
Malware 101: Prevention
This series has covered a large chunk of what an attacker can accomplish using malware, but unless you're planning to make a career change to cybercrime it's probably important to also know how to defend against malware. The most common approach to defending against malware is prevention — preventing it from reaching systems (i.e., perimeter protection) and preventing it from executing on systems when it does reach them (i.e., endpoint protection).
Network firewalls and perimeter protection
Perimeter protection involves keeping as many attacks out of one's network as possible. Because there are many points of entry, many types of protection are required to secure the perimeter. Email is by far the most common method of distributing malware, so email protection capable of detecting and blocking malware goes a long way toward perimeter protection. It is also common for email to contain links to malware instead of attachments, which is where web traffic protection helps as well, in addition to detecting browser exploits and blocking harmful pages in general.
Network firewalls are another type of perimeter protection that is more generalized, but, in being so, covers many different attack vectors. Network firewalls control and monitor traffic entering and, on some models, exiting a network, and they can protect systems within the network regardless of type, whether workstations, databases, internal web applications, or the like. They can block attacks against a network, in some cases including malware being transferred over the network if they contain malware detection capabilities.
While email and web protection can only protect against the primary payloads, because those are what would be served via these protocols, network firewalls are capable of detecting additional payloads that malware making it past initial defenses tries to download, as well as command-and-control traffic, such as bots receiving instructions or encryption keys being sent during a ransomware attack. While network firewalls do have access to email and web traffic, however, they generally don't offer as robust protection against these threats, because data throughput and computational resources must be balanced against protection capabilities. An email being delayed a few minutes for a malware scan won't generally be an inconvenience, but holding up network packets for more than a second or two definitely will be.
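As an added illustration of the email-gateway checks described above (example code, not from the original post or from any Barracuda product), the following Python inspects a constructed message for two of the indicators mentioned: an attachment that is an executable regardless of its filename, and a link to a host the organization has chosen to block. The sample bytes, hash "signature" and blocked domain are all constructed stand-ins, not real indicators.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed indicators, not real IoCs: a stand-in "malware sample" whose hash
# plays the role of an antivirus signature, and a domain chosen to be blocked.
SAMPLE_BAD = b"MZ\x90\x00constructed stand-in for a malicious PE attachment"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD).hexdigest()}
BLOCKED_HOSTS = {"bad.example"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def host_is_blocked(host):
    # Match the listed domain and any of its subdomains.
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)

def attachment_findings(part):
    data = part.get_payload(decode=True) or b""
    name = part.get_filename() or "(unnamed)"
    findings = []
    # Inspect content, not the filename: a PE file starts with "MZ" whatever it is called.
    if data[:2] == b"MZ":
        findings.append(f"executable attachment disguised as {name}")
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        findings.append(f"attachment {name} matches a malware hash signature")
    return findings

def scan_message(raw):
    """Return a list of findings; an empty list means the message passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.extend(attachment_findings(part))
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname or ""
                if host_is_blocked(host):
                    findings.append(f"link to blocked host {host}")
    return findings

def build_sample():
    """Constructed phishing-style message: a blocked link plus a renamed executable."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.net", "user@example.com", "Invoice"
    msg.set_content("Review http://cdn.bad.example/invoice\nand https://intranet.example.com/ first.\n")
    msg.add_attachment(SAMPLE_BAD, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` yields three findings (the blocked link, the disguised executable, and the hash match), whereas a plain message with an internal link yields none.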
How web application firewalls help
Perhaps less about protecting your own systems and network than those of your customers, web application firewalls are also a form of perimeter protection. They protect external-facing web applications from attacks that might be used to deface the website being protected or potentially use it to host and serve malware to others (i.e., your customers).
Hosting of malware is a common challenge attackers face because it's not as simple as just signing up for a web-hosting or file-sharing account. Such services don't want to take part in hosting and distributing malware and as such will suspend accounts hosting malicious content. Further, attackers need to cover their tracks to prevent law enforcement agencies from shutting down their operations or, in many countries, arresting them. There are services that provide hosting for attackers — referred to as bulletproof hosting providers — that operate in countries with more lax cybersecurity laws and that refuse to comply with law enforcement agencies. However, as these providers are typically well-known in the cybersecurity industry, it is not uncommon for simply being hosted by a bulletproof hosting provider to be enough of an indicator to assume that traffic is malicious and warrants blocking.
Avoiding this requires finding hosting options that appear benign to protections, at least long enough to serve enough malware for a campaign to be successful. With no shortage of vulnerabilities to leverage — especially in content management systems (CMSs) such as WordPress — hacked sites are a very common means of malware hosting and distribution. That's where web application protection comes in: it helps prevent the site from being hacked in the first place.
Types of endpoint protection
While protecting a perimeter is both important and effective, threats that make it through the perimeter land on the systems within. Endpoint protection is the software that protects these systems; it is most commonly deployed on user workstations, but many other types of systems, such as servers, can use it as well.
Endpoint protection can come in different forms and levels of sophistication, but the most common type is antivirus software using signatures to detect malware that makes it onto the endpoint. For enterprise organizations, more sophisticated antimalware solutions are available using more advanced detection techniques such as more sophisticated static analysis — which analyzes the file as-is for malicious indicators — or dynamic analysis — which executes the file in a controlled setting to analyze its behavior. Endpoint protection can range in what can be analyzed as well, from simply files to examining running processes and memory dumps.
The power of patching
Perimeter and endpoint protection provide invaluable tools for defending against malware and other attacks. However, what protection can be acquired, and how much of it, is highly dependent on the budget provided for security. Regardless of the amount of protection in place, there are also far cheaper and simpler means of protecting against malware.
Ensuring that software is up to date is one of the most achievable and affordable methods of helping to protect against attacks. Because exploiting software vulnerabilities is a key component of attacks — whether to gain initial access to a network or to move throughout it and gain more privileged access — promptly updating software ensures that security patches for these vulnerabilities are applied so they can no longer be exploited. Vulnerabilities will undoubtedly still exist, but at least the known ones will no longer be viable to attackers. And known vulnerabilities are the most widely used exploits, because finding or purchasing zero-day vulnerabilities (i.e., ones that are not yet patched) is very expensive.
Last line of defense
In general, the largest vulnerability in any organization, irrespective of the amount of security precautions and solutions in place, is the one that is most difficult to prevent — people. At the same time, this provides opportunities to create a security-conscious culture within an organization that can be highly effective at preventing and detecting malware and other attacks.
With email as the largest distribution method of malware, users knowing how to spot malicious emails and not clicking on attachments or links in them goes a long way toward protecting against malware. Unfortunately, while not necessarily that expensive to achieve, this is very difficult to do for a number of reasons. Many employees lack the knowledge and skills needed to spot attacks, which an hour or two of training per year can't possibly provide, and they also lack personal investment in the security of the organization, aside from the potential of losing their job, which only goes so far.
This particular protection truly is about fostering a culture within the company that cultivates the skills and motivation to become an active part of the cybersecurity infrastructure. When employees internalize the significance of the impact they can have on the overall security of an organization, not only will they be more aware in their daily activities, but they will also internalize any training material more effectively, adding more value to the training itself rather than simply checking a compliance box. People are the last line of defense against many cyberattacks, and in some cases, such as vishing (voice phishing, i.e., phishing done via phone calls) or spotting suspicious activity at a physical site, the only line of defense.
You can read the rest of the Malware 101 series here.
