Threat prevalence: your breach will have to wait

2012-09-01

Chad Loeven

Silicium Security
Editor: Helen Martin

Abstract

‘The vendor has no choice but to prioritize resources towards ... keep[ing] up with existing malware families.’ Chad Loeven, Silicium Security.



The economics governing security vendors’ priorities do not bode well for victims of targeted attacks.

Recently, I blogged [1] my impressions following a security conference that was hosted by a major vendor, with many of our security vendor peers in attendance. In this article I expand on one of my main takeaways from that event: how the actions of mass malware purveyors targeting consumers provide cover to hackers engaging in targeted attacks. By being the needle in the haystack, state-sponsored and other hacking groups can successfully and regularly launch targeted attacks [2] because of what amounts to an economic failure, as much as a technical one, on the part of security vendors [3].

Targeted attacks weren’t part of the discussion at the conference per se. What was discussed was the overall threat landscape we are dealing with. The dominant feature of that landscape is the sheer number of unique malicious binaries. Vendors are typically dealing with 100,000 or more [4] unique malware binaries each day, with some quoting 150,000 or even up to 250,000 daily samples received. Of course, the vast majority of these binaries are minor variations of existing malware, mostly polymorphic variants.

Yet even longstanding and widely propagated malware families can avoid signature detection, at least for a short time, through minor mutations [5]. Whether a vendor has the capacity to write a couple of dozen new signatures daily or several hundred, the vendor has no choice but to prioritize resources towards ensuring that their signature library does at least keep up with existing malware families.

Of course, this prioritization on prevalence makes sense in plain economic terms. Any major vendor with a broad customer base will focus on the threats that are a risk to the largest parts of its customer base. If that vendor has a large consumer base, then the bottom of the pyramid – the broadest section of their user base – can be huge indeed and may dwarf the user base of enterprise customers.

But if you are responsible for security at a large enterprise, and find yourself on the receiving end of targeted, custom attacks, where does the response to the custom malware you uncovered fit on your vendor’s priority list? You are by definition way down the far right end of the long tail [6]. This is where the failure of signatures becomes economic, rather than technical.

Under normal circumstances, a vendor may take anywhere from many hours to several days before publishing a signature for a new threat sample with few or no detections. For a custom threat, the only option for an enterprise may be (if supported by the vendor) to create a blocklist of hashes for all the samples they discover – back to the future, as it were, for threat detection, with all its attendant limitations.
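To make the ‘attendant limitations’ concrete, here is an added example (not from the article or from Silicium Security) that compares a hash blocklist with a content signature against constructed polymorphic variants. The ‘malware family’ is a made-up byte string with an invariant core and a per-build padding region; no real samples are involved.

```python
"""Added example: hash blocklist vs. signature against polymorphic variants.

All sample bytes are constructed for this demonstration. The point is the one
the article makes: an exact-hash blocklist only catches the precise samples an
enterprise has already found, while a signature on an invariant part of the
family keeps catching variants the blocklist has never seen.
"""
import hashlib
import random

# Constructed stand-in for a family's invariant code; a polymorphic packer
# would rewrite everything around it on every build.
CORE = b"INVARIANT-PAYLOAD-ROUTINE"


def make_variant(seed: int) -> bytes:
    """Deterministically build one 'polymorphic' variant from a seed."""
    rng = random.Random(seed)
    pad = bytes(rng.randrange(256) for _ in range(32))
    return pad + CORE + pad[::-1]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_blocklist(samples) -> set:
    """What an enterprise can do on its own: block every hash it has seen."""
    return {sha256(s) for s in samples}


def hash_blocked(blocklist: set, data: bytes) -> bool:
    return sha256(data) in blocklist


def signature_hit(data: bytes) -> bool:
    """What a vendor signature does: match the invariant core, not the hash."""
    return CORE in data


def single_byte_mutation_evades_hash(seed: int) -> bool:
    """A one-byte change in the padding is enough to miss an exact-hash block."""
    original = make_variant(seed)
    mutated = bytes([original[0] ^ 0xFF]) + original[1:]
    blocklist = build_hash_blocklist([original])
    return not hash_blocked(blocklist, mutated) and signature_hit(mutated)


def detection_rates(known_seeds, test_seeds):
    """Fraction of test variants caught by hash blocklist vs. signature."""
    blocklist = build_hash_blocklist(make_variant(s) for s in known_seeds)
    tests = [make_variant(s) for s in test_seeds]
    hash_rate = sum(hash_blocked(blocklist, t) for t in tests) / len(tests)
    sig_rate = sum(signature_hit(t) for t in tests) / len(tests)
    return hash_rate, sig_rate
```

With ten known variants and ten test variants of which half overlap, the blocklist catches 50% and the signature 100%, which is the gap the enterprise is left to live with until the vendor publishes.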

Even a very large enterprise with hundreds of thousands of desktops and a corresponding IT security budget will not have the economic heft on its own to change the priorities for a vendor that measures its installed base in tens of millions of consumers and hundreds of thousands of small businesses.

The takeaway for those dealing with targeted attacks is caveat emptor. No matter how well intentioned the security vendor, if you are at the far end of the long tail, your vendor’s priorities are not the same as yours.

