Interview with Bart Meyer, Benny Bogaerts, Jordan Barth
Partner / Director and Competence Leader for Cyber Security / Manager - KPMG Advisory Belgium
Stéphane Darimont (SD) [Banking Boulevard]: You recently published the result of an analysis which demonstrates that many companies face important difficulties in detecting malware. What is the background of your study and how did you organize it?
In order to better understand the threats companies are currently facing, we, KPMG in Belgium, organized a study to analyze network traffic inside 10 different enterprises operating in varying sectors in Belgium. The goal of the study was to determine whether unknown threats were hiding within organizations’ infrastructure and if current information security practices and technology were effectively preventing and detecting these threats.
This study started in November 2014 and continued through June 2015. The technology supporting the study was provided by FireEye, a leading vendor in advanced attacks prevention technology, cyber security intelligence who is also responsible for the M-Trends report, an influential Cyber Intelligence report on threat actors and cyber terrorism groups. Over the course of eight months, we placed 10 advanced threat detection appliances within company networks to see what we could find.
All participants in our study were followers of traditional IT best practices: up-to-date antivirus, anti-spam gateways, internet gateways & proxies. However, we noticed how difficult it is for these technologies to detect malware that is constantly changing the way it looks, talks, and behaves.
We placed FireEye appliances to analyze network traffic right before endpoints – this means after all other network protection solutions have determined the network traffic is clean. We were able to determine when malware bypassed traditional defences and reached an endpoint.
Most modern malware that wants to achieve something must send messages “back home”. These messages are called callbacks and they are sent to Command and Control (C&C) servers.
(SD): Is the situation worrying for companies, and if so what is the percentage of companies that were breached?
If we detected a callback, this means that the malware had successfully installed itself on to the host and was ready to start achieving its objectives.
As per our analysis, most firms were breached but did not know it. As a matter of fact, 80% of participants had active malware infections.
We found that most of our participants relied on the following alerting mechanisms in order to detect malware running in their network:
• Reporting from network gateways of denied requests – network proxies are effective at recognizing and blocking domains and IP addresses known to be malicious. If an endpoint tries to access one of these addresses, they will be blocked and an administrator can be notified.
• Reporting from antivirus software – most commonly, our participants only knew about their malware infections if their antivirus software reported it and an administrator was notified.
(SD): How can the problem be summarized?
Detecting modern malware that has already gained a foothold in the network is difficult, and firms are not succeeding.
Modern malware changes so often that traditional solutions for generating alerts are no longer effective. Your malware is unique, just like everyone else’s.
Network solutions don’t prevent enough malware traffic from reaching the endpoints. For an endpoint to be compromised the host must be vulnerable to the exploit and the host based antivirus must fail to detect the malware. All participants in the study had up-to-date antivirus that did stop many infections, but not all. The trend of allowing so much malware traffic to reach the endpoint and trusting on antivirus to prevent an infection was found to be inadequate in sufficiently protecting networks.
In our study, all of our participants had malware traffic reaching endpoints. This means that either an exploit kit ran, a malware object was downloaded, or a callback was detected.
In all of the malware we analyzed, we identified 59 unique samples. However, these 59 unique samples were traced back to only 11 families of malware. The task of antivirus being able to block so many variants of the same malware families is daunting.
The sophistication of malware and its ability to hide from anti-virus software is a contributing factor to why so many participants in our study were breached. So, having a unique malware sample does not make an attack targeted, but it underscores the difficulty in keeping up with malware.
(SD): Your study presents an interesting summary of the types of malware that were detected as well as a description of their potential severity. Can you give us some examples of malware categories that were identified?
Sure, the malware samples and detections we collected show both known and unknown malware affecting endpoints. By analyzing how the malware acted in a virtualized environment as well as inspecting the callbacks, we were able to better understand the risk posed by the malware.
We found several examples of very serious infections that represented major business risks, as for instance:
• Conteudo Trojan
Conteudo is a highly functional remote access Trojan that is able to hide its presence from the operating system. Once it has infected a machine, its success is reported back to its controllers who then sell access to the machine on the black market. For one of our participants, the credentials and login URL to their SAP system were sent in clear text to an external attacker so they could be used later to gain access to the system.
• Houdini Backdoor
The Houdini backdoor is a remote access trojan that allows an outside attacker to gain full control of the infected endpoint. This trojan, which is based upon Visual Basic Scripting (VBS), has been known to target the international energy industry in spam email campaigns. This malware uses special techniques to avoid being detected by antivirus. Once a system is infected, the malware will report its existence to its controller and allow the attacker to begin moving data off the network.
• Zbot Citadel InfoStealer
Originating from the Zeus family, the Citadel variant of Zeus is a premier crimeware kit with features exceeding that of its predecessors. Citadel is known to use excellent encryption features to hide its stealing of user credentials. Once it infects an endpoint, it monitors important processes in order to steal usernames and passwords. The malware is particularly dangerous given how it targets password managers commonly used by businesses, including Nexus and Keypass.
Exploit Kits: The malware delivery eco-system
During the study, we observed both spam and exploit kits being used by attackers to compromise endpoints. While spam relies on an unsuspecting user to download and run an attachment, an exploit kit can succeed without user intervention. Exploit kits will take advantage of a known (or zero day) vulnerability in the user’s browser to deliver malware. Something of note was the occurrence of the Angler exploit kit which delivered malware that breached multiple participants. Angler is a highly advanced exploit kit designed to avoid detection from traditional security controls and deliver malware.
(SD): What can be said about the callbacks that were detected?
A callback signifies a successful infection and a breached endpoint.
Behind every malware there is a person who has an objective and is seeking to steal or disrupt its target. The motivations vary by who’s doing the hacking, but all modern malware that wants to achieve something must send messages back to the internet. These callbacks are the key to the malware achieving its objectives.
The messages sent by the malware can be anything from a notification to a hacker that the attack was successful, to updating its own software code to remain more stealthy. These messages offer proof that an organization was compromised. For an attacker to be successful, it needs only to compromise a company once. In this study, we observed some participants who had been compromised multiple times by unknown attackers.
We found that most callback traffic was sent through TCP port 80 because this port is not normally blocked at the firewall. Once these connections are established, the malware begins to install other components and steal data.
We observed data being stolen during the course of our study. When the data was not encrypted and we could see what information was being stolen, we saw:
• SAP User Names & Password credentials
• Operating System and host details
• Internal network information
• SMS Messages from Android Phones
We observed malware communicating through HTTP post requests and checking in several times a day to get new instructions or send internal data out of the network.
(SD): What is your conclusion? What should companies do?
The most important takeaway from our study is that nearly all of the organizations that participated in the study were already compromised by malware on endpoints. This allows us to conclude that those organizations cannot be certain that their information assets are secured from outside attackers by traditional security protections.
Cyber security breaches have real consequences: direct losses, indirect losses, and reputational damage amongst others. Enterprises large and small should re-evaluate their security posture to determine their resilience to the newest malware threats.
All businesses and organizations should evaluate the following:
•Make sure that traditional information security controls are implemented and maintained. These are foundational to everything else an organization must do to protect itself.
• Know what your critical systems are and where your most sensitive data is stored. Good security that is aligned to the business takes into account the level of protection that’s needed for each information asset. Firms should understand where their most critical data and systems are and setup sufficient monitoring and detection mechanisms to determine if/when they are compromised.
• Raise awareness of the latest cyber security threats from End Users to the Board, the impacts, and their role in protecting the organization.
• Don’t wait until an incident to find out if your network defenses and detection work. Don’t let preventative controls give the organization a false sense of security. Increase monitoring capabilities to detect breaches after they have occurred.
Preventative controls fail to mitigate all risks. Modern attacks have shown us that you can take all the necessary prevention measures and still be compromised.
Therefore, organizations should regularly test defenses with red team exercises. These exercises are full-out attempts at compromising a network that allow you to know how well your people, processes, and technology respond to a cyber attack.
(SD): How can KPMG help?
KPMG can help you understand your current state of preparedness against cyber attacks and assist you in closing any gaps. Whether from a governance, people, process or technology viewpoint, our services can help you improve your state of preparedness. To achieve that, we have developed KPMG’s Cyber Security Framework consisting of four major phases:
• Prepare: Developing an approach tailored to your specific organisation and ambitions. Everyone can go off and buy security solutions, but wouldn’t it be much better if someone listened to your concerns, views and questions? Someone who helps you to complete the picture of threats and opportunities? The prepare phase of KPMG’s Cyber Security Framework helps our clients to develop a cyber security strategy tailored to their specific business settings and ambitions.
• Protect: Balancing threats, risks and resources against business goals. Realising effective cyber security entails ensuring a baseline level of security across the organisation and establishing tailored protection of your crown jewels and critical assets. This requires balancing preventive and detective controls in the domains of governance, people, processes and technology. The protect phase of KPMG’s Cyber Security Framework helps our clients to increase their resilience against cyber attacks in all domains.
• Detect & respond: Timely detection of incidents. With the global proliferation of cyber attacks, the question for organisations is not if they will be attacked but when. The ability to effectively manage business during a major operational disruption is now a key success factor. With reputational damage occurring in an increasingly short time-span, organisations are looking for business and technical specialists who can help them design and execute incident response plans accordingly. The detect and respond phase of KPMG’s Cyber Security Framework helps our clients respond to and investigate cyber attacks.
• Integrate: Integrating cyber security into everything you do. Cyber threats have become part of the business environment and as such, there are risks which need to be managed. This necessitates that cyber security not be seen as a topic in isolation within the business, but as an integral part of your way of working. The integrate phase of KPMG’s Cyber Security Framework helps our clients to embed cyber security in the culture and decision making processes to help ensure their business stays one step ahead.
Contact KPMG Advisory: Bart Meyer, partner. Tel: +32 (0)3 821.17.80 firstname.lastname@example.org