Malware remains a significant threat to organisations and, as it continues to evolve, it is more important than ever that security teams know how to prevent an attack. Here, Intelligent CISO hears from three experts, Jose Miguel Esparza, Head of Threat Intelligence at Blueliv, Roland Daccache, Senior Regional Sales Engineer – META, Fidelis Cybersecurity, and Nicolai Solling, CTO at Help AG, about how enterprises can stay ahead of malware threats.
Are there any new malware threats organisations should be aware of?
Jose Miguel Esparza, Head of Threat Intelligence, Blueliv (JM): Threats from malware are constantly evolving. While many cyberthreats are sector-specific, all organisations are at risk of targeted malware attacks from threat actor groups such as Cobalt or Anunak/Carbanak.
Groups like these are extremely innovative, and even if LEA operations curtail their capabilities, they continue to find new ways to attack organisations.
Besides organised criminal entities, we always have opportunistic attackers using ransomware, cryptominers, RATs or the latest banking malware kit. Though these attackers may be less advanced, they can have a huge impact on an organisation.
Because of the sophistication, availability and diversity of malware, organisations are advised to use all tools available to keep up-to-speed on the latest threats targeting their organisation, from threat intelligence services to professional networks – intel-sharing and collaboration is key.
Roland Daccache, Senior Regional Sales Engineer – META, Fidelis Cybersecurity (RD): There are thousands of new malware variants in the wild every day.
Organisations should be particularly cautious about unpatched or legacy systems, as well as targeted phishing campaigns, as these remain the most dangerous and effective infection vectors.
How important is effective malware prevention and how can CISOs keep organisations protected?
JM: It is critical to defend against malware infection to protect assets, employees and customers. A single malware infection could steal critical credentials for a company or allow lateral movement to take place, essentially becoming a key which opens the door to compromise the entire infrastructure.
It was reported last year that almost half of all data breaches are caused, in the first instance, by malware infection. As strains and families become increasingly sophisticated, targeted and much harder to detect, it is essential that you have equally sophisticated intelligence to ensure adequate protection.
RD: I can’t stress enough the extent of damage that persistent malware, successfully implanted in a customer network, can do. It can impact everything from data theft to ransomware infections to credential sniffing, all the way up to wreaking havoc on the complete IT infrastructure, so it’s important that organisations regularly verify the efficiency of anti-malware solutions deployed on the perimeter, the endpoints and the cloud.
Nicolai Solling, CTO at Help AG (NS): The increased need for malware protection relates to two trends – digital transformation and the increasing dependence of businesses on IT, and the widespread availability of sophisticated tools and exploits which have dramatically scaled the threat of malware.
The combination of these factors means that today, every organisation is a target and becoming a victim of malware could cripple business processes, disrupt the availability of services, result in data leakages and other disastrous impacts that translate to significant financial and reputational losses. With such business risk involved, no organisation can afford to ignore the threat of malware.
JM: Malware protection no longer relies solely on antivirus software, as cybercriminals are using advanced techniques and services to improve obfuscation and avoid detection. In order to mitigate risk, fast prevention, fast detection and fast reaction are critical – CISOs should work to improve at each phase. At a minimum, CISOs should ensure they consistently apply patches and software to avoid exploitation, educate employees (at all levels) about cyberthreats and social engineering pitfalls and deploy threat intelligence feeds.
The latter helps detect ongoing infections, monitor stolen credentials and data leaks, and increases visibility of potential exfiltrations. This knowledge should then be used to create procedures and protocols that should be activated in the event of an attack.
RD: There are many steps I would recommend CISOs take when it comes to having a sound malware prevention strategy:
- Deploy anti-malware solutions over all assets that support endpoint agents
- Deploy anti-malware on cloud assets and the perimeter to cover the gaps left by IoT devices and legacy systems
- Apply a strict patch management process that reduces the infection surface
- Apply proper network segregation to contain malware
- Limit admin privileges to the maximum extent possible to avoid malware privilege escalation
- Train employees on identifying phishing emails and links
Prevention doesn’t always work, so investing in detection and response solutions (deception, EDR, SIEM) is your best bet to have full enterprise-wide protection.
NS: I am often surprised by how many cybersecurity teams overlook the fundamental aspects of security. Even though email is known to be the primary infection vector for over 90% of malware, most organisations fail to properly protect their employees from receiving malicious emails in the first place. Or consider the privileges that users have – there is almost no justification for a typical user being granted admin privileges on their endpoint, but this is often the case and allows them to run executables that result in malware infections.
My advice to CISOs therefore is to stop looking for the silver bullet – this simply doesn’t exist in the world of cybersecurity. Instead, carefully analyse your security processes and policies to identify the simple ways in which you can harden your security posture. In the end, attackers too have limited resources and therefore tend to go after the lowest hanging fruit. If you address the critical simple steps, you make your business more resilient to the large volume of malware and other cyberthreats.
How should organisations set about choosing the correct malware prevention tools?
JM: Fighting malware attacks requires several different steps, starting with prevention, followed by detection and then reaction.
The best solution is in fact to combine different security modules to mitigate risk at its different phases. Ideally, a proof of concept phase is required first, so an organisation can evaluate whether a specific tool accomplishes its cybersecurity objectives. Indeed, the perfect tool for one organisation might not work for another, whose objectives and resources are different. Modular cyberthreat intelligence bespoke to an individual organisation can be deployed rapidly and effectively to bolster their security posture.
RD: There are careful considerations to take when selecting a malware prevention tool, such as next-generation and behavioural features beyond signature-based detection, trusted third-party product reviews, detection rates, machine learning, reliance on cloud updates, system impact, etc.
I also invite organisations not to fall for ‘all in one super endpoint protection solutions’ and evaluate independent endpoint detection and response tools to further improve protection and recovery processes.