FireEye Reports That It Detected 89 Million Malware Events That Slipped Right Past Firewalls, IPSs And Other Layers Of Security
FireEye Inc. has just come out with its Advanced Threat Report for the second half of 2012. The content is based on research and intelligence conducted by the FireEye Malware Intelligence Lab and data collected from several thousand security appliances installed at the company’s customer sites around the world.
FireEye threat protection appliances are often an organization’s last line of defense. These appliances are installed behind organizations’ firewalls, next generation firewalls, intrusion prevention systems (IPS), and other security gateways. Nevertheless, the report is based on 89 million detected malware events, which means that these events are evading the types of security devices we all rely on every day.
The malware gets past our defenses because the threats “look normal.” That is, the events don’t have recognizable malware signatures, they don’t come from sources with a bad reputation, and their behavior doesn’t set off any alarms. An event could be something as simple as an email message that includes a harmful embedded link or attachment—and yet the results can be devastating if the recipient opens the link or attachment and unleashes malware onto his device.
The situation is far more common than you might think. According to FireEye’s analysis across all industries, organizations experience malware-related activities, on average, once every three minutes. The technology industry experiences events more often than once per minute. Perhaps this is because technology companies hold the intellectual property and the keys that protect other industries. (Recall RSA’s data breach two years ago where the algorithm for multi factor authentication was stolen, leading to security concerns at every company using RSA’s SecurID technology.)
Regarding the frequent occurrence of malware activity, the FireEye report states:
This nearly continuous rate of attacks and activities is indicative of a fundamental reality: these attacks are working, yielding dividends. Through these mechanisms, attackers are circumventing traditional and next-generation firewalls, IPS, Web and email gateways, and other defenses—and they are then able to achieve their objectives, whether they are looking to make financial gains, steal intellectual property, or advance nation-state objectives.
FireEye reports that spear phishing is the most common method for initiating advanced malware campaigns. Email messages – even ones with malicious links or attachments – can easily pass through firewalls and other security appliances. In fact, zip files sent as attachments are the preferred way to deliver malware in 92% of the events. Attackers use file names that don’t raise flags with the recipients. In fact, a trend is toward naming the malicious files in a way that looks very legitimate. FireEye cites the following examples of files bearing malicious payloads:
Who wouldn’t want to open that budget request document right away? It just goes to show that employees need to be educated about spear phishing techniques and learn to evaluate attachments before opening them.
Another key finding documented in this report is that hackers are increasingly using sophisticated techniques to hide their malware. Two techniques cited by FireEye include:
- Hiding in the sandbox. The malware tries to evade automated analysis that security programs run in sandboxes. The malware isn’t initiated until a user employs a mouse command. Automated analysis programs don’t use mouse commands, so the malware can stay hidden and undetected when inspected in the sandbox.
- Using a fake digital certificate. There’s a rising trend of malware being digitally signed, often with certificates that have been hijacked, stolen, revoked, or otherwise invalid. Many security technologies automatically trust applications that have been digitally signed and so they aren’t scanned.
Malware is growing more sophisticated but we continue to rely on the same old security technologies to try to detect and stop the malicious programs. No wonder 89 million events were able to slip right past the firewalls, IPSs and other means of defense.