Staying on top of the ever-evolving malware cyber threat

20 April 2022 Consultancy.com.au

Malware first appeared in the 1980s, and some forty years later, malware remains a thorn in the side of IT security teams across the world. Joanne Wong, Vice President International Marketing APAC and EMEA at LogRhythm, outlines what IT teams can put into place to stay on top of the ever-evolving threat.

From simple viruses to sophisticated ransomware, malware comes in ever-evolving forms. The cybercriminals who develop malware have three key aims. They want to either steal sensitive data, cause a disruption to an organisation’s operations, or encrypt data after which a ransom will be demanded for the keys.

Faced with these challenges, IT security teams have two ways in which they can gain an understanding of the types of threats they face.

Staying on top of the ever-evolving malware cyber threat

The first is static analysis which involves reviewing a sample of malware code without running it. The second, dubbed dynamic or behavioural analysis, requires a security team to run the code in a protected environment to determine what it is attempting to do.

Unfortunately, it may not be possible for teams to use either static or dynamic analysis if malware has already found its way into a target’s IT infrastructure. The malicious code may have already carried out it intended activity and then removed itself with little or no trace.

Evaluate the damage

If an attack has already taken place, focus should shift from trying to analyse the malware to evaluating the extent of the damage that it has caused. Security teams should work to identify all affected machines, from servers to client devices, and remove them from the network.

The team should also work to determine the level of sophistication of the malware that was used in the attack. This will help to narrow down the list of potential threat actors and assist in determining the origin of the attack.

At this time, the security team should also determine the likely point of entry used by the attackers. This could be via an email message, an infected USD drive, or from a staff member visiting a rogue website.

Developing a full picture of the nature of the malware that was used and how it found its way into the IT infrastructure will aid in planning changes to defensive measures aimed at warding off future attacks.

Interestingly, large numbers of examples of malware share similar underlying technologies. This is because foundational code is often used by multiple cybercriminals who then work to incorporate their own features and capabilities.

Improving defence measures

Faced with an ever-increasing and evolving threat landscape, IT security teams should undertake four key activities:

1. Comprehensive planning
One of the most important things an organisation can have in place is a comprehensive and well-documented incident response plan. When an attack occurs, being able to react immediately is critical to minimising the impact it will have.

Once the plan has been formulated, regular simulation exercises should be conducted. This will help to iron out any areas of weakness and ensure security teams are ready to spring into action should an incident occur.

2. Data collection
If an attack is detected, it is important to collect as much data about it as possible. Network traffic patterns, logs, and endpoint activity data all needs to be analysed so that a clear picture of exactly what has occurred can be created.

As well as helping the organisation recover from this attack, it will help to guide steps that will reduce the likelihood of others in the future.

3. Deploy AI and ML tools
In large organisations or those with complex IT infrastructures, it is impossible for humans to monitor every component around the clock. For this reason, increasing numbers are deploying artificial intelligence (AI) and machine learning (ML) tools to assist. These tools can monitor activity and alert the security teams if anomalies are detected.

4. Leverage automation
So that their IT security teams can respond to an incident as quickly as possible, many organisations are making use of automation tools. These tools free up humans from low-level activities and allow them to focus their time on more complex tasks.

Malware in all its forms continues to remain a significant threat for all organisations. However, by undertaking core steps such as these, IT security teams can sure they are as well placed as possible to respond to an attack when it occurs.