navigating the threat landscape - a practical guide
TRANSCRIPT
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
1/20
NAVIGATINGTHE THREAT
LANDSCAPE
www.kaspersky.com/business#SecureBiz
A practical guide
David Emm, Principal Security ResearcherGlobal Research & Analysis Team, Kaspersky Lab
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
2/20
2
Contents
About the author
David Emm, Principal Security Researcher Global Research & Analysis Team (GReAT)
David Emm is Principal Security Researcher at Kaspersky Lab, a provider of security and threatmanagement solutions. He has been with Kaspersky Lab since 2004 and is currently part ofthe companys Global Research & Analysis Team. He has worked in the anti-malware industrysince 1990 in a variety of roles, including Senior Technology Consultant at Dr SolomonsSoftware, and Systems Engineer and Product Manager at McAfee. In his current role, Davidregularly delivers presentations on malware and other IT threats at exhibitions and events,highlighting what organizations and consumers can do to stay safe online. He also providescomment to broadcast and media on the ever-changing cybersecurity and threat landscape.David has a strong interest in malware, ID theft and the security industry in general. He is aknowledgeable advisor on all aspects of online security.
Chapter 1 The evolution of malware 3Chapter 2 How malware spreads 9Chapter 3 Malware: on the move as much as you are 12Chapter 4 A new era of targeted attacks 14Chapter 5 The human factor in security 15
Chapter 6 Anti-malware technologies 16Chapter 7 Top tips for creating security awareness in your organization 19
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
3/20
3
Chapter 1: The evolution of malware
Its over 25 years since the rst PC viruses appeared. Since then the nature of the threat has changedsignicantly and today the threats are more complex than ever before.
In recent years, the Kaspersky Lab Global IT RisksSurveyhas highlighted changes in working practices,all of which have had a signicant impact on corporate
security. These include growing mobility and thetrend towards BYOD; the storage of business datain the cloud; the increased use of virtualized systems;and the widespread use of social media at work.
Security concerns around these developments continueto gure highly in the survey and, unsurprisingly, the2015 results highlight that preventing and dealingwith security breaches is a primary concern for 50%of companies1and guarding against cyberthreats isthe top security priority for 27% of companies.2
Dealing with security breaches is a primary concern for50% of companies.1
Preventing/dealing with IT security breaches
44%
50%
42%
37%
31%
26%
22%
18%
16%
15%
Understanding the full range of new technologiesthat are available and how to use them
Managing change in IT systems and infrastructure
Making decisions about future IT investments
Dealing with cost constraints/limited budgets
Training users how to use IT systems
Planning for and recovering from failureor destruction of IT infrastructure
Dealing with mobile working patternsand bring-your-own-device (BYOD)
Managing wide range of dierent IT
suppliers/product and service vendors
Complying with industry regulations and standards
VSB (1-49)
SB (50-249)
MB (250-1499)
E (1500+)
By size
54%
50%
48%
46%
1: Kaspersky Lab Global IT Risks Security Survey 2015
2: Kaspersky Lab Global IT Risks Security Survey 2015
TOP CONCERNS OF THE IT FUNCTION1
Dealing with security breaches, understanding new technologies and managingchanges to IT systems are the primary concerns. Security breaches are a concernto companies of all sizes.
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
4/20
4
Guarding against external cyberthreats such as malware
Fraud prevention 27%
27%
25%
25%
22%
15%
21%
21%
14%
19%
13%
19%
12%
19%
17%
Preventing data leaks
Continuity of service of business-crtical systems
Security of cloud infrastructure (public and private)
Compliance with industry/regulatory requirements
Security of mobile/portable computing devices
Physical security of critical business systems
Improving response to information security incidents
Eliminating vulnerabilities in existing systems
Leveraging cloud-based or managed security services
Enhancing disaster recovery measures/planning
Information security training provided to employees
Security of virtualized infrastructure
Protecting against DDoS (distributed denial of service) attacks
COMPANY IT SECURITY PRIORITIES FOR THE NEXT 12 MONTHS2
Guarding against cyberthreats is now the top priority (previously third), supplanting preventing data leaks.
Increasing in scale, increasing in severity
The interconnected world means that attacks can belaunched on victims devices very quickly, and as widelyor selectively as the malware authors and criminalunderground sponsors require.
Malicious code can be embedded in an email, injectedinto fake software packs, placed on grey-zone
webpages, or download by a Trojan installed on aninfected computer.
The scale of the problem has also continued to increase.The number of new malware samples discovered dailyby Kaspersky Lab runs into hundreds of thousands.
2: Kaspersky Lab Global IT Risks Security Survey 2015
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
5/20
5
A problem of perception
In the past 12 months 90% of companies experiencedsome form of external attack and 46% of companiesreported an increase in the number of attacks3, althoughthere is a perception that there were fewer instances
of data theft and obvious malware events in 2015.
90%of companies had experienced some form of external incident.3
3: Kaspersky Lab Global IT Risks Security Survey 2015
But theres a misconception that malware belongson its own, in a discrete category. In fact, malwareforms an essential component of many cyberattacksand remains the most numerous and dangerous
threat to IT security. Targeted attacks, cyberespionage,phishing attacks and more, all incorporate malware.So its not that malware attacks are declining, but thatthey may not be perceived as malware attacks.
EXTERNAL THREATS EXPERIENCED3
90% of companies had experienced some form of external incident.Fewer instances of theft and obvious malware events in 2015 compared to previous waves.
2011 (n=1715)
Signicantly lower YOY
2012 (n=2938) 2013 (n=2164) 2014 (n=2943) 2015 (n=3580)
55%
59%
63%
58%
54%
61%
65%
61%
53%
57%
33%
36%
40%
36%
35%
24%
26%
28%
23%
22%
18%
20%
19%
19%
18%
13%
21%
24%
15%
20%
13%
4%
4%
4%
7%
3%1
3%
11%
9%
8%
9%
13%
12%
16%
16%
17%
1%
1%
Spam
Cyberespionage
EspeciallyManufacturing
Viruses, worms,spyware and
othe maliciousprograms
Especially
Education
& Govt.
Theft of largerhardware
Phishing attacks
Targeted attacks aimedspecically at our
organization/brand
Especially Telecoms
Network intrusion/hacking
Criminal damage
Denial-of-service(DoS), Distributeddenial-of-service
attacks (DDoS)
Especially IT,
Financial services
Point-of-sale (POS)systems intrusion
5% among
consumer
services firms
Theft of mobiledevices by external
party
Attacks on ATMs
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
6/20
6
4: Kaspersky Lab Global IT Risks Security Survey 2015
From cyber-vandalism to cybercrime
Until around 2003, viruses and other types of malwarewere largely isolated acts of computer vandalism anti-social self-expression using hi-tech means.Most viruses conned themselves to infecting other
disks or programs.
After 2003, the threat landscape changed. Muchof todays malware is purpose-built to hijack computersand make money illegally. As a result, the threatsbusinesses now face have become signicantly more
complex. IT administrators have a lot more to contendwith there are more types of threats to protect againstand the damage they cause is likely to be nancial, not
just IT down-time.
1 in 3 companies whove experienced a data breach event sueredtemporary loss of ability to trade and typical direct costs incurred
from a serious event are$38kforSMBsand$551kforenterprises.4
ESTIMATED DIRECT COSTS INCURRED RESULTING FROM ANY SERIOUS DATA LOSS INCIDENT4
Although not every expense is incurred by every business, we can nonetheless estimatea typical loss taking into account the likelihood of an organization incurring each expense.
SMB Enterprise
32% 29%
34% 30%
88% 88%
Typical damageto SMBs from
a serious event
Typical damageto enterprises from
a serious event
ProfessionalServices
$11k
ProfessionalServices
$84k
Lost businessopportunities
$16k
Lost businessopportunities
$203k
Down-time
$66k
Down-time
$1.4m
$38k $551k
+ +
+ +2014 $33K
2013 $36K
2014 $636K
2013 $566K
Each potential cost is multiplied by the likelihood to experiencethat cost then summed to nd the expected overall typical costs.
Potential costIf experienced
Potential costIf experienced
Proportion ofbusiness incurring
this expense
Proportion ofbusiness incurring
this expense
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
7/20
7
New motives, new tactics
The change in motive also brought about a changein tactics. There was a decline in the number of globalepidemics designed to spread malware as far and asquickly as possible. Attacks have become more focused.
The rise of the Trojan
Trojans are the most common type of malware today.They are categorized according to their function: the
most common include backdoors, password stealers,downloaders, and banking Trojans.
They are used to steal condential information
(username, password, PIN, etc.) for bank fraud.
Holding you to ransom
In recent years, there has also been a steady growthin ransomware. This is the name given to maliciousprograms designed to extort money from their victimsby either blocking access to the computer or encrypting
the data stored on it. The malware displays a messageoering to restore the system in return for a payment.
Sometimes the cybercriminals behind the scam tryto lend credibility to their operation by masqueradingas law enforcement ocials: their ransom message
states that access to the system has been blocked,or the data encrypted, because the victim is runningunlicensed software or has accessed illegal content,for which the victim must pay a ne.
The main reason for the change is that attacks nowhave criminal intent and look to steal condential
data, which can then be processed and used. Wheremillions of victim machines are involved, detection is
more likely and it creates a huge logistical operation.Therefore, malicious code authors now prefer to focustheir attacks.
They can be used to spy on victims. They can be usedto install additional malware to suit the needs of the
attackers. They can be used in DDoS (DistributedDenial of Service) attacks on organizations: suchattacks seek to extort money from organizations, usinga demonstration DDoS attack to give the victim a tasteof what will happen if they dont pay up.
While anti-malware can detect ransomware, it may notbe possible to decrypt the data. So its vital to take regularbackups not only to avoid data loss resulting fromransomware, but to safeguard data from loss because
of other computer problems.
Typically, compromised computers are combinedinto networks. The activities of these bot networks,or botnets, are controlled using websites or Twitteraccounts. If the botnet has a single Command-and-Control (C2) server, its possible to take it down onceits location has been identied. But in recent years
cybercriminals have developed more complex botnetsthat employ a peer-to-peer model, to avoid having asingle point of failure. This has now become a standardfeature of botnets.
Malicious code authors now prefer to focus their attacks.
A GReAT tip: Regularly back up your data
Even if you outsource the handling and storage of your data, you cant outsource the responsibilityfor it in the event of a security breach. Assess the potential risks in the same way you would if you were
storing data internally. Data backup can help ensure an inconvenience doesnt turn into a disaster.
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
8/20
8
Phishing masquerading as someone else
The use of malicious code is not the only methodused by cybercriminals to gather personal datathat can be used to make money illegally. Phishinginvolves tricking people into disclosing their personal
details (username, password, PIN or any other accessinformation) and then using these details to obtainmoney under false pretences.
Phishers create an almost 100% perfect replica of achosen nancial institutions website. They then spam
out an email that imitates a genuine piece ofcorrespondence from the real nancial institution.
Phishers typically use legitimate logos, good business
Rootkits and code obfuscation
Rootkits are used to mask the presence of maliciouscode. They hide the changes they have made to avictims machine.
Typically, the malware writer obtains accessto the system by cracking a password or exploitingan application vulnerability, and then uses this to gainother system information until he achieves administratoraccess to the machine. Rootkits are often used to hidethe presence of a Trojan, by concealing registry edits,the Trojans process(es) and other system activity.
style and even make reference to real names from thenancial institutions senior management. They also
spoof the header of the email to make it look likeit has come from the legitimate bank.
The fake emails distributed by phishers have one thingin common: they are the bait used to try and lurethe customer into clicking on a link provided in themessage. If the bait is taken, the link takes the userdirectly to an imitation site, which contains a form forthe victim to complete. Here they unwittingly hand overall the information the cybercriminal needs to accesstheir account and steal their money.
There has been a further development of the rootkit,known as a bootkit. The rst of these found in the eld,
in 2008, was Sinowal (also known as Mebroot). Theaim is the same as any rootkit mask the presenceof malware in the system. But a bootkit installs itselfon the Master Boot Record (MBR), in order to load early(the MBR is the rst physical sector on the hard disk
and code written to this sector is loaded immediatelyafter the instructions in the BIOS are loaded). Sincethat time, there has been a steady stream of bootkits,including 64-bit versions.
A GReAT tip: Develop a security strategy
Your security strategy should be tailored to your business not based on generic best practicesand guesstimates. A thorough risk assessment can determine the risks your business faces.
Youll need a mechanism to measure the eectiveness of your security tools and a process for updatingthe strategy to meet new threats.
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
9/20
9
Drive-by downloads
This is one of the main methods used to spread malware.Cybercriminals look for insecure websites and hide their
code in one of the webpages: when someone views thatpage, malware may be transferred automatically, andinvisibly, to their computer along with the rest of thecontent that was requested. Its known as a drive-bydownload because it doesnt require interaction fromthe victim beyond simply visiting the compromisedwebpage.
The cybercriminals inject a malicious script intothe webpage, which installs malware on the victims
computer or, more typically, takes the form of an iframeredirect to a site controlled by the cybercriminals.The victim becomes infected if the operating systemor applications on their computer are unpatched.
Chapter 2: How malware spreads
Cybercriminals inject a malicious script into the webpage, which installsmalware on the victims computer or, more typically, takes the form of
an iframe redirect to a site controlled by the cybercriminals.
Social networks
Cybercriminals, like pickpockets in the real world,work the crowds. Some social networks have auser-base the size of a large country, thus providinga ready-made pool of potential victims. They usesocial networks in dierent ways.
First, they use hacked accounts to distribute messagesthat contain links to malicious code
Second, they develop fake apps that harvest thevictims personal data (this can then be sold to othercybercriminals) or install malware (for example fakeanti-virus programs)
Third, they create fake accounts that gather
friends, collect personal information and sellit on to advertisers.
Email and instant messaging
Around 3% of emails contain malware, in the form ofattachments or links to malicious websites. In additionto the bulk phishing campaigns, designed to stealcondential data from anyone who falls for the scam,
email is also used in targeted attacks, as a way ofgetting an initial foothold in the target organization(s).In this case, the email is sent to a specic person in
an organization, in the hope that they will run theattachment or click the link and begin the processby which the attackers gain access to the system.This approach is known as spear-phishing.
To maximize their chances of success, cybercriminalstypically send their email to public-facing (often non-technical) sta, such as sales and marketing managers.
The email addresses the person by name, the Fromaddress is spoofed to look like it has come from a trustedinsider in the organization and the content of the emailis tailored to the interests of the organization, so that it
looks legitimate.
Typically targeted attack campaigns vary the content,depending on the specic nature of the company they
are going after. Cybercriminals also make use of instantmessaging to spread links to malware.
To maximize their chances of success, cybercriminals typically sendtheir email to public-facing (often non-technical) sta, such as sales
and marketing managers.
Cybercriminals use dierent techniques to infect their victims. They are outlined individually below:
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
10/20
10
Removable media
Physical storage devices provide an ideal way formalware to spread. USB keys, for example, have beenused to extend the penetration of malware within anorganization, following the initial infection.
They have also been used to help malware to hop acrossthe air-gap between a computer connected to the
Internet and a trusted network that is isolated fromthe Internet.
Often malware uses vulnerabilities in the way that USB
keys are handled to launch code automatically when thedevice is inserted into a computer.
Vulnerabilities and exploits
One of the key methods used by cybercriminals toinstall malware on victims computers is to exploitun-patched vulnerabilities in applications. This relieson the existence of vulnerabilities and the failure ofindividuals or businesses to patch their applications.
Such vulnerabilities or loopholes can be found withinan operating system or the applications running on thecomputer. Cybercriminals typically focus their attentionon applications that are widely used and are likely tobe un-patched for the longest time giving them asucient window of opportunity to achieve their goals.
Zero day exploits
Cybercriminals dont just rely on the fact that peopledont always patch their applications.
Sometimes they are even able to identify vulnerabilitiesbefore an application vendor does and write exploit codeto take advantage of the aw.
These are known as zero-day exploits and providecybercriminals with the chance to spread their malwareon any computer where the vulnerable applicationis found there simply is no patch available to blockthe loophole.
The graph of vulnerable applications shown opposite isbased on information about the exploits blocked by ourproducts. These exploits were used by hackers in internetattacks and when compromising local applications,including those installed on mobile devices.
VULNERABLE APPLICATIONS USED BY FRAUDSTERS
Oracle Java
Browsers
Adobe Reader
Android tOS
Adobe Flash Player
Microsoft Oce
The distribution of exploits used by fraudsters,
by type of application attacked, 2014
45%
42%
5%
4% 3% 1%
Source: Kaspersky Lab
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
11/20
11
Digital certificates
We are all predisposed to trust websites with a securitycerticate issued by a bona de Certicate Authority (CA),
or an application with a valid digital certicate.
Unfortunately, not only have cybercriminals been able toissue fake certicates for their malware using so-calledself-signed certicates, they have also been able to
successfully breach the systems of various CAs anduse stolen certicates to sign their code.
This eectively gives a cybercriminal the status of a
trusted insider and maximizes their chances of success clearly organizations and individuals are more likelyto trust signed code.
A GReAT tip: Deploy comprehensive and integrated anti-malware
Make sure youre always running the latest security software, applying updateswhen they are available and removing software when it becomes superuous.
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
12/20
12
Chapter 3: The growth of mobile malware
Cybercriminals are now turning their attention to mobile devices. The rst mobile threats appeared in 2004,but mobile malware didnt become a signicant threat until some years after this. The tipping point came in2011: the same number of threats was found in 2011 as had been seen in the entire period from 2004 to 2010.This explosive growth has continued since then. By the end of 2014 there were over 470,000 unique mobilemalware code samples.
In 2014 alone more than 295,000 samples appeared.These code samples are often reused and repackaged
many times, so the number of malicious installationpacks far exceeds the number of code samples: bythe end of 2014, the total number of mobile malwareinstallation packs was almost 15 million. During 2014,Kaspersky Lab blocked more than 1.3 million attacksand 19% of people using Android devices encounteredat least one mobile malware threat. Notwithstanding thedramatic growth in mobile malware, many businessesremain unaware of the potential danger and, as a result,many mobile devices go unprotected.
500000
450000
400000
350000
300000
250000
200000
150000
100000
50000
0
Aug 2011 Dec 2011 Dec 2012 Dec 2013 Dec 2014Apr 2012 Apr 2013 Apr 2014Aug 2012 Aug 2013 Aug 2014
MOBILE MALWARE14,643,582 installation packs
The largest share of mobile malware is targetedat Android devices. The main reason is that Android
provides an open environment for developers of appsand this has led to the creation of a large and diverseselection of apps. There is little restriction on wherepeople can download them from, which increasespeoples exposure to malicious apps. By contrast, iOSis a closed, restricted le system, allowing the download
and use of apps from just a single source the App Store.This means a lower security risk: in order to distributecode, would-be malware writers have to nd some way
of sneaking code into the App Store, or conne their
attacks to jailbroken iOS devices. So its likely that, forthe time being at least, Android will remain the chief
focus of cybercriminals.
By the end of 2014, the total number of mobile malwareinstallation packages was almost 15 million.
Codesample
Source: Kaspersky Lab
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
13/20
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
14/20
14
Chapter 4: Are you in the fring line?
A new era of targeted attacks
Targeted Cyberattacks Logbook
Attacks and targeted attacks
The threat landscape continues to be dominated byrandom, speculative attacks designed to steal personalinformation from anyone unlucky enough to fall victimto the attack. Such attacks aect not only individual
consumers but also businesses. Often the aim isto use stolen credentials to gain access to nancialaccounts and to steal money. But its clear that thenumber of targeted attacks on organizations is growingand they have become an established feature of thethreat landscape.
The aim is get a foothold in a target company, stealcorporate data or damage a companys reputation.
CyberweaponsStuxnet pioneered the use of highly sophisticatedmalware for targeted attacks on key productionfacilities. Furthermore, the appearance of othernation-state sponsored attacks Duqu, Flame, Gauss,Careto, Regin, Equation and Duqu 2.0 has madeit clear that this type of attack is far from beingan isolated incident.
We have entered an era of cold cyberwar, where nationshave the ability to ght each other unconstrained by the
limitations of real-world warfare. Looking forward we
Kaspersky Labs Targeted Cyberattack Logbookchronicles all of the ground-breaking maliciouscybercampaigns that have been investigated by GReAT.
Also, we are now in an era where malicious code canbe used as a cyberweapon: and while a particularorganization may not be in the direct ring line it could
become collateral damage if it isnt adequately
protected.
Its easy to read the headlines in the media and drawthe conclusion that targeted attacks are a problemonly for large organizations, particularly those whomaintain critical infrastructure systems within acountry. However, any organization can become avictim. All organizations hold data that could be ofvalue to cybercriminals; and they can also be usedas a stepping-stone to reach other companies.
can expect more countries to develop cyberweapons designed to steal information or sabotage systems not least because the entry-level for developing suchweapons is much lower than is the case with real-worldweapons.
Its also possible that we may see copy-cat attacks bynon-nation states, with an increased risk of collateraldamage beyond the intended victim of the attack.The targets for such cyberattacks could includeenergy supply and transportation control facilities,nancial and telecommunications systems and other
critical infrastructure facilities.
Visit https://apt.securelist.com/ for more information
https://apt.securelist.com/https://apt.securelist.com/ -
7/25/2019 Navigating the Threat Landscape - A Practical Guide
15/20
15
Chapter 5: The human factor in security
The human factor
Humans are typically the weakest link in any securitychain. There are several reasons for this:
Many people are unaware of the tricks used by
cybercriminals
Successive scams never look quite the same, whichmakes it dicult for individuals to know what what
to look out for
The problem can be worse in the case of smartphonesand tablets. Their size and portability can be a greatadvantage, but theyre also easily lost or stolen. If theyfall into the wrong hands, a weak (or non-existent) PINor passcode becomes a single point of failure the onlything between an unauthorized person and the datastored on the device.
Equally, while its a benet to have sta always-on, its
dangerous if sta conduct condential transactions on
untrusted wi- networks or if they inadvertently connect
to a fake hot-spot (the wi- network called coee-shop
might be legitimate, but the one named coee-shop-
fast might belong to a criminal looking to collect data
from the unwary).
Sometimes people cut corners in order to make theirlives easier and simply dont understand the securityimplications. This is true of passwords, for example.Many people use the same password for everything often something thats as easy to remember aspassword, 123456, qwerty or football!
This increases the likelihood of a cybercriminal guessingthe password. And if one account is compromised, itoers easy access to other accounts. Even when they
are made aware of the potential danger, most individuals
dont see a feasible alternative, since they think they cantpossibly remember lots of unique, complex passwords.
A GReAT tip: Keep your password safe
For more information on keeping your password secure read David Emms blog on The Hungton Post.
A GReAT tip: Raise awareness
Cybercriminals are increasingly using public data to launch targeted attacks against businesses.
Tell your colleagues about the risks associated with sharing personal and business information online.
Social engineering
Social engineering is the manipulation of humanpsychology getting someone to do what you wantthem to do. In the context of IT security, it means trickingsomeone into doing something that undermines theirsecurity, or the security of the organization they workin. Phishing emails provide a good example of socialengineering. They generally take the form of spamemails sent to large numbers of people, although spear-phishing is a targeted version designed to trick victimsin specic organizations. They masquerade as legitimate
emails from a bona de organization. They mimic the
logo, typeface and style of the legitimate organization,
in the hope that enough people who receive theemail will be fooled into thinking that its a legitimatecommunication. When the victim clicks on the link, theyare redirected to a fake website where they are asked todisclose their personal information such as usernames,passwords, PINs and any other information thatcybercriminals can use.
The widespread use of social networks has also madeit easier for cybercriminals. They are able to gather datathat people post online and use it to add credibility toa phishing email.
For more tips on how to spread the message with your colleagues check out the 10 top tips at the end of this guide.
http://www.huffingtonpost.co.uk/david-emm/keeping-your-passwords-secure_b_3384533.htmlhttp://www.huffingtonpost.co.uk/david-emm/keeping-your-passwords-secure_b_3384533.html -
7/25/2019 Navigating the Threat Landscape - A Practical Guide
16/20
16
Chapter 6: Anti-malware technologies
Anti-malware technologies used today
Hundreds of thousands of unique malware samplesappear every day. This explosive growth in recent yearshas made it ever more important to block threatsproactively signatures alone are no longer enough.
Some of the main anti-malware technologies used todayare outlined below.
Heuristic analysis
This is used to detect new, unknown threats. It includesthe use of a signature that identies known malicious
instructions, rather than a specic piece of malware.
It also refers to the use of a sandbox (a secure virtualenvironment created in memory) to examine how thecode will behave when it is executed on the realcomputer.
Vulnerability scanning and patch managementSince cybercriminals make extensive use of vulnerabilitiesin applications, it makes sense to be able to identify thoseapplications on a system that are vulnerable to attack,allowing businesses or individuals to take remedial actionwith patch management. Some solutions also includea real time scan of a computer, to block the use ofzero-day vulnerabilities.
Signatures
Traditionally, a characteristic sequence of bytes used toidentify a particular piece of malware. But anti-malwaresolutions today make extensive use of generic signaturesto detect large numbers of malware belonging to the
same malware family.
Behavioral analysis
This involves monitoring the system in real time to seehow a piece of code interacts with the computer. Themore sophisticated monitors dont just look at code inisolation, but track its activities across dierent sessions,
as well as looking at how it interacts with other processeson the computer. To protect against cryptors KasperskyLab uses two technologies: System Watcher, which isa part of proactive protection and Application PrivilegeControl, which can restrict an applications rights.For example it can prohibit applications from makingchanges to systems les.
Whitelisting
Historically, anti-malware solutions have been basedon identifying code that is known to be malicious,i.e. blacklisting programs. Whitelisting and Default Denytakes the opposite approach, blocking it if it is not in thelist of acceptable programs.
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
17/20
17
Reputation services
These days, many solutions make extensive use of acloud-based infrastructure, allowing near real-timeprotection from a newly-discovered threat.
In simple terms, metadata about any program runon a protected computer is uploaded to the vendorscloud-based computers, where its overall reputationis assessed i.e. is it known-good, known-bad, anunknown quantity, how often has it been seen, wherehas it been seen, etc. The system operates like a globalneighborhood watch, monitoring what is being run oncomputers around the world and providing protectionto every protected computer if something maliciousis detected.
Kaspersky Security NetworkKaspersky Security Network (KSN), is Kaspersky Labs
cloud-assisted service. It provides additional valueto customers, even protecting them even from, asyet, unknown threats by constantly monitoring thereputation of executed applications and accessed URLs.If the le reputation suddenly changes from good
to bad, KSN customers are informed within minutesand their corporate assets are immediately protectedagainst them.
Evolved malware requires an evolved solution the riseof integrated platforms
Malware continues to grow in volume and in
sophistication. So for businesses today, there aremore and more attack vectors to contend with.
In particular, keeping up with and controlling web usage,increasingly mobile employees (and data) and updatingan increasingly complex array of applications, mean thatthe average under-resourced IT team often has to makecompromises in its IT security.
As the environment gets more complex, the solution canbe to add new technologies to manage and protect thevarious risk areas but that increases the IT teamsworkload, cost and even risk.
This new threat landscape has led to the rst ever
truly integrated single security platform, developedby Kaspersky Lab. This platform is the best way to bringevery technology area together all viewed, managedand protected in one single management console.
A GReAT tip: Use proactive technology
Deploy anti-malware solutions that bring together dierent technologies to
block known, unknown and advanced threats in real-time, rather than relyingon signature-based protection alone.
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
18/20
18
The GReAT Team
The expert insight in this report is provided by KasperskyLabs Global Research and Analysis Team (GReAT).Since 2008 GReAT has been leading the way in anti-threat intelligence, research and innovation within
Kaspersky Lab and externally.
Why Kaspersky?
Kaspersky Lab is one of the fastest-growing IT securityvendors worldwide and is rmly positioned as a top-four global security company. Operating in almost200 countries and territories worldwide, we provideprotection for over 400 million users and over 270,000corporate clients from small and medium-sizedbusinesses to large governmental and commercial
organizations.
* Notes: According to summary results of
independent tests in 2014 for corporate, consumer
and mobile products.
In 2014 Kaspersky Lab products participated in 93independent tests and reviews. Our products were
awarded 51 rsts and received 66 top-three nishes.5
100%
Kaspersky Lab
1st places 51Participation in 93
tests/reviewsTOP 3 = 71%
0%4020
20%
40%
60%
80%
60
Threat Track (VIPRE)
Kingsoft
Bullguard
AhnLab
Qihoo 360
G DATA
Tencent
Panda Security
Sophos
Microsoft
Avira
Bitdefender
ESET
Symantec
F-Secure
AVGAvast
Intel Security (McAfee)
Trend Micro
80 100
Scoreof
TOP3places
No. of independent tests/reviews
Summary includes tests conducted by the following
independent test labs and magazines: Test labs:
AV-Comparatives, AV-Test, Dennis Technology Labs,
MRG Etas, NSS Labs, PC Security Labs, VirusBulletin.The size of the bubble reects the number of 1st
places achieved.
Our advanced, integrated security solutions givebusinesses an unparalleled ability to control application,web and device usage: you set the rules and our solutionshelp manage them. Kaspersky Endpoint Security forBusiness is specically designed to combat and block
todays most advanced persistent threats. Deployedin conjunction with Kaspersky Security Center, it gives
security teams the administrative visibility and controlthey need whatever threats they face.
GReAT has been at the forefront of analysing someof the worlds most sophisticated threats, includingStuxnet, Duqu, Flame, Red October, NetTraveler,Careto, Equation, Carbanak and Duqu 2.0. In 2013,
GReAT won Information Security Team of the Yearat the SC Awards.
5: http://www.kaspersky.com/TOP3/
http://www.kaspersky.com/TOP3/http://www.kaspersky.com/TOP3/ -
7/25/2019 Navigating the Threat Landscape - A Practical Guide
19/20
19
10 Top tips for creating security awarenessin your organization
Creating awareness in your business about the importance of IT security can be dicult, so weve put together tentips to help make communicating the issues of security to your business a little easier.
1Address your audience correctlyAvoid calling anyone users its impersonal and can leave your audience feeling a littledisassociated from what youre saying. Use employee, colleague or person instead.
2Use the right tone of voice
An approachable and friendly tone will help you communicate to your audience more eectively,
ensuring you can educate your colleagues on what they can each do to protect the business.
3Get support from the HR and legal teams
Where necessary, they can put real policies in place and provide support if it breaches are made.
4Keep colleagues informed
Consider the timing and frequency of your IT security inductions and briengs. Ensure they are
regular and memorable.
5Use your imagination
There are lots of ways to make information more engaging. The more creative and interesting,the greater the chances it will be read. Try comic strips, posters and quizzes.
6Review your efforts
Has your information sunk in? Test your colleagues and see what they have remembered andwhat they have forgotten. A quiz on the top ve IT security issues is a good place to start.
7Make it personal
Tapping into your colleagues self-interests will help them gain a better understanding of theimportance and context of IT security. For example, discuss how security breaches might aect
their mobile devices.
8Avoid jargon
Most people will not have the same depth of knowledge as you, so make sure you explaineverything in a way that is easy to understand.
9Encourage an open dialogue
Ensure people understand the consequences of a security breach; and the importance of keepingyou informed. Some may fear they will be disciplined if they have clicked on a phishing email andas a result avoid notifying the correct people.
10Consult the marketing teamWhen it comes to internal communications within your organization, they are the experts so ask for their help on how to best engage your colleagues.
-
7/25/2019 Navigating the Threat Landscape - A Practical Guide
20/20
Discover how our premiumsecurity can protect yourbusiness from malwareand cybercrime with ano-obligation trial.
Visit kaspersky.com/trialstoday to download full productversions and evaluate howsuccessfully they protect yourIT infrastructure, endpoints andcondential business data.
ABOUT KASPERSKY LABKaspersky Lab is one of the worlds fastest-growing cybersecurity
companies and the largest that is privately-owned. The companyis ranked among the worlds top four vendors of IT securitysolutions (IDC, 2014). Since 1997, Kaspersky Lab has been aninnovator in cybersecurity and provides eective digital security
solutions and threat intelligence for large enterprises, SMBs andconsumers. Kaspersky Lab is an international company, operatingin almost 200 countries and territories across the globe, providingprotection for over 400 million users worldwide.
JOIN THE CONVERSATION#SecureBiz
Watch us onYouTube
Join us onThreatpost
View us onSecurelist
Like us onFacebook
Reviewour blog
Follow us onTwitter
Join us onLinkedIn
View us onSlideShare
kaspersky.com/business#SecureBiz
GET STARTED NOWFREE 30 DAY TRIAL
GET YOUR FREE TRIAL NOW
http://www.kaspersky.com/trials#tab=tab-3http://bit.ly/1F0nnxahttp://bit.ly/193poxq%20http://bit.ly/193poxq%20https://threatpost.com/https://threatpost.com/https://securelist.com/https://securelist.com/http://ow.ly/K9E1Hhttp://ow.ly/K9E1Hhttp://ow.ly/K9EOlhttp://ow.ly/K9EOlhttp://ow.ly/K9Efthttp://ow.ly/K9Efthttp://ow.ly/K9EaIhttp://ow.ly/K9EaIhttp://ow.ly/BQTsehttp://ow.ly/BQTsehttp://www.kaspersky.com/businesshttp://bit.ly/1F0nnxahttp://www.kaspersky.com/trials#tab=tab-3http://www.kaspersky.com/trials#tab=tab-3http://bit.ly/1F0nnxahttp://www.kaspersky.com/businesshttp://ow.ly/BQTsehttp://ow.ly/K9EaIhttp://ow.ly/K9Efthttp://ow.ly/K9EOlhttp://ow.ly/K9E1Hhttps://securelist.com/https://threatpost.com/http://bit.ly/193poxq%20http://bit.ly/1F0nnxahttp://www.kaspersky.com/trials#tab=tab-3