Gaining Visibility on Malware Attacks

Wednesday, August 17, 2016 @ 09:08 AM gHale


Network Monitoring can Help Ward Off Costly, Sophisticated Assaults

Fighting off malware and the havoc it can wreak on a system is a cost that can truly hurt any manufacturer, and the catch is that with smarter, more sophisticated attacks out there, any company is susceptible at any given point.

Unplanned downtime, remediation, stolen intellectual property and damage to reputation are the end results of a malware attack, and the costs can quickly jump into the millions of dollars. Just last year, the average consolidated total cost of a data breach was $3.8 million, up from $3.5 million the previous year, a 23 percent increase in the total cost of a data breach since 2013, according to a study by the Ponemon Institute.

While the attacks are efficient and thorough, malware has also evolved into a commercial off-the-shelf product: anyone can buy it from an underground developer, and an attack is only a quick click away.
Attacks against manufacturing automation companies are well known: Stuxnet, Duqu, Shamoon and BlackEnergy, to name a few. That is why one strong business move is to understand the network and be able to see attacks forming from the beginning.

One of the traditional tools to ward off a malware attack is antivirus, which looks for known code and quickly shuts it down. However, any halfway decent malware today can operate in stealth mode and elude signature-based antivirus.

Network Visibility
Malware is getting smarter, which means it is not going away. The numbers back that up.

Malware attacks more than doubled over the past year, one report said. Just one company, Dell, had its security products log more than 64 million unique malware samples, a 73 percent rise from 2014 (37 million) and triple the 2013 figure, according to the Dell Security Annual Threat Report.

Additionally, Dell said it blocked 2.17 trillion IPS (intrusion prevention system) attacks and 8.19 billion malware attacks, the latter figure roughly twice the number recorded in 2014 (4.2 billion).

Part of that growth came from exploit kits upgrading their code: more complex anti-forensic mechanisms to evade security software, frequent URL pattern changes to evade easy detection, and new URL redirection techniques to steer users toward the kit's landing page, where the infection occurs.

While these numbers give a snapshot of overall malware attacks across quite a few industries, manufacturing is not immune. Just ask Saudi Aramco, RasGas, SAFCO, Canadian gold-mining company Goldcorp, the Lansing, MI, Board of Water and Light, and aircraft component maker FACC, to name a few.

As mentioned, antivirus does work to a degree, but there is more than one way to detect malware on a system.

Another Defense in Depth Tool
While not solely a security tool, network monitoring does provide another element in a defense in depth program.

By logging network traffic and retaining those logs long term, it is possible to build an audit trail that can be used to reconstruct a sequence of events.

That means it would be possible to log all the network traffic related to a malware incident. When dealing with malware, you also have to log data at a higher level: Who connected to which computer? What credentials did they use to log in? What applications did they run?
Traffic analysis features work well in those scenarios. That analysis rests on a baseline built to understand what the network should look like on a normal day: the baseline is collected over a period of time, and the user can then see the average usage for each host and link.

Think about the ability to know what is normal for the network so it is possible to rapidly detect abnormalities. This includes monitoring and logging communications that occur between industrial networks and external (office)/public (Internet) networks.

If a malware agent working on the network caused a bandwidth increase above that baseline, it would be possible to create an alert flagging the abnormal traffic, which would help pick up on the attack.

Unmasking Malware
Also, if the manufacturer is using NetFlow, it is possible to pull information from it. NetFlow is a feature on Cisco routers that collects records of IP network traffic (the endpoints, ports, protocol and byte counts of each flow, not the payload) as it enters or exits an interface. By analyzing the data provided by NetFlow, an administrator can determine the source and destination of traffic, class of service, and the causes of congestion. It will also report which protocol and port any particular piece of software running on the network is using.

In that case, malware would stand out precisely because it tries to run behind the scenes: it starts sending traffic on some unusual port, trying to connect out to a remote server for instructions on what it should do. A flow from a host to a destination and port that never appeared in the baseline is exactly the kind of event a NetFlow report exposes. If a user can report on NetFlow, it is possible to capture that information from the device and configure alerts for an abnormal traffic flow on the network.
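As an added example (not code from the original article or from any monitoring product it mentions), the Python below applies the baseline-then-alert idea from the preceding paragraphs to constructed NetFlow-style records. Five days of normal plant traffic form the baseline; on day six the script flags a historian that has started talking to a never-before-seen external host on a new port, and an HMI whose volume on a known port is far above its usual daily mean. The addresses (10.10.0.0/16 for the industrial network, 10.20.0.0/16 for the office, 203.0.113.45 as the external host), the Modbus, SQL and DNS flows, and the 3-sigma threshold are all assumptions.

```python
"""Baseline-and-alert pass over NetFlow-style flow records (added example).
The flows below are constructed, not captured; the addresses, ports and
thresholds are assumptions. Each record is (day, src, dst, dst_port, proto,
bytes), the fields a flow collector such as nfdump can export as CSV."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed addressing: the industrial (OT) and office networks are internal;
# anything else (here TEST-NET-3, 203.0.113.0/24) counts as external.
OT_NET = ip_network("10.10.0.0/16")
INTERNAL_NETS = (OT_NET, ip_network("10.20.0.0/16"))

def _normal_day(day, scale):
    """One constructed day of normal plant traffic, scaled a few percent."""
    return [
        (day, "10.10.1.20", "10.10.1.5", 502, "tcp", int(1_200_000 * scale)),     # HMI polls PLC (Modbus)
        (day, "10.10.1.20", "10.10.1.1", 53, "udp", int(20_000 * scale)),         # HMI DNS lookups
        (day, "10.10.1.30", "10.10.1.5", 502, "tcp", int(3_000_000 * scale)),     # historian polls PLC
        (day, "10.10.1.30", "10.20.5.10", 1433, "tcp", int(40_000_000 * scale)),  # historian -> office SQL
    ]

# Five baseline days, then day six: the HMI moves 50x its usual volume over a
# known port, and the historian beacons twice to an external host on a port
# it has never used before.
BASELINE_FLOWS = [rec for day, scale in enumerate([1.00, 0.96, 1.04, 0.99, 1.02], 1)
                  for rec in _normal_day(day, scale)]
TODAY_FLOWS = [
    (6, "10.10.1.20", "10.10.1.5", 502, "tcp", 60_000_000),
    (6, "10.10.1.20", "10.10.1.1", 53, "udp", 20_500),
    (6, "10.10.1.30", "10.10.1.5", 502, "tcp", 3_100_000),
    (6, "10.10.1.30", "10.20.5.10", 1433, "tcp", 41_000_000),
    (6, "10.10.1.30", "203.0.113.45", 8443, "tcp", 60_000),
    (6, "10.10.1.30", "203.0.113.45", 8443, "tcp", 58_000),
]

def is_external(ip):
    """True when the address lies outside every internal network."""
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def build_baseline(flows):
    """Per source host: the (dst_port, proto) pairs it normally uses, and the
    mean and population stdev of its daily byte total."""
    known_ports = defaultdict(set)
    daily_bytes = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, dport, proto, nbytes in flows:
        known_ports[src].add((dport, proto))
        daily_bytes[src][day] += nbytes
    volume_stats = {}
    for src, per_day in daily_bytes.items():
        totals = list(per_day.values())
        volume_stats[src] = (mean(totals), pstdev(totals))
    return known_ports, volume_stats

def analyse(flows, known_ports, volume_stats, sigma=3.0):
    """Return (kind, src, detail) alerts: "new-port" when an OT host talks on
    a port/protocol absent from its baseline (once per src/dst/port), and
    "bandwidth" when a host's daily bytes exceed mean + sigma * stdev."""
    alerts, reported, today_bytes = [], set(), defaultdict(int)
    for _day, src, dst, dport, proto, nbytes in flows:
        today_bytes[src] += nbytes
        key = (src, dst, dport, proto)
        if (ip_address(src) in OT_NET and (dport, proto) not in known_ports.get(src, set())
                and key not in reported):
            reported.add(key)
            where = "external" if is_external(dst) else "internal"
            alerts.append(("new-port", src, f"{dst}:{dport}/{proto} ({where} host)"))
    for src, total in today_bytes.items():
        if src in volume_stats:
            mu, sd = volume_stats[src]
            # Floor the spread at 5% of the mean so a very flat baseline does
            # not turn ordinary day-to-day variation into alerts.
            if total > mu + sigma * max(sd, 0.05 * mu):
                alerts.append(("bandwidth", src, f"{total} bytes today vs. baseline mean {mu:.0f}"))
    return alerts

def run_demo():
    """Learn from five normal days, then analyse day six."""
    known_ports, volume_stats = build_baseline(BASELINE_FLOWS)
    return analyse(TODAY_FLOWS, known_ports, volume_stats)

if __name__ == "__main__":
    for kind, src, detail in run_demo():
        print(f"[{kind}] {src}: {detail}")
```

Run as a script it prints exactly two alerts: the historian's new external 8443/tcp destination (the repeated beacon is reported once) and the HMI's bandwidth spike. The historian's total volume stays inside its threshold, so the beacon is caught by the port check rather than by volume, which is the point of keeping both checks: small, quiet command-and-control traffic is invisible to a bandwidth alert alone.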

Getting that information quickly and in understandable form is key in this age of worker shortages, and that plays to another strength of a network monitoring tool: once set up, it requires little day-to-day administration. It is almost a set and forget solution, although the baseline should be revisited whenever the plant network changes, or legitimate new traffic will show up as false alerts.

If some type of attack should occur, the user would have the information and the historical background to see how long it has been occurring.

That is important because malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify, according to a Ponemon Institute study of 350 companies spanning 11 countries sponsored by IBM.

Whether malware is on a system for 256 days or one day, knowing your network and what is on it just makes good business sense.