There are gaps in what cyber security people know of malware and cyber threats, according to a survey by a malware protection product company. Respondents were asked to identify different malware behaviours. Near all were aware that malware can turn a webcam on to see if anyone is sitting in front of the computer (98pc) and can monitor a keyboard to see if a user is typing (97pc), both of which are among the many techniques malware uses to evade detection. However, only 70pc knew that malware is able to avoid being detected by a sandbox.
Brian Laing, VP at Lastline, said: “Malware has been able to sniff out that it resides on a virtual machine (used as a sandbox) for years now, so it is a little worrying that a third of cybersecurity professionals were unaware of this. Malware often plays a game of deception, pretending to be a perfectly benign program when analysed by a defensive tool. Once it is past defences, it can then perform the malicious activities it was programmed for when running on a user’s device.”
Respondents were also asked to identify the behaviours of specific types of malware. While 93pc correctly identified a Trojan as malware disguised as something that a user wants or something legitimate, over three quarters (77pc) agreed with the statement that a virus actively seeks new computers to infect, which is actually the behaviour of a worm. And half indicated that a rootkit creates a network of compromised devices for use in a coordinated attack, which actually is what a botnet does.
Laing argued that this level of knowledge can be crucial in incident response strategies. “When deciding how to prioritize security strategies and technology investments, it’s important to know what types of behaviors a given piece of malware has and how they behave. For example, when reading that WannaCry is a worm, it’s important to know what a worm is and how it spreads so that you know, for example, that cleaning the initially infected machine will not eradicate it from the network.”
Respondents were also given a list of names and asked to identify which ones were strains of malware. Respondents correctly identified the real strains of malware on average 28pc of the time, with the best results attributed to the widespread malware, Slammer (40pc) and SpyEye (37pc).
Laing said: “Given the level of media attention that some malware discoveries get, it is interesting that the majority of respondents couldn’t identify them, but not surprising. It just doesn’t matter when you’re fighting cybercrime today. Given the volume of malware, the pace at which it evolves, and how criminals borrow from each other and re-write the code, there are not clear distinctions or naming connections between one attack and a subsequent attack using what may largely be the same code. What’s important is detecting it, by whatever name, and understanding its behaviours so you can mitigate and remediate.”
Regardless of the malware used, its behaviour, or ability to evade detection, malware clearly causes significant pain to IT security, as highlighted by the final result. The survey found that 44 percent of security professionals would rather have root canal surgery than make a ‘walk of shame’ to the boardroom to explain that they’ve suffered a data breach.
About the survey
With 326 information security people at the Infosecurity Europe 2017 conference in June 6 to 8, 2017, at the Olympia Conference Centre in London.