I currently work for a security vendor that has over 25 years of Information Security experience, a significant majority of that experience in the Anti-Malware, Anti-Virus space.
Having seen the virus distribution industry (nefarious as it is) grow from a new virus every month to over 100,000 new viruses a day, and the hacking culture morph from a teen hobbyist activity to a full fledge career choice (nefarious as it is); it is fair to say we have seen a lot and we have made it our purpose, for our existence, to understand the evolving threat landscape. I mean, what use would a security company be if it doesn’t understand what the threat is?
So what are we seeing? A change in behaviour. It use to be that a virus writer would spend a few month perfecting their newest Trojan and then set about distribution. The traditional and easiest distribution method was to send it to thousands of email addresses as an attachment, if one person in one hundred opened the email and executed your Trojan you had the start of a creditable bot-net. The more emails you sent, the more bots added to your network. The nice thing was once you infected a single machine, you could harvest the emails of that machine and send out more personalised emails from the infected user to their friends, thereby improving your click through and infection rate.
But then those nasty Anti-Malware vendors caught on. They started publishing their own “honey pot” email addresses, so that they would be one of the thousands of users to receive the newly born Trojan. Once they received the email with the attached file they would automatically execute the file in a sandbox environment and monitor its behaviour, if it installed itself as a service, or as a self starting application, opened up a listening port, attempted to communicate with an external machine (most likely a known command and control centre) or attempted to spread to other machines on the network it would be marked as nefarious and be bundled up as a Malware signature and instantly uploaded to the vendors cloud distribution server to inform the other Anti-Virus vendor customers. Essentially you were busted.
What do you do? Change your behaviour. Instead of spamming the world with your newly written Trojan you now needed to be smart about how you distributed it, you do not want your Trojan to end up at a Honey Pot email address, you need to “Target” your victims. This will also help with the other trend in the market, users becoming more savvy and not instantly executing attached files from strangers.
Now you will need to hand pick your “Target” organisation, you will do your reconnaissance, find out who the CEO, COO or other senior members of the organisation are, a quick Google search, no problem. You then send an email to Fred, the CEO, from Helen the COO with the attached “Quarter 1 Sales Figures”, bingo, you are in.
The advantage of this new attack vector is that the Anti-Malware vendors never get to see the attached “Quarter 1 Sales Figures”, as it never gets sent to their “Honey Pot”. They have never seen your new Trojan and therefore do not have a signature for it. Now those corporate suits have a real problem.
What do they do? Change their behaviour. The corporations need to have their own Anti-Malware capability, the ability to take all attached files in emails and execute them in a sandbox environment, that mimics their own internal environment, and monitor the activity. Anything that is nefarious is bundled in to a Malware signature and distributed to the internal Anti-Virus applications, possibly even sent back up to the Anti-Malware vendors cloud for global distribution. Custom security. I would expect this capability to extend to downloaded files from the Internet and possibly files from external portable storage such as USB sticks or mobile phones.
Secondly, if a Trojan does get established in the organisation and starts to leak out data, a tool that analyses the network traffic and looks for suspect behaviour should provide another line of defence. After all Trojans will want to communicate out to their command and control centres and/or spread to other machines in the network. We should be able to detect this behaviour.
Not surprising, with 25 years of experience in this space the organisation I work for does have a response to this changing threat landscape, feel free to get in touch if you would like to discuss options.