A Threat As Old As The Internet: Why We Still Care About Malware (And Why You Should Too)
It started with the global shutdown due to the COVID-19 pandemic. Overnight, many organizations were forced to support employees working remotely. CISOs, like me, were expected to keep both our company and its employees safe in a completely unpredictable world. Then came the SolarWinds attacks, a series of supply chain attacks that could turn out to be the farthest-reaching attacks many cybersecurity professionals will see in their entire careers.
It may be years before we know the full scale and impact of these attacks. One thing we do know is that the hackers used a tried and true method: malware, malicious code designed to damage or take control of devices, services or networks. The malware was embedded into digitally signed software updates, so the vendor's valid signature offered no protection, and multiple organizations that installed those updates were compromised as a result. At least two distinct malware threats, Sunburst and Supernova, were identified.
What made these attacks stand out was their scale. The cyberattacks on SolarWinds reached far more organizations than other supply chain attacks we have seen, and they set a precedent for further large-scale attacks unless we are prepared with the appropriate response.
We’ve seen multiple instances of supply chain attacks over the last few years, the most prominent being NotPetya in 2017, and many of us in the industry thought a high-profile supply chain attack was bound to happen. Cyberspace is where the new wars are fought. In fact, at Splunk, we called out supply chain attacks as a threat to watch in our Splunk 2021 predictions, before the SolarWinds compromise was made public. We didn’t have some secret knowledge that others in the industry lacked; several pages in the attacker’s playbook were recycled from earlier attacks. Unfortunately, as an industry, we didn’t invest enough in mitigation techniques.
Malware is a problem nearly as old as the internet itself (the first PC viruses date back to the 1980s), and decades later we’re still dealing with it. Countless types of malware exist, and threat actors are always developing new tactics to deploy them, so attackers have an increasingly sophisticated range of tools for distributing a wide range of malware, further expanding and deepening their reach.
Because malware deployment is such a broad threat category, finding it requires multiple searches and detection techniques aimed at different stages of an attack, from initial delivery through execution and persistence to command and control, depending on the particular campaign. So as IT and security leaders, we need comprehensive strategies that specifically mitigate these attacks rather than a single control.
In short, we need to optimize our resources and find bad actors faster. No matter how long you’ve been in the cybersecurity industry, it’s imperative that you stay up to date with the latest security threats. This is why, at Splunk, we provide our customers with Security Analytic Stories, so the latest security trends and corresponding detections are delivered directly to their SOCs.
This is also why, even after more than 20 years in the security industry, I still have my team develop weekly reports on the latest threats and vulnerabilities. The threat hunter intelligence (THI) team at Splunk is constantly hunting for adversaries and their latest tactics so that we can better prepare for what our adversaries are planning next, one part of staying a step ahead of cyberattacks.
Beginning with this month’s first issue on malware, we’ll be publishing a monthly Threat Hunter Intelligence Report featuring key insights from Splunk’s THI team on the latest in cybersecurity topics such as malware, nation-state attacks, emerging security threats and more, so that you, too, can be better prepared for the next attack.
----------------------------------------------------
Thanks!
Yassir Abousselham