Kaspersky recently published a report about an APT group called “Equation Group”. Believed to be the NSA, this attack group uses the most sophisticated malware seen to date, including malware designed to retrieve data from air-gapped networks and firmware malware designed to create a hidden partition and protect it from scanning or disk reformatting. In addition to spearphishing and browser exploitation, they show capabilities to intercept and modify physical goods in transit, like CDs. Kaspersky reports that the Equation Group has attacked both government victims and corporate victims across multiple industries, including telecoms, defense industries, financial institutions, energy companies, Islamic scholars, and companies developing sensitive technologies like encryption or nanotechnology.
With all threat intelligence reports, every organization should examine which parts of the report (if any) are relevant to them. However, even if your organization is not in the known target profile of Equation Group, this report is an excellent reminder that sophisticated malware is becoming increasingly available. Even if highly advanced firmware malware is unlikely to be deployed against your organization, rootkits are becoming increasingly common. Even common malware like the Cutwail botnet or the Ruckstock botnet employ rootkit functions. This shows one of the weaknesses of security agents. Like most programs, security agents typically rely on operating system APIs to interact with the host system. The problem is that rootkit functions allow malware to operate on a lower level than the operating system APIs, allowing the malware to modify any interaction between a program and the operating system.
Antivirus and endpoint agents still have a place in a mature security program, but their limitations show the need for other intrusion detection tools. Even advanced malware needs to be able to communicate with the intruders. Where endpoint detection fails, network intrusion detection and log analytics can fill in the gaps to detect intrusions more reliably. A good log analytics product should be able to correlate alerts from all deployed security devices, building a more complete picture for easier validation and faster detection.
Check our thoughts on a wholesome, full threat sequence (kill chain) representation.