Kevin Beaver's Security Blog

Complacency, meet APT – How basic oversights lead to complex malware infections

Low-hanging fruit – that is, the missing patches, default passwords, lack of full disk encryption and so on present in practically every environment – is something I’ve ranted about time and again because there’s no reason to have it on your network. Why? Well, for one thing, rogue insiders may just exploit it for ill-gotten gains. But even worse, low-hanging fruit can be the target of malware exploitations that you’re not prepared to take on. You see a few missing patches and unhardened endpoints combined with users gullible enough to click whatever’s placed on their screens and you’ve got yourself the recipe for disaster.

Low-hanging fruit can turn from “Yeah, I need to get to that stuff…” to “Oh crap, all of our workstations are being controlled by someone on the other side of the world”.

Recent shifts in IT like consumerization, mobility and the desire for instant gratification when it comes to computer and Internet access have made these threats even more formidable. Users are indeed going to do what they want to do. In many cases, management will proudly back them up – even if they have no clue about the long-term impact to the very business they’re responsible for running.

Built-in security controls provide an opportunity for us to save time, effort and money keeping our systems in check without having to spend a dime more than we need to. That said there are certain security controls that operating system and hardware vendors haven’t mastered. One in particular is security controls designed to help with APTs and advanced malware. It’s just not possible to get the specialized protection out of the box from the mainstream vendors that you’re going to get with a the niche technologies I talked about my recent paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In.

It’s no different than how I buy special tires and brake pads for my race car. When there’s a specific need, odds are the stock equipment just won’t cut it.

One of the most damaging misconceptions about malware is that the big anti-virus vendors are going to keep endpoints safe. It’s this very mindset that’s gotten businesses into hot water recently. I saw it when working on an incident response project that falls under the Operation Shady RAT umbrella. I think it’s safe to say that traditional anti-virus vendors come nowhere close to protecting your network – especially if such an attack is targeted. In fact, the entire concept of APTs and advanced malware is not very well understood by the IT and information security community as a whole.

How are you supposed to protect against something like this? It’s not simple. You’ve got to have the right tools, the necessary documentation and, perhaps most importantly, management that gets it.