In the first article of this series -- Threats! What Threats? -- I mentioned that my colleague, Steve Patton, thought we at Stamus Networks weren’t doing enough to explain what we mean when we say “threats.” His reasoning was that we talk a lot about threats, but we never really explain what we mean.
In an effort to fix that we will dig deeper into a very prolific threat facing nearly every organization - Malware. We’ll look at what we mean by Malware and how Stamus Security Platform (SSP) can help.
What is malware and why is it bad?
Malware, otherwise known as malicious software, is essentially any type of software that is meant to bypass a system's intended operation. The goal of malware is to cause damage to a computer’s systems. It is important to note that not every software that causes damage to a system is malware, and sometimes certain programs just have bugs or are naturally corrupt. The difference between these types of programs and malware is that the latter intentionally seeks to harm a system or the organization and user the system belongs to.
There are many different types of malware which are often classified by the way it infects a system and the type of attack it seeks to carry out. While some malware types are more dangerous than others, without the proper defense systems they all pose a serious threat on any organization’s systems. Here are some of the more common types of malware and their basic functions:
- Viruses: Triggered by an action like opening an attachment or running a newly downloaded program, viruses drop a payload of code that rewrites or destroys critical files or implants other malicious software like trojans or ransomware.
- Worms: This type of malware can infect systems without any user contact, and then spread quickly to other uninfected systems. By using remote code execution, black hats that employ worms can install programs, create new users, and change network settings.
- Trojans: By pretending to be another type of non-malicious program like a PDF file, game, or browser extension, trojans can avoid detection while running malicious tasks in the background. Remote Access Trojans (RATs) are fairly common and allow adversaries to employ command and control servers to remotely gain backdoor access into your system through seemingly normal network traffic.
- Ransomware: This malware uses encryption to lock certain files or block access to a computer’s system until a ransom is paid. Check out this previous article for a closer look at what Ransomware is and how SSP can help.
- Spyware and Adware: These two types of malware tend to infect a computer’s web browsers. Spyware steals data whereas adware displays large amounts of ads which can often contain other malware programs.
Once Malware has infected a system, it might not necessarily act immediately. More sophisticated malware often functions as an Advanced Persistent Threat (APT) and will spend long periods of time attempting to remain undetected to gather more information, access different parts of a system, or wait for a specific trigger or user action to deploy a full payload.
How does Stamus Security Platform help with malware?
It is vital to the safety of an organization to malware is caught before extensive damage is done. By employing the use of a network-based detection and response system like the Stamus Security Platform (SSP), analysts can see threats before they have the opportunity to cause a full-blown data breach.
SSP uses thousands of different detection methods that are each suited for different types of malware infections. These methods help locate and identify various types of malware and then provide valuable context that not only helps security teams stop the threat, but also gives them the opportunity to create automation that can help detect those same threats even faster in the future.
Let’s take a look at one specific type of malware for an example:
Remote Access Trojans (RATs) use backdoor access to control a target machine with administrative privilege. This is typically done invisibly after a user downloads an infected program or file. Using a command and control server, a malicious adversary can send different commands over the network and receive sensitive data back in response.
The Stamus Security Platform is highly effective at catching RATs before they can do too much damage. This is because RATs communicate through the network, piggybacking off of other seemingly innocuous traffic. SSP is a network-based detection and response platform, which uses a number of different detection mechanisms to monitor network traffic.
Currently, SSP has the capability to detect 93 different known RATs using 2,795 different detection methods, although this number is updated daily and is always increasing. SSP goes beyond what other Network Detection and Response (NDR) systems are capable of because it also includes the traditional IDS and NSM threat hunting data. Unlike other security systems, such as end-point detection, SSP is better equipped to detect RATs because of its focus on the network. And because it passively monitors network traffic, SSP is not subject to bypass or direct attacks like an endpoint system might be.
Traditional intrusion detection (IDS) and network security monitoring (NSM) systems are reasonably effective at catching malware like RATs, but their biggest difference from SSP is in how those systems convey their results.
These traditional systems function like an “alert cannon”, blasting off thousands of alerts and leaving the security team with the task of sifting through data looking for meaningful signals of a breach. In contrast, SSP analyzes the alert traffic automatically with prioritization and detection algorithms, issues Declarations of Compromise™ to notify the analyst of only the most serious and imminent threats, and presents the information in an easy-to-understand incident timeline along with a substantial body of contextual evidence.
While RATs are only one example of the way Stamus Security Platform leverages network data, there are numerous other types of malware threats that can be detected anywhere along the kill chain. The threat research team at StamusLabs adds new threats and refines detection methods on a daily basis, and these updates are loaded onto each SSP daily.
More information on Stamus Security Platform
So, next time my colleague Steve asks “why don’t we ever mention the types of threats we’re talking about?” I can thank him and point him to this blog series.
If you’d like to get a live demonstration of Stamus Security Platform or discuss how it might help you detect and respond to threats in your network, please click on the button below to request a demo.