Damballa's Q1 2016 State of Infections Report Highlights how Cybercriminals Evade Detection
If there is one word that applies to cybercriminals, it is resourceful. Even if the brightest minds in the digital world are trying to thwart their efforts 24/7, those with malicious intent still manage to exploit vulnerabilities that defenders can miss. The proof is in headline after headline of the most powerful public and private organizations in the world announcing they have been breached. The new Damballa Q1 2016 State of Infections Report highlights how these criminals are able to move their infrastructure and hide their attacks to avoid being discovered.
The digitization of the world we live in has made it much better, but it has also introduced a new breed of criminals that are wreaking havoc for businesses around the globe. And, there is a significant cost. According to Juniper's recent report, "The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation," the cost of data breaches will jump to $2.1 trillion globally by 2019. The figure is almost four times more than the current $500 billion plus in losses annually.
Damballa has a network security monitoring system that leverages its patented technology to scour big data from close to 15 percent of the world's Internet traffic. It then combines that data with machine learning to discover and stop criminal activity, stop data theft, minimize business disruption, and automatically reduce the time to response and remediation.
The company's Q1 2016 report reveals how cybercriminals evade detection using the many resources available to them in an underground community. Stephen Newman, CTO of Damballa, said, "Attackers have an incredibly vibrant underground community where they can buy or rent anything from command & control (C&C) infrastructure to sophisticated exploit kits to bare metal malware."
Editor’s Note: This underground community will be the subject of an insightful event, Inside the Dark Web, to be held May 12, 2016 at the Museum of Jewish Heritage in New York City.
One of the biggest problems in identifying the infrastructure criminals use is its transience: they don't get comfortable and settle for too long at any one location. This makes it that much harder to identify and stop potential attacks. The eight-month study conducted by Damballa looked at the Pony Loader malware and the actions the criminals took to avoid detection. The report found the criminals used 281 domains and more than 120 IPs spread across 100 different ISPs in that time period alone.
The effort to avoid detection also included changing their malware and reconfiguring it as several different banking Trojans and ransomware between September and December of 2015.
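The infrastructure churn described above (many short-lived domains and IPs per campaign) is something a defender can look for in their own DNS resolver logs. The following is an added example, not code from the Damballa report or from any Damballa product; it assumes a simple one-line-per-query log format (timestamp, client host, queried domain, resolved IP) and uses constructed sample lines with reserved documentation addresses. It flags clients that contact an unusually large number of domains that each live for only a single day, which is the pattern the study describes; mapping IPs to ISPs would need an external lookup the example does not assume.

```python
"""
Detecting fast-churning C&C infrastructure from DNS resolver logs.

Added example, not part of the Damballa report or any product. The log format
and every sample line below are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client> <domain> <resolved IP>"
# ws-017 behaves normally (same two domains all week); ws-042 contacts a new
# throwaway domain on a new IP every day, which mirrors the churn in the study.
SAMPLE_LOG = """\
2016-01-04T09:00:01 ws-017 update.cdn-example.test 198.51.100.10
2016-01-04T09:00:12 ws-017 mail.corp.example 192.0.2.25
2016-01-04T09:01:03 ws-042 kx7a1.example-churn.test 203.0.113.7
2016-01-05T11:14:00 ws-042 p09qz.example-churn.test 203.0.113.88
2016-01-06T16:30:44 ws-042 zz1m4.example-churn.test 198.51.100.201
2016-01-07T08:02:19 ws-042 b77qe.example-churn.test 192.0.2.140
2016-01-07T08:05:00 ws-017 update.cdn-example.test 198.51.100.10
2016-01-08T10:45:12 ws-042 qr5kt.example-churn.test 203.0.113.9
2016-01-08T10:46:00 ws-017 mail.corp.example 192.0.2.25
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, domain, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain, ip = line.split()
        records.append((datetime.fromisoformat(ts), client, domain.lower(), ip))
    return records


def domain_lifetimes(records):
    """Return how long each domain stayed in use (last seen minus first seen)."""
    first, last = {}, {}
    for ts, _, domain, _ in records:
        first[domain] = min(first.get(domain, ts), ts)
        last[domain] = max(last.get(domain, ts), ts)
    return {d: last[d] - first[d] for d in first}


def churn_score(records, window=timedelta(days=7), max_lifetime=timedelta(days=1)):
    """For each client, the largest number of short-lived domains (and the IPs
    they resolved to) contacted within any sliding window of the given length."""
    lifetimes = domain_lifetimes(records)
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)

    result = {}
    for client, recs in by_client.items():
        recs.sort()  # tuples sort by timestamp first
        best_domains, best_ips = set(), set()
        for i, (start_ts, _, _, _) in enumerate(recs):
            domains, ips = set(), set()
            for ts, _, domain, ip in recs[i:]:
                if ts - start_ts > window:
                    break
                # Only count domains that were in use for at most max_lifetime;
                # long-lived domains (the corporate mail server) are ignored.
                if lifetimes[domain] <= max_lifetime:
                    domains.add(domain)
                    ips.add(ip)
            if len(domains) > len(best_domains):
                best_domains, best_ips = domains, ips
        result[client] = {"domains": len(best_domains), "ips": len(best_ips)}
    return result


def flag_churning_clients(records, min_domains=4, window=timedelta(days=7)):
    """Clients that touched at least min_domains throwaway domains inside one window."""
    scores = churn_score(records, window)
    return sorted(c for c, s in scores.items() if s["domains"] >= min_domains)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, score in sorted(churn_score(recs).items()):
        print(client, score)
    print("flagged:", flag_churning_clients(recs))
```

The threshold (`min_domains`) and the one-day lifetime are assumptions to tune against a baseline of your own traffic; a single never-seen-again domain is ordinary, while a steady stream of them from one host, each on a fresh IP, is the pattern worth pivoting on in proxy and endpoint telemetry.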
Another technique uses Trojans to delete files on an infected device. In this case, it was the Destover Trojan, which allows attackers to stay undetected inside the network while they expand their presence and download large volumes of valuable and sensitive data. Damballa said this particular Trojan was used in the Sony Pictures Entertainment and Saudi Aramco breaches.
Damballa concludes its report by saying antivirus, firewalls and sandboxing still play a valuable role in a defense strategy, but the need for robust detection and response has never been more apparent. As Newman goes on to say, the company's hope is "to shed light on common techniques, so enterprises can reassess and improve their existing security controls."
Edited by Peter Bernstein