It’s easy to focus on the different kinds of malware threats. Data exfiltration, phishing, ransomware, Trojans, cryptomining and all the other threat vectors present sufficient challenges to cybersecurity teams. But the reality on the ground is more complicated, and these complications are only expected to become more common.
As threat actors evolve and successfully create components to compromise systems, expect and prepare for more synergistic threats.
What’s a Synergistic Threat?
Much as a bank robbery may involve multiple actual crimes (assault, grand larceny, and various traffic violations, along with actual armed robbery), carrying out a successful cybercrime can entail using various tactics for one nefarious goal. Take for instance a phishing attack that opens the door to a classic Trojan scheme, enticing a user to download a file that sets up a C2 connection.
Most cybersecurity teams have seen this gambit. But if you leave it at that and mistake the tactic for the strategy, you run the risk of missing a larger attack that the obvious one conceals.
For instance, what if the C2’s ultimate goal is to ascertain a system’s overall capacity to host different kinds of malware and deploy whichever will do the most damage? Your damage, after all, is their payday.
Malware evolves. That happens in many ways, including by leveraging synergies to exploit existing malware programs more efficiently and effectively, in effect turning them into components. Just as your company may look to synergies to improve performance and innovate, bad actors can do the same.
GandCrab, a very widely distributed ransomware, provides an example. It uses multiple vectors (botnets, phishing, trojanized programs and exploit kits, just to name a few) to gain entry. Once inside, it executes its programs: all pretty standard for ransomware. But consider why it’s so widely distributed. Because it relies on collaboration with other criminal groups (exploit kit creators, as well as its own criminal customers), many call GandCrab ransomware-as-a-service. The threat actors behind GandCrab license it to others to deploy at will, so those bad actors don’t need any particular tech savvy to use and profit from it. Further, its originators don’t just offer it as a service; they run it as one, providing frequent updates. In one year GandCrab reached version 5.0.5.
Prepare for More Complicated Attacks
If it’s possible, be more suspicious. Assume that connections may exist between seemingly simple, isolated threats, and, as with a Trojan, consider that you may not be seeing all there is to see, even when you detect a threat. You can incorporate this kind of perspective in your post-mortem meetings. It would enrich the time you spend evaluating the incident response and help keep a ‘resolved’ attack on the radar when reviewing the next threat and its response.
Consider having post-mortem meetings if you don’t already. They give companies an opportunity to hone best practices and get into the details that should be informing high-level decisions and resource allocation.
Greater complexity in your cybersecurity approach won’t necessarily neutralize complex attacks. Sophistication can. What’s the difference? Sophistication requires knowledge, awareness and an attention to simplicity, in this case simple solutions. If you assume that synergies may be in play, that’s half the battle. Looking at malware threats from this perspective enables companies large and small to choose the right suite of security solutions and adopt a holistic approach.
By Tenea D. Johnson
Founder, Progress By Design