Contagion: collaborating to fight the malware pandemic

Opinion by Terry Greer-King

"A characteristic feature of pandemics is their rapid spread to all parts of the world ... We are all in this together, and we will all get through this, together." Dr Margaret Chan, director-general of the World Health Organisation said this at the start of the 2009 H1N1 'swine flu' pandemic. However, she could just as easily have been talking about malware outbreaks.


According to a May 2012 Ponemon Institute survey, 35 per cent of UK companies have experienced web-based malware attacks, and 29 per cent have been targeted by advanced persistent threats (APTs) over the past two years. Yet less than half of firms have protection to fight advanced threats, and it is these threats that are operating on a truly global, pandemic scale.

It's been estimated that up to a quarter of all computers connected to the internet are part of a botnet. In 2011, the TDL Botnet reportedly infected more than 4.5 million computers and approximately 100,000 unique addresses per day.

One of the key reasons for the rapid spread of bots and other forms of advanced threats is that the cyber criminals using them often target several companies, to increase the likelihood of their attack's success. Like its infectious counterparts in the natural world, malware is growing in sophistication.

Botnets are polymorphic in nature, mimicking normal application and traffic patterns – making it difficult for traditional signature-based solutions to combat them.

What's more, bots are designed to be stealthy, so many companies aren't aware that their networks have been infected and security teams often lack proper visibility into the security-breaching actions that botnets are performing. Hence the continued rapid spread of new threats, high global infection rates and ongoing damage and losses.

There's another critical contributing factor to this rapid spread. Even though thousands of companies are targeted by bots, each organisation typically tries to fight the threat separately and often after they have already been infected.

In many cases, the organisation's anti-malware defences may not have the update that enables them to detect the infection, or the layered defences to block its actions. It's the equivalent of trying to fight a disease only by treating those who have already become ill with the infection. Wouldn't it be a better approach to inoculate against the infection – to contain and block its ability to spread to others?

After all, it's through global collaboration that the medical industry managed to contain the H1N1 epidemic, with the World Health Organisation working locally with individual countries' health ministries and using information from this to coordinate and drive an international response. So why can't organisations collaborate in the same way, and share data on new threats as they emerge?

In effect, this would enable companies to become part of a global network of threat sensors – closing the time window between the discovery of a new attack, and the ability to defend against it.

In a recent study, it was noted that 85 per cent of breaches from cyber attacks took weeks or more to be discovered. If companies could share information about new bots or malware threats when they are identified on their networks, key descriptors of the threat (such as the IP address, URL or DNS name) could be shared in the cloud, and updates on the specifics of the new threat shared globally in a matter of minutes.

For example, this would enable the key details of a new threat or attack that is discovered in Japan to be quickly shared with organisations worldwide, providing enriched threat intelligence so defences can be updated to block the attack. This may involve closing a firewall port, updating intrusion prevention systems or applying a patch – but with that intelligence, organisations can pre-emptively protect themselves.
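To make the sharing loop above concrete, here is an added example (not from the article or from Check Point) of the consuming side: a small script that takes shared indicators of the three kinds the article names (IP address, URL, DNS name), normalises the formatting differences that creep in between partners, and checks them against local firewall, DNS and proxy logs so the matching hosts can be blocked or investigated. The feed format, the log format and every value in them are constructed for illustration; the addresses are from documentation ranges, not real indicators.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample of a shared indicator feed (documentation-range values, not real IoCs).
SHARED_FEED = json.dumps([
    {"type": "ip", "value": "203.0.113.45", "source": "partner-jp", "action": "block"},
    {"type": "domain", "value": "Update-Check.Example.", "source": "partner-jp", "action": "block"},
    {"type": "url", "value": "http://cdn.example.net/dl/loader.bin", "source": "partner-de", "action": "alert"},
])

# Constructed sample firewall, DNS and proxy log lines in a simple key=value style.
LOCAL_LOGS = [
    "2012-06-01T10:00:01 proxy src=10.1.2.3 url=http://cdn.example.net/dl/loader.bin status=200",
    "2012-06-01T10:00:05 dns src=10.1.2.7 query=update-check.example. type=A",
    "2012-06-01T10:00:09 fw src=10.1.2.9 dst=203.0.113.45 dport=443 action=allow",
    "2012-06-01T10:00:12 proxy src=10.1.2.3 url=https://intranet.example/home status=200",
]

KV = re.compile(r"(\w+)=(\S+)")

def norm_host(host):
    """Lowercase a hostname and drop a trailing dot so feed and log forms compare equal."""
    return host.strip().lower().rstrip(".")

def load_feed(raw):
    """Index shared indicators by type, normalised so partner formatting differences don't matter."""
    feed = {"ip": {}, "domain": {}, "url": {}}
    for ind in json.loads(raw):
        key = ind["value"].strip() if ind["type"] == "url" else norm_host(ind["value"])
        feed[ind["type"]][key] = ind
    return feed

def match_logs(feed, lines):
    """Return (local host, shared indicator, recommended action, sharing partner) per matching log line."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        ind = None
        if "url" in fields:  # proxy: exact URL hit, else the URL's host against the domain list
            host = norm_host(urlsplit(fields["url"]).hostname or "")
            ind = feed["url"].get(fields["url"]) or feed["domain"].get(host)
        elif "query" in fields:  # DNS: queried name against the domain list
            ind = feed["domain"].get(norm_host(fields["query"]))
        elif "dst" in fields:  # firewall: destination against the IP list
            ind = feed["ip"].get(fields["dst"])
        if ind:
            hits.append((fields["src"], ind["value"], ind["action"], ind["source"]))
    return hits

if __name__ == "__main__":
    for hit in match_logs(load_feed(SHARED_FEED), LOCAL_LOGS):
        print("%s contacted %s -> %s (shared by %s)" % hit)
```

In a real deployment the feed would be pulled from the shared service on a schedule and the hits fed to the firewall or IPS, which is the "update defences in minutes" step the article describes.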

This not only benefits individual companies, but also the wider business and internet community. By reducing the number of networks and machines infected by a given agent, the spread of that infection is slowed – which in turn reduces the chances of an outbreak achieving critical mass and becoming an epidemic. As Benjamin Franklin observed, an ounce of prevention is better than a pound of cure.

So to stay ahead of malware threats, businesses should start to collaborate in sharing threat data, to slow the spread of malware, reduce its impact, and improve security for all. When it comes to internet security, we are all in it together: so we should collaborate to get through it, together.

Terry Greer-King is UK managing director of Check Point
