(Written prior to the WannaCry '30-day' attack)
Recent headlines reported that 42 percent of large UK organisations have been hit by cyber-attacks, so it's only natural that the threat of zero-day attacks should be in every business's expectations. However, the apparent acceptance of current threats should be of great concern when coupled with the notion that businesses are unwilling to actually protect themselves against such attacks.
As the threats intensify and the dreaded Locky ransomware returns in a new form, businesses must shed this negligent, apathetic outlook and begin to take responsibility.
This year, FireEye, a leading cyber-security vendor, claimed to have discovered “29 of the last 53 zero-day attacks”, which seems a short-sighted form of self-satisfaction when one considers the victims of the 24 exploits that went undetected.
On a positive note, the penny seems to be dropping with businesses that familiar names in anti-virus technology are not going to protect us sufficiently, yet many organisations seem to regard extortion via cyber-attack as an inevitable cost of business. Given the level of protection now available from more innovative vendors using file-regeneration technology, there is no need for this defeatism.
Zero-day exploits, lest we forget, are unrecognised attacks that come in a form not previously detected, and more often than not are hidden in email attachments until some unfortunate member of staff unwittingly clicks one open, triggering the download of ransomware or a massive theft of data. It is a type of crime that brings criminals serious rewards. One version of the CryptoWall ransomware is reckoned to have generated US$ 325 million (£250 million) in 2015.
Unfortunately, evidence is growing that conventional anti-virus defences are simply redundant as hackers and cyber-criminals become more sophisticated. Analysis by threat intelligence experts Virus Bulletin, for instance, shows that between 2015 and 2016, detection of previously unknown threats by many of the big names in anti-virus technology decreased from a midpoint of around 80 percent to between 67 and 70 percent. Even detection of known threats fell from between 90 and 95 percent to about 90 percent.
But what really shoots the wheels off the anti-virus industry is the survey's revelation that some vendors achieved better test results with their free products than with their premium ones. What do these vendors imagine is the point of paying for a premium service that is less effective than the free one?
The analysis is no more reassuring about the security solutions specific to email offered by the likes of Kaspersky or Sophos. What appear to be high scores in eradicating spam still leave organisations wide open to zero-day threats, given the huge volumes of emails transmitted by every business on a daily basis. Hackers only need to get lucky once.
Despite this, remarkable claims are made by cyber-security companies. Trend Micro has certification for 99.48 percent protection against zero-days, “compared with a vendor average of 97.77 percent”. Mimecast and Symantec both lay claim to 100 percent effectiveness, while McAfee, asserting that most zero-day threats come from the web, says it can achieve 99.5 percent effectiveness by adding in-line file and code emulation technology to its web gateway solution.
Whatever the claims, it only takes one attack to devastate an organisation. All these technologies have, for instance, failed to prevent the recurrence of Locky, which is now in a “double-zip” form and often accompanied by the Kovter Trojan which is left behind to run click-fraud and malvertising even after organisations have paid up.
Surely everyone understands that statements about “100 percent” effectiveness cannot be substantiated and are not borne out by the analysis? Perhaps, but we don't have to lapse into fatalism about zero-day attacks.
Innovation and new approaches to security are available that will lock out all malware, whether zero-day or an adaptation of what has previously been detected. The fact is that email attachments are now the main vector for attacks on businesses, for the simple reason that there are billions in circulation every day and they are essential to everyday operations.
Research from respected cloud services and threat intelligence company Webroot has, for example, demonstrated that 97 percent of malware is now unique to a specific endpoint. This renders signature-based security virtually useless, because such heavily customised malware is extremely difficult to detect.
Instead, file regeneration technology keeps every form of malware at the door. It checks that the common file types used by criminals to hide their zero-day exploits conform to the manufacturer's standard, conducting deep inspection of every email attachment down to byte level. Within fractions of a second a clean, sanitised version of the file is rebuilt, which the organisation can use without any disruption to business operations.
Instead of throwing up their hands in the air or relying on claims of “100 percent effectiveness” that they know cannot be fulfilled, organisations can use this kind of technology to regain control, setting their own policies and levels of risk in relation to the requirements of departments or employees. It is a question of only allowing the known good to enter an organisation and being fully confident that the main source of zero-day threats has been completely blocked. This is far more effective than relying on old perimeter anti-virus security or sitting there waiting to pay up and then dealing with the appalling consequences after the attack has succeeded.
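To make the "check against the standard, then rebuild only the known good" model concrete, here is a miniature regeneration step for one file type, PNG. It is an added example written for this page, not Glasswall's product or any real regeneration engine: the parser enforces the structural rules of the PNG specification (signature, chunk layout, CRCs, the IHDR field ranges, nothing after IEND), then re-serialises the file from an allow-list of chunk types with freshly computed CRCs, so unknown or unwanted chunks never reach the output. The `DEFAULT_POLICY` allow-list and the sample file are assumptions constructed for the example; the `policy` argument stands in for the per-department risk settings the paragraph above describes.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types a rebuilt file may carry. This allow-list is an assumed policy for
# the example, not any vendor's default; a team that needs image metadata could
# pass its own set (e.g. DEFAULT_POLICY | {"tEXt"}) as the policy argument.
DEFAULT_POLICY = frozenset({"IHDR", "PLTE", "IDAT", "IEND"})

VALID_BIT_DEPTHS = {1, 2, 4, 8, 16}
VALID_COLOUR_TYPES = {0, 2, 3, 4, 6}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_png(blob: bytes) -> list:
    """Walk the chunk list, checking it against the structural rules of the PNG
    specification. Returns [(chunk_type, data), ...] or raises ValueError on the
    first deviation: anything that fails to parse is never passed through."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if length > 0x7FFFFFFF:
            raise ValueError("chunk length exceeds the spec maximum")
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            raise ValueError("chunk type is not four ASCII letters")
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError("truncated chunk data")
        data = blob[start:end]
        stored_crc = struct.unpack(">I", blob[end:end + 4])[0]
        if stored_crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        chunks.append((ctype.decode("ascii"), data))
        pos = end + 4
        if ctype == b"IEND":
            break
    if not chunks or chunks[0][0] != "IHDR" or chunks[-1][0] != "IEND":
        raise ValueError("IHDR must be first and IEND last")
    if pos != len(blob):
        raise ValueError("bytes after IEND are outside the format")
    ihdr = chunks[0][1]
    if len(ihdr) != 13:
        raise ValueError("IHDR must be exactly 13 bytes")
    width, height, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if (width == 0 or height == 0 or depth not in VALID_BIT_DEPTHS
            or colour not in VALID_COLOUR_TYPES or comp != 0 or filt != 0
            or interlace not in (0, 1)):
        raise ValueError("IHDR field outside the values the spec allows")
    return chunks


def is_conformant(blob: bytes) -> bool:
    """Policy-free check: does the file parse cleanly against the spec?"""
    try:
        parse_png(blob)
        return True
    except ValueError:
        return False


def regenerate_png(blob: bytes, policy=DEFAULT_POLICY):
    """Rebuild the file from parsed, validated chunks, keeping only those the
    policy allows. Returns (clean_bytes, dropped_chunk_types). Every chunk in
    the output is re-serialised with a recomputed CRC rather than copied."""
    kept, dropped = [], []
    for ctype, data in parse_png(blob):
        if ctype in policy:
            kept.append((ctype, data))
        else:
            dropped.append(ctype)
    clean = PNG_SIGNATURE + b"".join(_chunk(c.encode("ascii"), d) for c, d in kept)
    return clean, dropped


def build_sample() -> bytes:
    """Constructed 1x1 greyscale PNG carrying a text chunk and an unknown
    private chunk, standing in for an inbound email attachment."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00constructed sample")
            + _chunk(b"zzZz", bytes(16))
            + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    original = build_sample()
    clean, dropped = regenerate_png(original)
    print("dropped:", dropped, "| kept:", [c for c, _ in parse_png(clean)])
    print("file with bytes after IEND conformant?", is_conformant(original + b"extra"))
```

Two design points carry over to real regeneration engines regardless of file type: the output is never a copy of the input with bad parts cut out, it is a fresh serialisation of a validated in-memory structure, so nothing the parser did not understand can survive; and the conformance check and the policy are separate, so a department can widen its allow-list without loosening the check that the file actually obeys the standard.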
Contributed by Greg Sim, CEO, Glasswall Solutions
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.