Defending Against the Evolving Infostealer Malware Threat
Infostealer malware is becoming more sophisticated and complex, making it increasingly difficult for defenders to detect and prevent, and making robust employee training a necessity.
Enforced security policies can sharply reduce the effectiveness of infostealers, but putting them in place requires a shift in thinking that has to start in the C-suite.
Infostealer malware is a type of malicious software that is designed to steal sensitive information from a victim's computer system, which can include login credentials, financial information, and personal data that can be used for identity theft or sold on the dark web.
Smarter infostealing malware forces defenders to adopt a more comprehensive approach that includes endpoint security, network segmentation, and data encryption.
Adam Flatley, vice president of intelligence at Redacted, says C-level company officers need to recognize the level of threat infostealers pose. “They need to fund their security teams appropriately and give them the security-policy authority they need to mitigate the threat,” he explains.
Flatley says enforcing web browser updates and disallowing web browser-based credential storage (using password managers instead) are examples of actions that can prevent infostealers from executing in the first place or mitigate damage from a successful breach.
“Only allowing authorized browser plugins to be installed and enforcing multi-factor authentication are also steps organizations should consider taking,” he adds.
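The browser controls Flatley describes (no browser-stored credentials, only approved extensions) map directly onto managed browser policy. The script below is an added example, not code from the article or from any vendor quoted in it: it builds a hardened Chrome/Chromium managed-policy document using real Chrome enterprise policy names and audits any policy document against those controls. The extension ID in the allowlist is a constructed placeholder, and the sample weak policy is constructed for the example. Multi-factor authentication is enforced at the identity provider rather than in browser policy, so it is out of scope here.

```python
"""Audit a Chrome/Chromium managed-policy document against the browser hardening
controls from the article: no browser-stored credentials or payment data, and
extensions limited to an approved allowlist. Sample data is constructed inline."""
import json
from typing import List

# Placeholder extension ID for the example (real Chrome IDs are 32 letters a-p).
APPROVED_EXTENSION_ID = "a" * 32

# Hardened policy using real Chrome enterprise policy names.
HARDENED_POLICY = {
    "PasswordManagerEnabled": False,       # no browser credential store for a stealer to harvest
    "AutofillCreditCardEnabled": False,    # no stored payment card data
    "AutofillAddressEnabled": False,       # no stored personal address data
    "ExtensionInstallBlocklist": ["*"],    # block every extension by default...
    "ExtensionInstallAllowlist": [APPROVED_EXTENSION_ID],  # ...except approved IDs
}

# Constructed sample: a policy file that leaves Chrome at its permissive defaults.
WEAK_POLICY_JSON = json.dumps({"HomepageLocation": "https://intranet.example.invalid"})


def _valid_extension_id(ext_id: str) -> bool:
    """Chrome extension IDs are exactly 32 characters drawn from a-p."""
    return len(ext_id) == 32 and set(ext_id) <= set("abcdefghijklmnop")


def audit_policy(policy: dict) -> List[str]:
    """Return a list of findings; an empty list means the controls are met.
    Missing keys are treated as Chrome's defaults (features enabled)."""
    findings = []
    if policy.get("PasswordManagerEnabled", True):
        findings.append("PasswordManagerEnabled is not false: browser will store credentials")
    if policy.get("AutofillCreditCardEnabled", True):
        findings.append("AutofillCreditCardEnabled is not false: browser will store card data")
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("ExtensionInstallBlocklist lacks '*': any extension can be installed")
    bad_ids = [x for x in policy.get("ExtensionInstallAllowlist", []) if not _valid_extension_id(x)]
    if bad_ids:
        findings.append(f"ExtensionInstallAllowlist contains malformed IDs: {bad_ids}")
    return findings


def audit_policy_json(policy_json: str) -> List[str]:
    """Parse a managed-policy JSON document (as deployed on Linux) and audit it."""
    return audit_policy(json.loads(policy_json))


if __name__ == "__main__":
    print("weak policy findings:", audit_policy_json(WEAK_POLICY_JSON))
    print("hardened policy findings:", audit_policy(HARDENED_POLICY))
    print(json.dumps(HARDENED_POLICY, indent=2))
```

On Linux the hardened document is dropped into /etc/opt/chrome/policies/managed/ as a JSON file; on Windows the same keys are set under HKLM\Software\Policies\Google\Chrome. Because the audit treats absent keys as Chrome's permissive defaults, a policy file that simply omits these settings is reported as non-compliant rather than passing by silence.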
He points out infostealers evolve daily to integrate exploits for new vulnerabilities, which is why aggressive patch management is essential.
“The time between a new vulnerability being announced and the implementation into the infostealer exploit chain has dramatically decreased,” he says. “Often today, the time lag is less than 24 hours.”
Work From Home Era Complicates Security Stance
Gideon Hazam, co-founder and COO at Memcyco, says the work from home and distributed workforce era complicates how to combat infostealing malware because it increases the attack surface and weakens traditional perimeter-based defenses. “With employees working from remote locations and using personal devices, it is more difficult for organizations to enforce security policies and monitor user behavior,” he explains.
For example, employees may use unsecured Wi-Fi networks or download software from untrusted sources, which can increase the risk of infostealer attacks.
“Additionally, employees may not have the same level of security awareness as they do in the office, making them more susceptible to social engineering tactics such as phishing emails,” he says.
Randy Abrams, senior security analyst at SecureIQLab, says IT professionals have far more experience dealing with a traditional distributed workforce, and calls work from home a bit of a security red herring.
“What we’re really talking about is the bring-your-own-device [BYOD] model,” he says. “Primarily the security challenge is in securing a device that does not belong to the company.”
Enterprises can mandate what is and isn’t allowed to be on an asset, while a personal device not only receives work-related emails, but personal email as well.
“This more than doubles the phishing and social engineering attack surface,” Abrams notes. “The real question is how does the BYOD model complicate the issue.”
The answer to that, however, is complex. The maturity of the security team, budget for security technologies, and C-level support for processes are major factors in the efficacy of the defenders. Specific industries may have entirely different targets to protect. “Work from home is a distraction -- the history of BYOD contains the lessons that security professionals should be versed in, in order to enhance security,” Abrams says.
Employee Education Key
Flatley says employee education is very important in this space, as helping employees understand why following security policies is important will encourage compliance. “People are more apt to follow the rules if they understand the consequences. However, no amount of training will reduce this risk enough,” he says.
That means security policies need to be enforced by technical means that are designed to prevent accidental or intentional non-compliance. “Even more important, we must understand that no amount of training or technical defenses will entirely stop this threat,” he says.
Organizations must not only instrument a network to detect malicious activity and craft formal plans for remediating stolen identity information well in advance, but they must also practice them well so an attack can be acted upon quickly.
Hazam points to training tools such as simulated phishing attacks, which help employees recognize and respond to real phishing emails, and gamified training programs, which make the training more engaging and enjoyable for employees.
“Additionally, regular training refreshers can help reinforce the importance of cybersecurity and keep employees up to date on the latest threats and best practices,” he says. “We also need to extend awareness to our customers and partners who are now also targets of such attacks.”
Abrams agrees that while employee education is paramount, bad education is highly ineffective. “When you hear an IT professional claim that user security awareness education doesn’t work, they are generally making one or two mistakes,” he explains.
The first, and most common, mistake is defining “work” as perfection or near perfection.
“If that level of success is how ‘work’ is defined, then the best baseball players in the world are incompetent,” he says. If you define “work” from the point of view of an insurance actuary, then it works quite well: it manages risk, and managing risk is the definition of security.
Abrams says the second mistake is trying to create and present the education using people who have neither the training nor the aptitude to develop effective strategies. “Typically, companies that specialize in end-user education are the most appropriate tool,” he notes. “These companies are well aware of the advances in the science of learning.”