Describe leading threats (Virus, Worm, Trojan Horses, Rootkits, Social Engineering, and Botnet). Describe the malware detection symptoms. Describe defense in depth.
Viruses, worms, Trojans, and bots are all part of a class of software called "malware." Malware is short for "malicious software," also known as malicious code or "malcode." It is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other "bad" or illegitimate action on data, hosts, or networks.
There are many different classes of malware that have varying ways of infecting systems and propagating themselves. Malware can infect systems by being bundled with other programs or attached as macros to files. Others are installed by exploiting a known vulnerability in an operating system (OS), network device, or other software, such as a hole in a browser that only requires users to visit a website to infect their computers. The vast majority, however, are installed by some action from a user, such as clicking an email attachment or downloading a file from the Internet.
Some of the more commonly known types of malware are viruses, worms, Trojans, bots, ransomware, backdoors, spyware, and adware. Damage from malware varies from causing minor irritation (such as browser popup ads), to stealing confidential information or money, destroying data, and compromising and/or entirely disabling systems and networks.
In addition to damaging data and software residing on equipment, malware has evolved to target the physical hardware of those systems. Malware should also not be confused with defective software, which is intended for legitimate purposes but contains errors or "bugs."
Classes of Malicious Software
Two of the most common types of malware are viruses and worms. These types of programs are able to self-replicate and can spread copies of themselves, which might even be modified copies. To be classified as a virus or worm, malware must have the ability to propagate. The difference is that a worm operates more or less independently of other files, whereas a virus depends on a host program to spread itself. These and other classes of malicious software are described below.
Ransomware
Ransomware is a type of malicious software that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, which encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.
Viruses
A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments.
Worms
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided. More advanced worms leverage encryption, wipers, and ransomware technologies to harm their targets.
Trojans
A Trojan is another type of malware named after the wooden horse that the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create backdoors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an email attachment or downloading and running a file from the Internet.
Bots
"Bot" is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information, such as web crawlers, or interact automatically with Instant Messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites.
Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet." With a botnet, attackers can launch broad-based, "remote-control," flood-type attacks against their target(s).
In addition to the worm-like ability to self-propagate, bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch Denial of Service (DoS) attacks, relay spam, and open backdoors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector and are often modified within hours of publication of a new exploit. They have been known to exploit backdoors opened by worms and viruses, which allows them to access networks that have good perimeter control. Bots rarely announce their presence with high scan rates that damage network infrastructure; instead, they infect networks in a way that escapes immediate notice.
Advanced botnets may take advantage of common Internet of Things (IoT) devices such as home electronics or appliances to scale up automated attacks. Crypto mining is a common nefarious use of these bots.
Rootkit
Rootkits are programs that hide the existence of malware by intercepting (i.e., "hooking") and modifying the operating system API calls that supply system information. Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level of the operating system, or lower, in a hypervisor, the master boot record, or the system firmware. Adversaries use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems.
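Because a rootkit works by lying to the high-level API, the standard defensive check is a cross-view comparison: enumerate the same objects through two independent paths and look for disagreement. The script below is an added example (not from the page) that does this for process IDs on Linux. One view is the /proc directory listing, which is what `ps` reads; the other asks the kernel about every PID directly with signal 0, which a hook on the directory-listing path does not affect. Only the live collectors are Linux-specific; the comparison logic is plain Python.

```python
"""Cross-view PID enumeration, a classic user-mode rootkit check.

Added example, not from the page. A process that the kernel confirms exists
but that is missing from the /proc listing is the rootkit pattern; the
reverse (listed but gone) is almost always a process that exited between the
two snapshots, so it is reported separately.
"""
import os


def cross_view_diff(api_view, raw_view):
    """Compare two PID views.

    Returns (hidden, phantom): PIDs present in the low-level view but missing
    from the API view, and PIDs only the API view reports.
    """
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)


def pids_from_proc():
    """High-level view: the numeric entries of /proc (what `ps` uses)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_probe(max_pid=None):
    """Low-level view: probe every PID with signal 0 (no signal is delivered).

    ProcessLookupError (ESRCH) means the PID is free; PermissionError (EPERM)
    means it exists but belongs to another user, so it counts as alive.
    """
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            max_pid = 32768  # kernel default when pid_max cannot be read
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def stable_hidden(rounds=3):
    """Take both views several times and keep only PIDs hidden every time,
    filtering out short-lived processes that merely raced the snapshots."""
    hidden = None
    for _ in range(rounds):
        found, _phantom = cross_view_diff(pids_from_proc(), pids_by_probe())
        hidden = set(found) if hidden is None else hidden & set(found)
    return sorted(hidden)


if __name__ == "__main__":
    suspicious = stable_hidden()
    print("PIDs alive in the kernel but absent from /proc:", suspicious or "none")
```

A hidden PID is a symptom, not proof: the check only catches rootkits that hook the listing path and not the signal path, and a kernel-level rootkit can falsify both views. Probing the full pid_max range takes a few seconds per round in Python, so the live scan is kept behind the `__main__` guard.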
Social Engineering
Anytime perceived trust is used to elicit information from groups or individuals, it is referred to as "social engineering." Examples include individuals who call or email a company to gain unauthorized access to systems or information.
Symptoms of Malware: How do you know you are Infected?
Eerie pop-up messages, slow and clunky boot-up, and unusual warnings and errors: these are the kinds of symptoms that bring sweat to any security professional’s brow. If the following list sounds a little too familiar, then we have bad news: these are possible signs of a malware infection.
1. The Dreaded Slowdown
If you have not installed a RAM-hogging application, like Photoshop, but are experiencing a sluggish computer, this could be an indication that you are the victim of a strain of malware. Malware is known to significantly slow down applications and greatly impact general computer performance.
If your computer is lagging on start-up, slow to open applications, and generally unresponsive, this is a critical symptom that malware is on your device. If you feel these effects it’s probably time for a deep scan or a tune-up.
2. “Unusual” Browsing Experience
Did a new browser toolbar pop up out of nowhere? Did you try to find your favorite website, but were mysteriously redirected to an entirely different address? These are urgent red flags that you have malware on your computer. Generally, this variant of malware is used to generate advertising revenue for attackers and it will greatly hinder your browsing experience. At best, it’s annoying, at worst it is registering your credit card information or leaving back doors for ransomware to access your system.
3. Annoying Pop-ups
One of the most annoying symptoms of malware is unexpected, noisy, poorly designed pop-ups. This is a typical sign of malware: not only are the pop-ups annoying and a hindrance to navigation, the advertisements themselves can conceal more malware. Often these secondary strains can be far more destructive to your system than the initial variant.
4. New Desktop Icons
If you have noticed unusual new icons on your desktop, you may have contracted Potentially Unwanted Programs (PUPs). They are considered a variant of malware that can collect your private information, spy on your browsing experience and add pop-ups, and toolbars to your browser.
5. Hard Drive Issues
It is concerning if loud noises and excessive disk activity are occurring on your computer, particularly when you are not downloading or running a program; this can be a sign that you have contracted malware. Also, if you notice that your hard drive is running out of space quickly even though you have few applications installed, this is another key sign of infection. It is common for malware to target and use up all available free space on a hard drive.
6. Continuous Crashes
Constantly crashing systems or programs, or, even worse, repeatedly seeing the infamous Blue Screen of Death, is a clear and critical warning that you need to evaluate your system. If your programs are crashing regularly, things are not well, and you are experiencing a common effect of a malware infection.
7. Fake Security Programs
If you start seeing threatening warnings from a mystery anti-virus product you never installed, chances are this is malware. The creation and distribution of malware is a very lucrative business. Naturally, to use this software to “fix” your problems, you will need to pay. Be wary of unrecognized applications or software that you have not downloaded. If in doubt, Google is your friend; you won’t be the first to have been infected.
8. Your security is disabled
If your antivirus solution doesn’t seem to work, or the update module within the software appears broken this could be a self-defense mechanism of the malware that is infecting your system. If your troubleshooting efforts are unfruitful you should consider the possibility that you have a malware infection.
9. You can’t access critical applications
Restricted access to the Control Panel, Task Manager, Registry Editor or Command Prompt is another common self-defense tactic of malware and another common sign that your computer has been compromised by it. To keep your PC safe and protected, it’s recommended to run a full scan of your system regularly to help iron out any issues.
10. Everything seems okay….
Yes, probably the most worrying symptom is that malware can hide on your system without visibly affecting anything. Some of the worst damage can be done simply by keeping tabs on you while you browse and recording your private information. It is essential that you keep your computer and network security active.
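Symptoms 8 and 9 above (security software that has stopped working, and administrative tools that are suddenly locked) are the two that can be checked mechanically rather than by feel. The script below is an added example, not from the page: it reads the standard Windows user policy values that disable Task Manager, Registry Editor, Command Prompt and the Control Panel (DisableTaskMgr, DisableRegistryTools, DisableCMD, NoControlPanel) and the state of the built-in security services (WinDefend, wscsvc, MpsSvc). The page names the tools but not these identifiers; they are well-known Windows values, not something the page supplies. The evaluation functions are pure so they can be exercised with constructed input on any OS; only the collectors need Windows.

```python
"""Mechanical check for two malware self-defence symptoms: security services
stopped or missing (symptom 8) and administrative tools locked by policy
(symptom 9). Added example, not from the page."""
import sys
from typing import Dict, List, Optional, Tuple

POLICIES_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICIES_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# (key under HKCU, value name, what a non-zero DWORD means). Standard Windows values.
POLICY_CHECKS: List[Tuple[str, str, str]] = [
    (POLICIES_SYSTEM, "DisableTaskMgr", "Task Manager is disabled"),
    (POLICIES_SYSTEM, "DisableRegistryTools", "Registry Editor is disabled"),
    (POLICIES_SYSTEM, "DisableCMD", "Command Prompt is disabled"),
    (POLICIES_EXPLORER, "NoControlPanel", "Control Panel is hidden"),
]

# Built-in security services that malware commonly stops or deletes.
SECURITY_SERVICES = {
    "WinDefend": "Microsoft Defender Antivirus",
    "wscsvc": "Security Center",
    "MpsSvc": "Windows Defender Firewall",
}


def evaluate_policies(values: Dict[Tuple[str, str], Optional[int]]) -> List[str]:
    """values maps (key, name) -> DWORD read from HKCU, or None when absent.
    An absent or zero value is the normal, healthy state."""
    return [desc for key, name, desc in POLICY_CHECKS
            if values.get((key, name)) not in (None, 0)]


def evaluate_services(states: Dict[str, Optional[str]]) -> List[str]:
    """states maps service name -> 'running' / 'stopped' / ..., or None if not installed."""
    findings = []
    for svc, label in SECURITY_SERVICES.items():
        state = states.get(svc)
        if state is None:
            findings.append(f"{label} ({svc}) is not installed")
        elif state.lower() != "running":
            findings.append(f"{label} ({svc}) is {state}")
    return findings


def triage(values, states) -> Dict[int, List[str]]:
    """Group findings under the page's symptom numbers (8 and 9)."""
    report = {}
    security = evaluate_services(states)
    locked = evaluate_policies(values)
    if security:
        report[8] = security
    if locked:
        report[9] = locked
    return report


def collect_policies_windows():
    """Read the policy values from HKCU (Windows only; uses the winreg module)."""
    import winreg
    values = {}
    for key, name, _desc in POLICY_CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
                data, _type = winreg.QueryValueEx(handle, name)
                values[(key, name)] = int(data)
        except OSError:  # key or value absent: the healthy state
            values[(key, name)] = None
    return values


def collect_services_windows():
    """Query service state through `sc query` (Windows only)."""
    import subprocess
    states = {}
    for svc in SECURITY_SERVICES:
        out = subprocess.run(["sc", "query", svc], capture_output=True, text=True).stdout
        if "STATE" not in out:          # sc reports no STATE line for a missing service
            states[svc] = None
        else:
            states[svc] = "running" if "RUNNING" in out else "stopped"
    return states


if __name__ == "__main__":
    if sys.platform == "win32":
        values, states = collect_policies_windows(), collect_services_windows()
    else:  # constructed sample showing what an infected host would report
        values = {(POLICIES_SYSTEM, "DisableTaskMgr"): 1}
        states = {"WinDefend": "stopped", "wscsvc": "running", "MpsSvc": "running"}
    for symptom, findings in sorted(triage(values, states).items()):
        print(f"symptom {symptom}:", "; ".join(findings))
```

A hit here is a strong lead but not a verdict: group policy set by an administrator produces the same registry values, so the follow-up is to confirm whether the policy is sanctioned before treating the host as compromised.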
Where does defense in depth come from?
Defense in depth comes from the National Security Agency (NSA). It was conceived as a comprehensive approach to information security and cyber security. The term was inspired by a military strategy with the same name.
In practice, the military strategy and the information assurance strategy differ.
Defense in depth as a military strategy revolves around having a weaker perimeter defense and intentionally yielding space to buy time to build a counter-attack.
As a cyber security strategy, defense in depth involves parallel systems of physical, technical and administrative countermeasures that work together but do not intentionally cede control to an attacker. A honeypot is akin to the military version of defense in depth.
Many people refer to defense in depth as the castle approach as it mimics the layering of defenses used by medieval castles. Before attackers could get to the castle, they had to beat the moat, ramparts, drawbridge, towers and battlements.
How does defense in depth work?
The most important thing to understand about defense in depth is that a potential attack should be stopped by several independent methods. This means security solutions must address security vulnerabilities over the life cycle of the system, rather than at one point in time.
The increasing sophistication of cyber attacks means organizations can no longer rely on one security product to protect them.
Security professionals need to apply defense in depth across all IT systems, from protecting employee laptops against Wi-Fi based man-in-the-middle attacks to preventing domain hijacking with DNSSEC.
There is no one layer of security that protects against all cyber threats. Cybercriminals are becoming increasingly sophisticated in their attacks and organizations need to respond by improving their defense in depth.
Poor access control, phishing, email spoofing, ransomware, data breaches, data leaks, typosquatting and different types of malware can all be used in combination to attack your organization. The daily growth in published CVEs highlights how vulnerable every organization is.
A great example of the need for defense in depth was the spread of WannaCry. It highlighted how poor global cyber resilience is.
Organizations need multiple security layers including firewalls, antimalware and antivirus software, intrusion detection systems, data encryption, physical controls and security awareness training to reduce the range of possible attack vectors.
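The property the paragraphs above describe (an attack should be stopped by several independent methods, never by one product) can be made concrete by modelling each control as a function that judges an event on its own and then counting how many of them would have stopped it. The script below is an added example, not from the page: the layers, the attachment fields and the sample hash blocklist and publisher allowlist are constructed for illustration, standing in for a real mail gateway, endpoint anti-malware, application control and privilege policy.

```python
"""Layered controls evaluated independently. Added example, not from the page:
every layer is run on every event (no short-circuit), so the result shows how
many independent controls stop it and whether the defense rests on one layer.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Attachment:
    """An inbound email attachment as the layers see it (constructed fields)."""
    filename: str
    sha256: str
    dmarc_pass: bool                  # did the sender domain authenticate?
    signed_publisher: Optional[str]   # code-signing publisher, None if unsigned
    recipient_is_admin: bool          # does it land on a privileged account?


# Constructed reference data standing in for real threat-intel and policy feeds.
KNOWN_BAD_HASHES = {"deadbeef" * 8}
TRUSTED_PUBLISHERS = {"Example Corp Signing CA"}
DANGEROUS_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta")


# Each layer is one control and returns True when it alone would stop the attachment.
def mail_gateway(a: Attachment) -> bool:
    return a.filename.lower().endswith(DANGEROUS_EXTENSIONS) or not a.dmarc_pass


def endpoint_antimalware(a: Attachment) -> bool:
    return a.sha256 in KNOWN_BAD_HASHES


def application_allowlist(a: Attachment) -> bool:
    return a.signed_publisher not in TRUSTED_PUBLISHERS


def least_privilege(a: Attachment) -> bool:
    # a payload that needs administrative rights to persist fails on a standard account
    return not a.recipient_is_admin


LAYERS: List[Tuple[str, Callable[[Attachment], bool]]] = [
    ("mail gateway", mail_gateway),
    ("endpoint anti-malware", endpoint_antimalware),
    ("application allowlist", application_allowlist),
    ("least privilege", least_privilege),
]


def evaluate(a: Attachment, layers=LAYERS) -> Dict[str, bool]:
    """Run every layer; deliberately no short-circuit, each is judged on its own."""
    return {name: check(a) for name, check in layers}


def depth(results: Dict[str, bool]) -> int:
    """How many independent layers stop the attachment."""
    return sum(results.values())


def single_point_of_failure(results: Dict[str, bool]) -> Optional[str]:
    """The one layer everything depends on when only one layer blocks; None otherwise."""
    blockers = [name for name, blocked in results.items() if blocked]
    return blockers[0] if len(blockers) == 1 else None


if __name__ == "__main__":
    samples = {
        "worm dropper": Attachment("photo.jpg.exe", "00" * 32, False, None, False),
        "macro document": Attachment("invoice.docm", "11" * 32, True, None, True),
    }
    for label, attachment in samples.items():
        results = evaluate(attachment)
        print(f"{label}: stopped by {depth(results)} layer(s); "
              f"single point of failure: {single_point_of_failure(results)}")
```

In the constructed run, the unsigned executable is stopped three times over, but the macro document sent to an administrator passes the gateway and the anti-malware signature check and is stopped only by the application allowlist. That is the finding defense in depth is meant to surface: the fix is not a better allowlist but another independent layer, such as filtering macro-enabled attachments at the gateway or taking the recipient off an administrative account.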
What are the elements of defense in depth?
There are three core parts of any defense in depth strategy: physical, technical and administrative controls.
Together, these three kinds of controls make up a basic defense in depth strategy. Additionally, many security professionals use security tools that continuously monitor them and their vendors for potential holes in their security defenses.