Wednesday , 13 December 2017
Home » NEWS » THIS WEEK’S GURUS » Tackling the malware machines
Chau Mai, Skyhigh Networks

Tackling the malware machines

Take any movie where robots rise up against their human makers, and you’ll see fear and panic set in.


This happens in films such as The Terminator (1984), Screamers (1995), and I, Robot (2004). Why? Because robots operate on autopilot and are not constrained by human limitations: the need for food, water, or sleep. Similar can be said for certain types of malware.


Malware is neither exclusively driven by machines nor humans. From studying different types of malware we see both types are in action within the UK, penetrating networks and disrupting day-to-day business. Learning how malware operates is critical to deciding how best to combat.


Does malware sleep?

One of the most significant points to the rise of ‘malware machines’ is its activity at night. By looking at Skyhigh data, which is based on more than 13 million users, we discovered that malware activity occurred consistently regardless of time of day, and was actually 118 per cent more active at night when employees are sleeping.


The data, which was normalised across time zones, shows that 2,157 malware incidents occurred during non-working hours (8pm – 8am), as opposed to 987 malware incidents during working hours (8am – 8pm).


This underlines the need for security teams to be able to continuously monitor behaviour, regardless of when it happens. Just because we’re not at our desks doesn’t mean that the malware isn’t actively trying to penetrate the network. Failing to have continuous monitoring tools in place could leave malware undetected on the network for enough time to deepen its penetration into company systems. It’s critical that these sorts of attacks are identified and stopped early enough to protect corporate data as much as possible.


How can security teams combat tireless attackers? Activity monitoring pits machine against machine by relying on automated software to crunch big data. Effective monitoring analyses cloud traffic to identify abnormal behaviour.


Machine-learning algorithms establish a baseline for normal usage of each cloud service; factors for this benchmark include geographic location, number of uploads, size of uploads, and even the number of pages visited within a session on the cloud service.


These high-risk anomalies could be indicative of automated malware, as in the case of an infected Twitter account sending out 100,000 tweets in one day or a human attacker, such as an abnormally large download from an enterprise cloud service.


Hacking as a full-time job

Having continuous monitoring also allows security teams to better understand human-led malware activity. As FireEye’s recent findings confirmed, hackers in China had mobilised as part of the People’s Liberation Army Unit 61398 and were actively targeting US-based companies. The members of this highly-specialised operations unit stood out because, based on Dynamic DNS data captured by FireEye, they were highly consistent. They worked approximately from 8am to 5pm – highly typical of a person’s normal workday. Furthermore, 98 per cent of the connections occurred Monday through Friday. Even hackers get the weekend off!


Though they were not mindless drones working around th
e clock, these hackers acted as a highly organised force. According to FireEye, the team consisted of specialised workers who had assigned roles to play, from coders working on intrusion to sniffers collecting data once the target was breached.


These operations were more thought-out and tightly orchestrated than the activities of an amateur hacker poking around; they show an alarming amount of efficiency and focus. Monitoring allows an organisation to identify the characteristic of the threat – which, as in this case, may be far more persistent and adaptable than that from a malware machine – and build an effective response.


The importance of continuous monitoring

These observations – both of non-human and human hacking – show that malicious activity has become more sophisticated. The line between bot and human becomes blurred as both parties show a machine-like dedication to infiltrating their target companies.


Working to avoid detection while compromising as many systems as they can, these hackers literally treat intrusion as a full-time job. Except in this case, their salaries are made from the backs of the companies who are the unknowing victims. These findings illustrate the necessity of real-time alerts and close monitoring, because the frequency and timing of the attack may not be so intuitive.



Chau Mai, senior marketing manager at Skyhigh Networks

About Dan Raywood

Dan Raywood is the editor in chief of the IT Security Guru. A journalist with more than 13 years experience, Dan has been at the forefront of the information security industry.

As the news editor of SC Magazine he covered breaking stories such as Stuxnet, Flame and Conficker and the online hacktivist campaigns of Anonymous and LulzSec, and broke the news on the EU’s mandatory data breach disclosure law and a vulnerability which affected more than 200 sites.

Contact Dan on, by phone on 0207 1832 839