Bears Can Stop Malware Spread

The True Evil of Malware

There is a massive effort to prevent the intrusion of malware on devices and, while that may or may not pan out, at Bear, we wonder if that is the root issue.  It used to be the case that malware attacks would infect a network and rapidly expand to infect every computer.

That rarely happens these days but isn’t the spread of malware still the root problem?

Think about it a minute.  Hackers want to access sensitive data and they spend years hacking various data repositories to build profiles of people just to get one target person to click on a link that loads malware on their device.  Even if the hackers get the ideal person, what are the chances that person actually has the target data sitting on their device?  For ransomware, how likely is it that holding one user’s computer hostage will result in significant financial reward?

We feel instead that the hackers are looking for the users with the best access to their actual targets – most of which cannot be reached directly.  Rather than infecting every computer in the enterprise, malware is now quiet and only wakes up enough to check its local environment, look for a path to another device and then hop to that device.  From a processing perspective, it is a blip.  From an on-the-disk storage perspective, these malware files are spread out and, unless they have been seen before, completely invisible to anti-malware efforts.

Smart malware even cleans up after itself to scrub away the trail and this ability means that anti-malware has to find the exact device upon which the malware is resident before the malware reaches a high-value destination.  When the malware gets there, it either finds target data and blasts it out before anything can stop it or it locks down a system and turns into yet another zero-day ransomware attack.

At least this is our theory…

If this is indeed how malware operates today, then the chances of finding and stopping it are slim, given that most anti-malware efforts require a running program in order to have something to scan.  Sure, past breaches can be examined to look for on-the-disk storage patterns, but storing files in new places, under new names, is easy, and there is no end game that works in this scenario.

So what is left?

We think the way to stop malware is to prevent its proliferation through an enterprise.  To do that, we feel that devices need to be locked down at the level of communications – regardless of applications.  If an accountant should never access an IT project server, then why can those underlying devices still talk (and they do)?  If a CEO needs to pull reports from a BI server, then why can he send more information back to that server than he receives from it?  We feel that locking down communications effectively, and handing that control to experts and not users, is key to stopping malware proliferation.  If malware cannot spread, then its effectiveness is significantly diminished.
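The two checks described above (an accountant's device should have no path to an IT project server at all, and a CEO's pull-only path to a BI server should never carry more data out than in) can be expressed as a small allowlist policy and evaluated against flow records. The following is an added example written for this page; it is not Bear's product or code. The policy, the role labels, the host names and the flow-log format are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed allowlist: which (source role -> destination host) pairs may talk,
# and whether the source is permitted to push more bytes than it pulls.
# Anything not listed is denied, so an unexpected hop shows up as a violation.
POLICY: Dict[Tuple[str, str], Dict[str, bool]] = {
    ("accountant", "finance-db"):        {"upload_allowed": True},
    ("ceo", "bi-server"):                {"upload_allowed": False},  # pull-only
    ("it-admin", "it-project-server"):   {"upload_allowed": True},
}


@dataclass
class Flow:
    src_host: str
    src_role: str
    dst_host: str
    bytes_out: int   # bytes the source sent to the destination
    bytes_in: int    # bytes the source received from the destination


# Constructed flow records in a hypothetical key=value log format.
SAMPLE_LOG = """
src=acct-pc-07 role=accountant dst=finance-db out=2048 in=90000
src=acct-pc-07 role=accountant dst=it-project-server out=512 in=0
src=ceo-laptop role=ceo dst=bi-server out=4096 in=2000000
src=ceo-laptop role=ceo dst=bi-server out=50000000 in=1200
src=admin-ws-01 role=it-admin dst=it-project-server out=3000000 in=40000
"""


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value ...' record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        src_host=fields["src"],
        src_role=fields["role"],
        dst_host=fields["dst"],
        bytes_out=int(fields["out"]),
        bytes_in=int(fields["in"]),
    )


def parse_log(text: str) -> List[Flow]:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def evaluate_flow(flow: Flow, policy=POLICY) -> Optional[str]:
    """Return a reason string if the flow violates policy, else None."""
    rule = policy.get((flow.src_role, flow.dst_host))
    if rule is None:
        # Default deny: this role has no business talking to this host.
        return "no policy permits this role/destination pair"
    if not rule["upload_allowed"] and flow.bytes_out > flow.bytes_in:
        # A pull-only path is carrying more data out than in.
        return "source sent more data than it received on a pull-only path"
    return None


def find_violations(flows: List[Flow], policy=POLICY) -> List[Tuple[Flow, str]]:
    """Evaluate every flow and collect the ones that break policy."""
    return [(f, reason) for f in flows if (reason := evaluate_flow(f, policy))]


if __name__ == "__main__":
    for flow, reason in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{flow.src_host} ({flow.src_role}) -> {flow.dst_host}: {reason}")
```

Run as-is, the script flags the accountant device reaching the IT project server and the CEO laptop pushing far more to the BI server than it pulled; the three legitimate flows pass. In a real deployment the role-to-destination table would come from whoever owns the segmentation policy rather than from the users, which is the point of handing that control to experts.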

We might be wrong in our hypothesis and, if you disagree, please let us know what you think!