In the first article of this series -- Threats! What Threats? -- I mentioned that my colleague, Steve Patton, thought we at Stamus Networks weren’t doing enough to explain what we mean when we say “threats.” His reasoning was that we talk a lot about threats, but we never really explain what we mean.
In an effort to fix that, we will dig deeper into a threat that faces nearly every organization: malware. We'll look at what we mean by malware and how Stamus Security Platform (SSP) can help.
Malware, short for malicious software, is any program or code written to subvert a system's intended operation in order to harm the system, its owner, or its users, whether by stealing data, damaging or encrypting files, granting unauthorized access, or abusing the machine's resources. Not every program that damages a system is malware: ordinary software can have bugs or become corrupted and still cause harm. The difference is intent. Malware is deliberately built to harm the system and the organization or user it belongs to.
There are many types of malware, usually classified by how they infect a system and by what they do once installed. Some types are more dangerous than others, but without proper defenses all of them pose a serious threat to an organization's systems. Here are some of the more common types of malware and their basic functions:
Once malware has infected a system, it will not necessarily act immediately. More sophisticated malware, particularly the kind used in Advanced Persistent Threat (APT) campaigns, may spend long periods trying to remain undetected while it gathers information, reaches other parts of the environment, or waits for a specific trigger or user action before deploying its full payload.
It is vital to an organization's safety that malware is caught before extensive damage is done. By employing a network-based detection and response system like the Stamus Security Platform (SSP), analysts can see threats before they have the opportunity to turn into a full-blown data breach.
SSP uses thousands of different detection methods, each suited to different types of malware infection. These methods locate and identify malware and then provide context that not only helps security teams stop the threat but also lets them build automation that detects the same threats faster in the future.
Let’s take a look at one specific type of malware for an example:
Remote Access Trojans (RATs) give an attacker backdoor access to a target machine, often with administrative privilege. The trojan is typically installed silently after a user downloads and runs an infected program or file. From a command and control (C2) server, the adversary sends commands over the network and receives sensitive data back in response.
The Stamus Security Platform is highly effective at catching RATs before they can do too much damage. This is because a RAT must communicate over the network to be useful to its operator, and it typically does so by blending in with other seemingly innocuous traffic. SSP is a network-based detection and response platform that uses a number of different detection mechanisms to monitor exactly that traffic.
Traditional intrusion detection systems (IDS) and network security monitoring (NSM) tools are reasonably effective at catching malware like RATs; their biggest difference from SSP is in how they convey their results.
These traditional systems function like an "alert cannon", blasting out thousands of alerts and leaving the security team to sift through the data looking for meaningful signs of a breach. In contrast, SSP analyzes the alert traffic automatically with prioritization and detection algorithms, issues Declarations of Compromise™ to notify the analyst of only the most serious and imminent threats, and presents the information in an easy-to-understand incident timeline along with a substantial body of contextual evidence.
While RATs are only one example of how Stamus Security Platform leverages network data, numerous other types of malware threats can be detected anywhere along the kill chain. The threat research team at StamusLabs adds new threats and refines detection methods every day, and those updates are delivered to each SSP daily.
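To make the network-side view concrete, here is an added example, written for this article and not code from Stamus Networks or SSP, of one way to spot RAT command-and-control traffic in flow data. A RAT that polls its C2 server on a timer produces connections whose inter-arrival times are far more regular than human browsing, so grouping flows by (source, destination, port) and measuring the coefficient of variation of the gaps between them separates the beacon from normal traffic. The flow records, IP addresses, port numbers and thresholds below are all constructed assumptions. The summary step at the end shows the prioritization idea from the paragraph above in miniature: many individual connections collapse into one finding per internal host with its evidence attached, rather than one alert per event.

```python
import statistics
from collections import defaultdict

BASE_TS = 1_700_000_000  # constructed epoch start for the sample data


def build_sample_flows():
    """Return constructed flow records as (timestamp, src_ip, dst_ip, dst_port, bytes_out).

    These are not real captures. One host beacons to a C2 address on a fixed
    timer with a little jitter; another browses a site at irregular intervals.
    """
    flows = []

    # RAT beacon: 10.0.0.7 -> 203.0.113.10:443 about every 60 s, +/- a few seconds of jitter
    t = BASE_TS
    for jitter in (0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1, 0):
        t += 60 + jitter
        flows.append((t, "10.0.0.7", "203.0.113.10", 443, 512))

    # Ordinary browsing: 10.0.0.8 -> 198.51.100.5:443 with human-paced, irregular gaps
    t = BASE_TS
    for gap in (3, 40, 7, 300, 12, 90, 1, 250, 30, 8, 600, 15):
        t += gap
        flows.append((t, "10.0.0.8", "198.51.100.5", 443, 20_000))

    # A one-off connection that never reaches the minimum sample size
    flows.append((BASE_TS + 100, "10.0.0.9", "192.0.2.44", 80, 300))
    return sorted(flows)


def find_beacons(flows, min_connections=8, max_cv=0.15):
    """Flag (src, dst, port) tuples whose connection gaps are suspiciously regular.

    The coefficient of variation (stdev / mean) of the inter-arrival times is
    close to 0 for a timer-driven callback and well above 1 for human activity.
    Thresholds are assumptions chosen for the sample data, not product defaults.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about periodicity
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue  # burst of simultaneous connections, not a timer
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "port": port,
                "connections": len(times),
                "mean_interval": mean,
                "cv": cv,
                "first_seen": times[0],
                "last_seen": times[-1],
            })
    return findings


def summarize_by_host(findings):
    """Collapse per-connection evidence into one entry per internal host.

    This is the 'many alerts -> one finding with context' idea: the analyst
    sees the host, the suspected C2 endpoint(s) and the supporting numbers,
    not thousands of individual events.
    """
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["src"], {"c2_endpoints": [], "evidence": []})
        entry["c2_endpoints"].append(f"{f['dst']}:{f['port']}")
        entry["evidence"].append(
            f"{f['connections']} connections, mean gap {f['mean_interval']:.1f}s, cv {f['cv']:.3f}"
        )
    return summary


if __name__ == "__main__":
    for host, info in summarize_by_host(find_beacons(build_sample_flows())).items():
        print(host, "->", ", ".join(info["c2_endpoints"]))
        for line in info["evidence"]:
            print("   ", line)
```

On the constructed data only the 10.0.0.7 to 203.0.113.10:443 pair is flagged: twelve connections about 60 seconds apart with a coefficient of variation near 0.02, while the browsing host's gaps vary by an order of magnitude and the one-off connection never reaches the sample minimum. Real RATs add deliberate jitter or use long sleep intervals, so in practice this kind of statistic is one signal to weigh alongside others (destination reputation, TLS fingerprints, payload size patterns), not a verdict by itself.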
So, next time my colleague Steve asks “why don’t we ever mention the types of threats we’re talking about?” I can thank him and point him to this blog series.
If you’d like to get a live demonstration of Stamus Security Platform or discuss how it might help you detect and respond to threats in your network, please click on the button below to request a demo.