One of the most effective ways for threat actors to infiltrate a network’s defenses is through the use of malware. As I discussed in our Security Effectiveness Report: Malicious File Transfer video, there are a few main ways that malware enters a network: malicious websites, social engineering, insider threat, and phishing.
As shared in M-Trends 2020, 41% of the year’s malware families were never seen before, and many breach and attack cases studied in the report began with phishing, one of the most prevalent ways that malware gets into a network. Common tactics include widespread phishing, where emails are sent to hundreds or thousands of users, and spear phishing, which involves sending carefully crafted emails to specific users.
The biggest concern with malicious file transfers via phishing is what the research found about organizations' ability to detect and prevent the delivery of malware into their networks. The statistics show that 48% of the time, the security controls in place could neither prevent nor detect this type of activity. In fact, only 23% of malicious activity was alerted on, 29% was detected, and 37% was prevented.
Some of the reasons for this include misconfiguration of existing security controls and environmental drift. Environmental drift typically occurs when a configuration is incorrectly changed (human error), or when some other outside modification—such as an update—changes configurations and causes controls to no longer catch behaviors. Other reasons malware slips past controls include vendors removing malware signatures without informing their clients, and threat actors modifying malicious documents so that their hashes no longer match the hashes known to be malicious.
Improving Prevention and Detection
So, what can organizations do to improve prevention and detection? First and foremost, they can educate employees about the dangers of unknown emails—especially those that come with links and attachments. Next, have a plan in place, such as a reporting protocol for how employees should deal with suspicious emails. And last, but just as important, identify high-risk individuals such as your finance and HR staff. Train them extensively to recognize malicious emails and documents, and to know how to proceed if they receive a malicious email—or later realize they may have opened a suspicious attachment or clicked a potentially dangerous link.
In addition to training, organizations need to incorporate continuous security validation to test security controls and identify when a misconfiguration or environmental drift occurs. Security validation is a way to test security controls against existing threats, either to validate that the controls are working as they should or to help find gaps in the current security infrastructure. Continuous security validation is an ongoing and recurring strategy to catch any changes that might be made to the network. Whether a network is vulnerable to a particular threat today says nothing about whether it will be tomorrow.
Interested in learning how to expose and uncover malicious files by validating controls against current and actual attacks? Download a full copy of the Mandiant Security Effectiveness Report 2020, including a list of the fundamentals for successful cyber security effectiveness validation.