Eyes Wide Shut, or is This a Repeat of the Same Old Thing?

On July 31, US-CERT released a report on a Point of Sale (POS) targeting malware called BackOff. In the last week, we’ve seen news coverage of multiple highly recognizable corporations being compromised by this threat. Some of these new attacks are minor variants of the original threat, which is the standard procedure for successful malware attacks dating back to the earliest infectors of the ‘80s and ‘90s. When the bad guys find a model that works, they like to refine it or copy it.  There’s little difference in that the criminal organizations, like legitimate businesses, like to duplicate business models that work.

There’s little difference in that the criminal organizations, like legitimate businesses, like to duplicate business models that work.

Those who follow Tenable Network Security know that we released a technical notice about Backoff on August 1. We mentioned the indicators of compromise, and other security vendors updated their products to look for this threat. This included the anti-virus/anti-malware vendors who updated their signature bases. Some are asking why these corporations are being hit now. Without access to the full information we can only speculate, but common causes are that the updated security software has detected the threat that has been running for some length of time, or something triggered a security investigation, which uncovered the malware in action.

This is a very common scenario, and is one of the leading reasons that people continue to parrot the false claim that anti-virus is dead or useless. When properly deployed, monitored and maintained, traditional anti-virus does an outstanding job (better than any other tool) of keeping out the MILLIONS of known malware variants. That is both its strength and its weakness; the malware must be known, and the anti-virus application must be up-to-date. One minor change in the malware (and face it, the criminals are testing against the known anti-malware applications) and the product is unable to detect it until the industry obtains a sample. This is why anti-virus has to be used in a comprehensive defense, in-depth model, augmented by continuous network monitoring and other defenses.

Many companies overlook basic augmentations and practices that can greatly improve their security posture. While working in a corporate data security role, I often heard that things like file-level permissions were too difficult and time consuming to implement. Some low cost monitoring techniques such as honey pots, unprotected monitored systems, or network sniffers were too complex to deploy or monitor. My response was to ask, “What is more time consuming: detecting early or mass remediation?” Corporate security is performed by applying risk management: the cost of implementing a solution versus not having it implemented. Often, the negative cost is not calculable. What I mean by this is that when budget time comes, IT departments are asked, “it costs us this much to implement security practices, so justify it: how many events have you prevented?” This is the wrong question, but it’s often the only tangible one that some people have.

When properly deployed, monitored and maintained, traditional anti-virus does an outstanding job (better than any other tool) of keeping out the MILLIONS of known malware variants.

In our “Indicators of Compromise and Malware” discussion forum, we try hard to keep out FUD (fear, uncertainty, and doubt) and hype. We take high-profile or high-threat malware and discuss how to detect it using tools other than anti-malware. While we would love to have you using the Tenable Network Security line of products, the indicators are written in a way that you can leverage them with the tool of your choice.

Until corporations and users start looking at computer security in a holistic approach, we are doomed to repeat the past. In many ways, things have not changed for most companies between the Michelangelo warnings/hype of years ago to today’s BackOff situation. Yes, there is more complexity and a greater financial loss for not detecting the threat, but the reactions by the computer-using community is the same. The best protection is to leverage best practices, as well as specialization protections (like host-based anti-virus, anti-malware, intrusion detection, firewalls, etc.) and passive monitoring (like Tenable’s SecurityCenter CV with PVS, sniffers and honeypots) to form a holistic approach. When this happens, security staff and C-level executives can sleep easier. The answer becomes, “it’s another threat of the day; I’ve added some additional checks to verify we’re not affected, but we haven’t seen abnormal traffic that can be attributed to this threat.”