New Study Finds Significant Gaps in Security Analysts’ Knowledge of Malware

July 2017 by Lastline

Malware protection firm Lastline announced the results of a survey
conducted with 326 cyber security professionals that tested their
knowledge of malware and current cyber threats.

Respondents were asked to identify different malware behaviours. The
overwhelming majority were aware that malware can turn a webcam on to see
if anyone is sitting in front of the computer (98 percent) and can monitor
a keyboard to see if a user is typing (97 percent), both of which are
among the many techniques malware uses to evade detection. However, only
70 percent knew that malware is able to avoid being detected by a sandbox.

"Malware has been able to sniff out that it resides on a virtual machine
(used as a sandbox) for years now, so it is a little worrying that nearly
a third of cybersecurity professionals were unaware of this," explained
Brian Laing, VP at Lastline. "Malware often plays a game of deception,
pretending to be a perfectly benign program when analysed by a defensive
tool. Once it is past defences, it can then perform the malicious
activities it was programmed for when running on a user’s device."

Respondents were also asked to identify the behaviours of specific types
of malware. While 93 percent correctly identified a Trojan as malware
disguised as something that a user wants or something legitimate, over
three quarters (77 percent) agreed with the statement that a virus
actively seeks new computers to infect, which is actually the behaviour of
a worm. And half indicated that a rootkit creates a network of compromised
devices for use in a coordinated attack, which actually is what a botnet
does.

Laing argued that this level of knowledge can be crucial in incident
response strategies. "When deciding how to prioritize security strategies
and technology investments, it’s important to know what types of behaviors
a given piece of malware has and how they behave. For example, when
reading that WannaCry is a worm, it’s important to know what a worm is and
how it spreads so that you know, for example, that cleaning the initially
infected machine will not eradicate it from the network," he said.

Respondents were also given a list of names and asked to identify which
ones were strains of malware. On average they correctly identified the real
malware strains only 28 percent of the time; the best-recognised names were
the widely reported Slammer (40 percent) and SpyEye (37 percent).

"Given the level of media attention that some malware discoveries get, it
is interesting that the majority of respondents couldn’t identify them,
but not surprising. It just doesn’t matter when you’re fighting cybercrime
today," said Laing. "Given the volume of malware, the pace at which it
evolves, and how criminals borrow from each other and re-write the code,
there are not clear distinctions or naming connections between one attack
and a subsequent attack using what may largely be the same code. What’s
important is detecting it, by whatever name, and understanding its
behaviours so you can mitigate and remediate."
