How to keep on top of the malware threat 

Davey Winder

Last year (2015), Symantec discovered more than 400 million pieces of 'new and unique' malware. That's over a million new malware samples produced every single day, and a third more than the previous year. 

It's clear from this that malware isn't going away. Nor, however, is it going far in terms of evolutionary development: 90% of that new malware was simply variants of existing families. Coding 100% new malware from nothing is not easy, and the bad guys like the easy route to riches (just look at the rise and rise of ransomware for proof of that). 

Knowing that just 10% of the malware threat out there is an unknown quantity is your first step towards becoming Threat Intelligent. But what do we mean by that?

Threat Intelligence has become something of a buzzword, although more often than not one reserved for the larger enterprise with a fully dedicated IT security department.

However, becoming Threat Intelligent isn't just about scale. If you really want to keep on top of the malware threat then you need to embrace Threat Intelligence in the broadest sense. To do that, you need to start by understanding how intelligence differs from information. 

Information v Intelligence

Information is simply raw data (for example network activity logs). Intelligence, on the other hand, is information that has been analysed and refined (for example suspicious network activity that is put into context). 

From this simple definition, we can see how Threat Intelligence helps a business understand its risk by determining the likely actors and the threats they pose. Knowing which attacks you are actually likely to face also makes educating staff in how to avoid becoming the next victim a less onerous task.

Now consider how that threat intelligence is presented to the business. The most common form is tactical: Indicators of Compromise (IoCs). 

Sticking with our network log analysis example, the logs may contain IoCs, such as IP addresses, domains, sender email addresses or file hashes, that are associated with known malware families. Armed with these IoCs, spotting the threat and responding to it is made a lot easier. One caveat: IoCs are perishable. Attackers rotate IP addresses and domains, and every recompiled variant has a new hash, so a feed needs refreshing and a hit on an old indicator is a lead to investigate rather than proof of infection.
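To make the information-versus-intelligence distinction concrete, here is a small Python script that turns raw log lines into contextualised alerts by matching them against an IoC set. This is an added example, not code from the article or from any vendor: the log lines, the internal hosts, the IoC values, the malware family names ("ExampleLocker", "OldBanker") and the feed sources are all constructed for illustration. It also shows the freshness caveat in practice by flagging hits on indicators older than a configurable age.

```python
"""Match raw log lines (information) against a small Indicator of Compromise
set and emit alerts that carry the context (family, source, freshness) the
bare log line lacks.  Added example: every IoC, host and log line below is
constructed for illustration and describes no real campaign."""
import hashlib
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Ioc:
    kind: str        # "ip", "domain", "email" or "sha256"
    value: str
    family: str      # malware family the indicator is attributed to (hypothetical)
    source: str      # where the indicator came from (hypothetical feed names)
    last_seen: date  # when the source last observed it in use


# Hash of a constructed byte string, standing in for a real sample hash.
SAMPLE_SHA256 = hashlib.sha256(b"constructed-malware-sample").hexdigest()

IOCS = [
    Ioc("ip", "203.0.113.45", "ExampleLocker", "vendor write-up", date(2016, 3, 1)),
    Ioc("domain", "update-check.example", "ExampleLocker", "vendor write-up", date(2016, 3, 1)),
    Ioc("email", "invoice@mail.example", "ExampleLocker", "abuse report", date(2016, 2, 20)),
    Ioc("sha256", SAMPLE_SHA256, "ExampleLocker", "sandbox report", date(2016, 2, 28)),
    # An old indicator: the address may well have been reassigned since.
    Ioc("ip", "192.0.2.10", "OldBanker", "community feed", date(2015, 6, 1)),
]

# Extractors, applied in this order. Emails are pulled out before domains so
# the domain part of an address is not re-reported as a bare domain.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}

# Constructed log lines: firewall, DNS, mail gateway and AV events.
LOGS = [
    "2016-03-02T08:14:55 fw allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2016-03-02T08:15:02 dns query host=10.0.0.12 qname=update-check.example",
    "2016-03-02T08:20:11 mail from=invoice@mail.example to=bob@corp.example subject=Invoice",
    f"2016-03-02T08:21:40 av scan host=10.0.0.12 file=Invoice.pdf.exe sha256={SAMPLE_SHA256}",
    "2016-03-02T08:30:00 fw allow src=10.0.0.20 dst=198.51.100.7 dport=80",
    "2016-03-02T09:02:17 fw allow src=10.0.0.31 dst=192.0.2.10 dport=8080",
]


@dataclass(frozen=True)
class Alert:
    line: str
    kind: str
    value: str
    family: str
    source: str
    stale: bool  # True when the indicator is older than max_age_days


def extract(line):
    """Return (kind, value) pairs of candidate indicators found in one line."""
    found = []
    remaining = line
    for kind, pattern in PATTERNS.items():
        found.extend((kind, m) for m in pattern.findall(remaining))
        # Blank out matches so a later, looser pattern cannot re-match a
        # substring of them.
        remaining = pattern.sub(" ", remaining)
    return found


def match_line(line, iocs=IOCS, today=date(2016, 3, 2), max_age_days=90):
    """Raw line in, contextualised alerts out. 'today' is fixed so the
    staleness check is reproducible in this example."""
    index = {(i.kind, i.value.lower()): i for i in iocs}
    alerts = []
    for kind, value in extract(line):
        ioc = index.get((kind, value.lower()))
        if ioc is None:
            continue
        stale = (today - ioc.last_seen).days > max_age_days
        alerts.append(Alert(line, kind, ioc.value, ioc.family, ioc.source, stale))
    return alerts


def scan(lines, iocs=IOCS, **kwargs):
    return [a for line in lines for a in match_line(line, iocs, **kwargs)]


def summarize(alerts):
    """Count alerts per malware family: the 'intelligence' view of the logs."""
    counts = {}
    for a in alerts:
        counts[a.family] = counts.get(a.family, 0) + 1
    return counts


if __name__ == "__main__":
    for a in scan(LOGS):
        flag = " (STALE indicator, verify before acting)" if a.stale else ""
        print(f"{a.family:<14} {a.kind:<7} {a.value} via {a.source}{flag}")
    print(summarize(scan(LOGS)))
```

Run on the constructed logs, the four ExampleLocker hits on a single internal host tell a story the individual firewall, DNS, mail and AV lines do not: one machine received a malicious attachment, ran it, resolved its update domain and connected to its server. The OldBanker hit is reported but flagged stale, because the indicator is nine months old and the address may no longer be under attacker control.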

Any size of business can embrace and benefit from the threat intelligence ethic. Becoming Threat Intelligent is the goal, and that doesn't have to require any investment beyond a desire to be secure and the will to make it happen. 

Two steps to Threat Intelligence

Importantly, this means two things:

  1. You don't have to reinvent the wheel
    As with so much of the security debate, education and awareness are a great place to start. In terms of malware threat intelligence, that means keeping up to date with attack trends and methodologies. This doesn't have to mean taking an evening class in cyber security. 
  2. You don't have to start from scratch
    Start by picking a couple of respected research resources and read them regularly. Try We Live Security from ESET and the independent Security Bloggers Network for starters.

What you do have to do, though, is stay in the vulnerability alert loop. Security alerts provide ready-made 'intelligence' in its most basic but effective form, making knowledge a level playing field. 

Closing the window

Not every cybercriminal is a master computer coder or hacker, sitting in a basement and uncovering new ways to get around your defences and at your data. The majority, in fact, are chancers who look for known vulnerabilities to exploit, and even those exploits most often come packaged in ready-made, "point and shoot" exploit kits. What they rely upon is the window of opportunity, the gap between a vulnerability becoming public and your systems being patched, staying open long enough to exploit. 

Which means the quicker you close it, the more secure you are. So another vital part of your armoury is resources such as the US Computer Emergency Readiness Team (US-CERT) or SecurityFocus, which publish vulnerability data and software update announcements.

While the Internet is unquestionably a scary place, and the threat of malware is very real and ever present, developing a culture of Threat Intelligence is not as complex as you might think. However, it is a vital first step towards ensuring that your business or your customers make themselves hard to hack.