When we lived in caves, fire used to be magic. We couldn't control fire until we realized that fire requires heat, fuel, and oxygen. With more knowledge, fire wasn't magic anymore.
We may still be in caves with malware. That's because malware is treated as magic within some security programs. Even experienced security practitioners often treat malware like magic. We've been deceived. And that deception leads us to keep buying cyber security solutions as if we were regular customers at an alchemist's shop.

But, like fire, malware isn't magic.
While malware may captivate us much like fire, malware requires fewer elements than fire. Fire requires three elements; malware requires two. What are the two? A process to run in and sufficient privileges to do damage. Nothing else.
Without a process, malware is just an unwanted artifact on a hard drive. Without sufficient privileges to do damage, malware is simply an unwanted application.
What may surprise you are the things I left out: things like a remote connection, a file on the file system, or persistence. Malware will almost always have one or all of these, for very good reasons, but they certainly aren't required. There are examples of malware that have none of these. Yet we spend considerable amounts of time and resources hunting all sorts of artifacts, many of which malware doesn't need.
Don't confuse malware with vulnerabilities. Vulnerabilities are the door through which malware enters. You should be hunting every sort of vulnerability and closing them. But even if malware finds its way in through a vulnerability, you can control processes and privileges. That way, malware quickly loses its magic, your security team will stop flailing, and they'll be far more effective in prevention and response.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, if you have your own examples, use #crazygoodcyberteams on Twitter or LinkedIn and I'll read them.