Back in November 1988, the Morris worm started the first widely recognised and reported malware-based cyberattack, infecting around 5% of all the computers connected to the emerging Internet.
The malware, developed by graduate student Robert Morris as a benign program intended to estimate how big the Internet was, infected its target machines multiple times, causing them to slow down and crash.
The U.S. Government’s Accountability Office assessed the damage caused by the worm to be in the $100,000 to $10 million range, as disinfection required two days per computer, in addition to the downtime caused by the infection.
It led to the first US conviction under the 1986 Computer Fraud and Abuse Act, and to the creation of the first Cyber Emergency Response Team (CERT). So how far has the IT industry come since this first, large-scale cyberattack?
28 years later, malware has gone from being an isolated incident to an epidemic.
Check Point’s latest annual Security Report, which analyses security incidents from tens of thousands of organisations globally, found that 89% of organisations had downloaded a malicious file, up from 63% the previous year.
That’s a dramatic increase compared with the 5% global infection rate of the Morris worm.
What’s more, nearly 12 million new malware variants are being discovered every single month: this means that more new malware has been discovered in the past 2 years than in the previous 28 years combined.
Modern malware also takes many forms: from ransomware, which has grabbed headlines over the past three years, to advanced persistent threats targeting critical industrial systems, to stealthy bots which sit quietly on networks and are harnessed by criminals to send spam, participate in DDoS attacks, exfiltrate data or download additional malware into organisations.
What you don’t know can hurt you
However, the really insidious element of the evolving malware landscape is the rise of unknown variants.
These may be slightly amended or edited versions of existing malware, just different enough from their ‘parents’ to be able to bypass conventional signature-based antivirus.
They may also be brand new, never-before-seen variants, designed to target previously unidentified zero-day vulnerabilities in software or devices – although this is a costly, labor-intensive process, which is usually associated with state-sponsored hacking.
Unknown malware is a particularly attractive option for cybercriminals.
It enables them to infect many more PCs and networks with minimal extra effort.
>See also: How does advanced malware act like AI?
Put simply, it makes the criminals’ business more efficient.
What’s more, creating unknown malware is easier and more cost-effective than ever for the criminals.
Tweaking existing malicious code just enough to bypass conventional antivirus can be achieved using off-the-shelf toolkits in a matter of minutes – saving the effort of building a completely new infection from scratch.
It’s this ease of development which led to the explosion of unknown malware, causing security headaches for organisations.
On average, an unknown malware type is downloaded to enterprise networks every 4 seconds, compared with less than 2 per minute in the previous 12 months – a nine-times increase in frequency.
For comparison, known malware is downloaded to corporate networks every 81 seconds.
The fact that 20 unknown variants are being downloaded for every single known variant shows just how real the risk of contracting unknown malware infections is, for any organisation.
To defend against this persistent onslaught of unknown and known attacks, organisations need to move beyond the traditional single layer of protection offered by conventional anti-virus tools.
No individual technology or technique can hope to provide complete protection from all threats, but a layered approach combining multiple methods of protection and detection can minimise the chance of an attack being successful.
Combining and orchestrating protective technologies including antivirus, anti-bot systems, anti-spam and email security, application control, identity awareness and next-generation firewalling is the foundation of a strong defence.
>See also: Ransomware is spreading through cloud apps
These foundations should be extended with real-time threat prevention, which stops even unknown malware before it can touch the corporate network.
This includes aadvanced sandboxing, working together with threat extraction.
Advanced sandboxing is not signature-based: it inspects incoming files for suspicious elements using CPU-level detection, enabling it to see through any evasion techniques built into the malware by its authors, and block the potential infection.
Threat extraction works on a simple premise: the majority of malware is distributed via email, in attached Word documents, PDFs, Excel spreadsheets and so on.
So from a security standpoint, it’s best to assume that any email attachment is always infected – and to extract any potential threats from it before passing it to the user, giving them quick access to the content they need.
When combined, these techniques prevent infection by the overwhelming majority of unknown malware variants.
With additional protections at the post-infection stage, organisations can limit damage by malware even in the rare cases that it’s able to breach the layers of defence.
Forensic tools are able to identify a live infection in seconds, and take action to mitigate its impact – triaging the attack to help IT teams resolve it quickly, and even ‘rolling back’ to a backup of the machine created before the infection took hold, to nullify the malware’s effects.
In conclusion, 28 years after the Morris worm, the malware landscape is far beyond anything that could have been imagined at the time.
The big difference is, in 1988, organisations were defenceless. Now, they have multiple layers of protection to help them keep their networks secure.
Sourced by Aatish Pattni, head of threat prevention, northern Europe for Check Point