Cisco researchers found that the number of unique malware attacks that can lead to advanced persistent threats has quadrupled since the beginning of the year
Malware is increasingly being used to mount advanced persistent threats against enterprises, according to the latest quarterly report from Cisco.
There were 287,298 "unique malware encounters" in June 2011, double what was found in March, according to a Global Threat Report from Cisco Security Intelligence Operations released Aug. 1. Since the beginning of 2011, unique malware encounters have nearly quadrupled, Cisco said.
In the report, Cisco researchers did not restrict a malware encounter to malware infecting a single system. It can also include incidents in which a system was initially infected by a basic downloader that profiled the system and then fetched more sophisticated data-collecting malware.
"Malware has evolved along with the Internet and is now the tool of choice for would-be attackers," wrote Gavin Reid, manager of the Computer Security Incident Response Team at Cisco.
Cyber-attackers rely on malware to "remain surreptitious" so that they can continue to remotely manipulate a system while remaining virtually invisible, Reid said. Detecting APTs, like detecting unique malware, is not an easy task because there is no "silver bullet" such as a software signature that would identify them on a network, he said.
"If anyone attempts to sell your organization a hardware or software solution for APTs, they either don't understand APTs, don't really understand how computers work or are lying, or possibly all three," Reid said.
On average, enterprises had 335 malware encounters per month, Cisco researchers found. March had the highest malware activity during the second quarter, with enterprises seeing an average of 455 pieces of malware, followed by an average of 453 encounters in April.
The majority of the "malware encounters" occurred over the Web, the report said, as employees surf the Web and land on malicious sites. Despite the increase in encounters, the number of unique malware hosts and unique IP addresses remained relatively consistent between March 2011 and June 2011, according to the report.
Companies with between 5,000 and 10,000 employees and those with more than 25,000 employees "experienced significantly higher malware encounters" compared with smaller companies. Companies in the pharmaceutical, chemical, energy and oil sectors continued to be at highest risk of Web malware, according to Cisco, although transportation, agriculture, mining and education were also at high risk.
Organizations can improve their ability to detect and respond to APTs if they have some form of deep packet inspection technology covering every important point in the network where traffic enters or leaves the enterprise. The ability to quickly query network connections or flows through NetFlow or a similar service will also help security managers detect malicious activity.
The organization should also be able to produce, collect and query logs, including host logs, proxy logs, and authentication and attribution logs. "The more the better," Reid wrote.
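A concrete form of the flow-query capability the report recommends, as an added example that is not from the Cisco report or its authors: two checks run over constructed NetFlow-style records, one that surfaces internal hosts reaching Internet web ports directly instead of through the proxy, and one that surfaces outbound connections recurring on a near-fixed interval, a pattern worth a closer look in proxy and host logs. The internal address range, the proxy address and every record are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal range
PROXY_IP = "10.0.0.5"                         # assumed web proxy address
WEB_PORTS = {80, 443}

# Constructed NetFlow-style records: (epoch_seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    (1000, "10.0.1.7", "10.0.0.5", 3128),     # workstation -> proxy (expected)
    (1000, "10.0.0.5", "203.0.113.10", 443),  # proxy -> Internet (expected)
    (1010, "10.0.1.9", "198.51.100.4", 443),  # workstation -> Internet directly
    (1310, "10.0.1.9", "198.51.100.4", 443),  # ... and again every 300 s
    (1610, "10.0.1.9", "198.51.100.4", 443),
    (1910, "10.0.1.9", "198.51.100.4", 443),
    (1020, "10.0.1.7", "10.0.2.30", 445),     # internal file share (ignored)
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def proxy_bypass(flows):
    """Internal hosts other than the proxy that reach external web ports directly."""
    hits = set()
    for _, src, dst, port in flows:
        if (port in WEB_PORTS and src != PROXY_IP
                and is_internal(src) and not is_internal(dst)):
            hits.add((src, dst))
    return sorted(hits)

def beacon_candidates(flows, min_count=4, jitter=0.1):
    """(src, dst, interval) triples whose outbound flows recur on a near-fixed gap.

    jitter is the allowed deviation of each gap from the mean gap, as a fraction.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    out = []
    for (src, dst), ts in times.items():
        ts.sort()
        if len(ts) < min_count:
            continue   # too few observations to call the timing regular
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            out.append((src, dst, round(mean)))
    return out
```

On the constructed records both checks point at the same workstation, which is the kind of lead the proxy, host and authentication logs the report asks for would then be used to confirm or dismiss.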
Organizations that have not seen any APT attacks should be concerned, according to Reid, because the absence of detections does not mean that attackers have not targeted them or that the security defenses are working. What is more likely is that the defenses are not picking up on the attack itself. "If you have something of interest and you're not seeing APT attacks in your organization, you may need to rethink your detection capabilities," Reid said.