Enterprises Hit With More Advanced Malware-Based Attacks in 2011: Report

Cisco researchers found that the number of unique malware attacks that can lead to advanced persistent threats has quadrupled since the beginning of the year

Malware is increasingly being used as advanced persistent threats against enterprises, according to the latest quarterly report from Cisco.

There were 287,298 "unique malware encounters" in June 2011, double what was found in March, according to a Global Threat Report from Cisco Security Intelligence Operations released Aug. 1. Since the beginning of 2011, unique malware encounters have nearly quadrupled, Cisco said.

In the report, Cisco researchers did not restrict a malware encounter to just malware infecting a single system. It can also include incidents when a system was initially infected by a basic downloader, which analyzed the system and downloaded even more sophisticated data-collecting malware.

"Malware has evolved along with the Internet and is now the tool of choice for would-be attackers," wrote Gavin Reid, manager of the computer Security Incident Response Team at Cisco.

Cyber-attackers rely on malware to "remain surreptitious" so that they can continue to remotely manipulate a system while remaining virtually invisible, Reid said. Detecting APTs like unique malware is not an easy task because there is no "silver bullet" such as a software signature that would identify them on a network, he said.

"If anyone attempts to sell your organization a hardware or software solution for APTs, they either don't understand APTs, don't really understand how computers work or are lying, or possibly all three," Reid said.

On average, enterprises had 335 malware encounters per month, Cisco researchers found. March had the highest malware activity during the second quarter, with enterprises seeing an average 455 pieces of malware, followed by an average 453 encounters in April.

The majority of the "malware encounters" occured over the Web, the report said, as employees surf the Web and land on malicious sites. Despite the increase in encounters, the number of unique malware hosts and unique IP addresses remained relatively consistent between March 2011 and June 2011, according to the report.

Companies with between 5,000 and 10,000 employees and more than 25,000 employees "experienced significantly higher malware encounters" compared to other smaller companies. Companies in the pharmaceutical, chemical, energy and oil sectors continued to be at highest risk of Web malware, according to Cisco, although transportation, agriculture, mining and education were also at high risk.

Organizations can improve their abilities to detect and respond to APTs if they have some form of deep packet inspection technology that covers all the important points in the network where traffic is entering or leaving the enterprise. The ability to quickly query network connections or flows through NetFlow or a similar service will also help security managers detect malicious activity.

The organization should also be able to produce, collect and query logs such as host logs, proxies and authentication and attribution logs. "The more the better," Reid wrote.

Organizations that have not seen any APT attacks should be concerned, according to Reid, as it doesn't mean that attackers haven't targeted it or that the security defenses are working. What's more likely is that the defenses aren't picking up on the attack itself. "If you have something of interest and you're not seeing APT attacks in your organization, you may need to rethink your detection capabilities," Reid said.