FireEye Study: Evasive Malware Rises Nearly 400 Percent

A new survey released by FireEye, a Milpitas, Calif.-based company that specializes in defense against advanced targeted threats, indicates that malware that can slip through signature-based detection has nearly quadrupled in the past year. The report also names financial services, technology, healthcare and energy as the key verticals most likely to be targeted.

"The FireEye Advanced Threat Report focused on the analysis of traffic that comes in after it has been scanned by antivirus, IPS, firewall and similar security technologies," said Phil Lin, director of product marketing at FireEye. "And, when it comes to malware that can slip through the net of signature-based detection, we're looking at an increase of 392 percent in the past year alone."

Compared to the second half of 2011, the number of infections per company rose by 225 percent in the first half of 2012.



Meanwhile, the dangers posed by email-based attacks continue to escalate, with both link-based attacks and attachment-based attacks growing in number and severity. In addition, cyber criminals are more frequently leveraging customized domains that are only used for short periods of time in support of spear phishing emails.


"There's a greater focus on the Web, more money in it than ever before, and more people going into cyber crime than ever before," explained Ali Mesdaq, security researcher at FireEye. "There's government involvement and all types of participation by nation-states, and a lot of similar factors that would drive up the number of attacks."

According to the report, organizations are experiencing 643 weekly Web-based attacks in which their security infrastructure is penetrated to some extent. This statistic represents a wide variety of file-based threats, but it does not include callback activities, which largely happen over the Web.

"The problem with signature-based defenses is a scaling issue," added Mesdaq. "There are so many new exploits coming out every day that the signature databases can't scale to that level. Some sort of technology development will be needed before they will be able to handle the rapid increase in volume."

The report goes on to say that attack patterns vary widely by vertical market. Attacks on healthcare, for instance, have apparently doubled, whereas attacks against the energy industry are up 60 percent. The financial services industry is still near the top of the food chain, although the law of large numbers is keeping its percentage increase in check.

"In healthcare, a lot of it has to do with the digitization of patient records," explained Lin. "As the use of tablets and other devices in healthcare continues to become more pervasive, this industry becomes a much more viable target."


Financial services saw a spike in May of both 2011 and 2012, according to the report. FireEye speculates that this might have something to do with the income tax cycle or some other repeatable event within that industry.

Meanwhile, technology remains the number one targeted industry by volume. But, it also tends to be the vertical market most attuned to information security and thus in the best position to defend itself. Energy and utilities, on the other hand, are still playing catch-up.

"Energy is realizing that they are living on borrowed time, but now they're becoming increasingly aware of the risk around cyber terrorism and cyber war," said FireEye’s Mesdaq. "So they're looking for new ways to secure both their IT infrastructure and their more industrial-focused architecture."

The report also points out the degree to which email-based attacks have become more intense, leveraging both Web links and attachments. Between the first and second quarters of 2012, there was a 56 percent increase in the number of email-based attacks that successfully penetrated organizations' traditional security mechanisms, and recently the emphasis has shifted away from malicious attachments and towards malicious Web links.

"This is probably driven by effectiveness," speculated Mesdaq. "The attachments that were being used are probably a mix between PDF exploits and various other types that became less effective over time as the security products became more capable of identifying them. So, the cyber criminals suddenly began switching over to links because those were becoming more successful."

The cyber crime industry also appears to be trending towards limited-use Web domains deployed in support of spear phishing attacks. This strategy is designed to circumvent defenses that rely on backward-facing signatures, domain reputation analysis and URL blacklists: a domain that is retired after a few days has no history for those mechanisms to score. Hence the emerging tendency to use a malicious domain name for only a short period before moving on to others.
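The evasion described above, seen from the defender's side, as an added example that is not part of the article or the FireEye report: a URL blacklist is backward-facing, so a spear-phishing domain used for only a few days is typically retired before it is ever listed. One complementary signal an organisation controls itself is when a domain was first observed in its own mail stream. The link records, blacklist and first-seen table below are constructed for illustration; the `FIRST_SEEN` table is assumed to be maintained by the mail gateway, and the domain extraction is a deliberate simplification (a production deployment would use a public-suffix list).

```python
"""
Added example (not from the FireEye report or the article): flag links in
inbound mail whose domain has no history in the organisation's own mail
stream, as a complement to a backward-facing URL blacklist.
All data below is constructed for illustration.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed: links extracted from inbound mail as (timestamp, recipient, url).
SAMPLE_LINKS = [
    ("2012-06-01T09:12:00", "alice@example.org", "http://intranet.example.org/policy.pdf"),
    ("2012-06-01T09:40:00", "bob@example.org",   "https://payroll-update-secure.example/login"),
    ("2012-06-01T10:05:00", "carol@example.org", "http://known-bad.example/dl.php"),
    ("2012-06-01T11:30:00", "bob@example.org",   "https://news.example.net/story"),
]

# Constructed: a URL blacklist in the sense the article uses, i.e. backward-facing,
# containing only domains that have already been reported somewhere.
BLACKLIST = {"known-bad.example"}

# Constructed (assumed to be kept by the mail gateway): first time each domain
# was seen in this organisation's mail. Domains absent here have never been seen.
FIRST_SEEN = {
    "example.org": datetime(2010, 1, 15),
    "example.net": datetime(2011, 3, 2),
    "known-bad.example": datetime(2012, 5, 28),
}


def registrable_domain(url):
    """Return the last two labels of the URL's host.
    Simplification: real deployments need a public-suffix list (e.g. for .co.uk)."""
    host = urlparse(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url, observed_at, first_seen, blacklist, max_age_days=7):
    """Return (domain, signals) for one link.
    Signals: 'blacklist' if the domain is already listed, 'new-domain' if the
    organisation has never seen it, 'young-domain' if first seen within
    max_age_days of this observation."""
    domain = registrable_domain(url)
    signals = []
    if domain in blacklist:
        signals.append("blacklist")
    seen = first_seen.get(domain)
    if seen is None:
        signals.append("new-domain")
    elif observed_at - seen <= timedelta(days=max_age_days):
        signals.append("young-domain")
    return domain, signals


def review_links(links, first_seen, blacklist, max_age_days=7):
    """Classify a batch of links, recording each newly seen domain so that it is
    reported as 'new-domain' only once. Returns the flagged entries in order."""
    flagged = []
    for ts, recipient, url in links:
        observed_at = datetime.fromisoformat(ts)
        domain, signals = classify(url, observed_at, first_seen, blacklist, max_age_days)
        if domain not in first_seen:
            first_seen[domain] = observed_at
        if signals:
            flagged.append((recipient, domain, signals))
    return flagged


if __name__ == "__main__":
    # The fresh phishing domain is missed by the blacklist but caught by the
    # first-seen check; the already-reported domain trips both.
    for entry in review_links(SAMPLE_LINKS, dict(FIRST_SEEN), BLACKLIST):
        print(entry)
```

Run on the constructed input, the blacklist fires only for the domain that was reported days earlier, while the never-before-seen `payroll-update-secure.example` is surfaced solely by the first-seen check. The `max_age_days` window is a tuning knob: too short and a domain rotated every few days slips through, too long and legitimate new suppliers generate noise, so the signal is best used to route a message to sandboxing or closer inspection rather than to block outright.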

"Channel partners need to truly rethink their security practices," summarized FireEye’s Lin. "Traditional security needs to be augmented with new approaches to these new trends because the more typical strategies are not very effective anymore. Defense in depth is an architecture that has value, but if you're deploying the same sort of technology at each and every layer, you're not applying defense in depth; you're just repeating the same protection. Defense in depth, while valid, needs to add a variety of different components in order to work."

The analysis in the report is based on data collected by FireEye Web and email malware protection systems in the field. The sample size represents several million incident submissions drawn mainly from large and medium-sized enterprises in many different vertical segments.