Happy Independence Day, Now be Dependent

Intrusion Team
Jul 01, 2021

The young American colonists in the early 1770s needed help. They were on a journey and destined to become independent from tyranny, but it required help. It required relationships and partnerships with countries and people that were also competitors, consumers, and suppliers. At INTRUSION, we are grateful to be in a cyber space full of competitive, savvy, incredibly smart and talented cybersecurity experts on a mission to make the world independent from the tyranny of cybercrime, cyber criminals, and pure intellectual espionage.

Based on their vast fleets of deployed solutions, nothing highlights the gap our INTRUSION mission fills better than the outstanding vendors' quarterly threat reports. We are grateful for all they do for businesses and governments around the world in this global epidemic of cybercrime. As we head into the annual celebration of our nation’s independence this 4th of July, our friends at WatchGuard’s Q1 2021 report [1] could not have better timing.

We have been warning you that the red coats aren’t coming, they’re here. They are Russian Red, Chinese Red, all shades of red and various colors. As a matter of fact, they are everywhere and have been here awhile.

[1] Internet Security Report – Q1 2021 | WatchGuard Technologies

Your current approach to a comprehensive cybersecurity solution is leaving a hole. WatchGuard’s Q1 2020 Report Executive Highlights point out that Zero-Day malware reached an all-time high of 74% in Q1. As they say: “This means you will miss almost three quarters of malware if you rely only on signature-based protections. You need proactive malware detection to survive today’s threats. As a reminder, Zero-Day malware is our name for polymorphic, evasive malware that bypasses signature-based protections on day ‘Zero’ of its release.”

We understand how firms arrive at their Zero-Day malware percentages: they measure the share of malware that evades signature detection. At INTRUSION, it is our core belief that your network is already infected on the inside. So far, we have proved it with every customer.

Additionally, WatchGuard says just under 44% of malware enters your network through encrypted connections. Deloitte [1] says 91% of attacks start with an email phishing campaign, and Malwarebytes claims in bold type on its LinkedIn advertisement that 63% of ransomware invades through brute force attacks.

What do you do?

Note how they are all focused on outside-in detection and prevention. We are grateful for their service and encourage all businesses to continue to invest in these protections. As the colonists in the early 1770s needed an ally, you need one that can help detect and kill malicious cyber actions from the inside out. You need help identifying the intruder already in your network. How they snuck in is irrelevant, as every vendor will tell you there is only so much effectiveness they can achieve. But what if that effectiveness came with a 99.999% accuracy rate and caused zero latency on your network traffic flow?

At INTRUSION, we know the malicious code has already snuck past your cyber defense stack, whether through phishing email campaigns or supply chain attacks that occurred long before you purchased your IT, IoT and IIoT. We also know that code is useless unless it calls home (inside out): it beacons to its owner, to a command-and-control server, directly to a malicious actor on a keyboard, or to a shared drive on a lesser-known domain that serves up stage-two malware to enable a continued attack. We know this is happening and you, your AV and IDSP do not see it. We do.

The Colonial army had its own Nathan Hales, and you do too. We believe you should set aside the noise of hundreds of cyber news articles and endless statistics on outside-in attacks and start to focus on inside-out risks. Your approach should consider a behavioral analysis at the network level and ask questions like: “Why on earth would anyone in my organization be talking to a Russian gaming website on a company resource?” The answer is easy: they are not, and someone else is.

WatchGuard says they have found that only 20% of devices inspect encrypted HTTPS traffic, meaning their overall malware trends speak more to unencrypted malware. Meanwhile, we know more and more attackers use encrypted connections for their attacks. We’re not sure what devices they’re speaking of, but we are intimately familiar with a solution that inspects 100% of all packet headers, over all protocols and ports, and introduces zero latency into your network.

Our allies at WatchGuard also supplied a nicely done analysis of a piece of evasive Zero-Day malware known as XML.JSLoader that opens a shell to execute a PowerShell command. The crucial piece of the file is the final body of the command, which attempts to reach out to (‘http://safe[.]dashabi[.]nl/networks[.]ps1’) to download additional malware. We would like you to know that, according to VirusTotal.com, this should clearly be identified in anyone’s blacklist as a malicious URL on a malicious domain. It has been identified in our rule sets as a high-risk domain since we released our solution to the field, essentially protecting clients from that IP space and killing any attempted connections from it, or better, to it.

Your approach should consider relying on a solution whose artificial intelligence reputation logic is focused on calculating the risk of outbound connections from internal infrastructure to low reputation destinations, while allowing common connections to well-known, highly reputable destinations. You might consider a solution that leverages a vast threat reputation database to protect enterprise networks against inbound and outbound threats at an IP and DNS level. We recommend a solution that is optimized to protect end users and internal networks from outbound user-centric threats such as phishing attacks, drive by downloads, poor reputation websites and IoT devices, but we also think it should be used in datacenter environments to protect critical corporate servers against APTs, malware call-homes and attacks tunneled through high-risk infrastructure.
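To make the inside-out idea concrete, here is an added example (not INTRUSION's or WatchGuard's code) that scores outbound connections from internal hosts against a reputation table and also spots the regular call-home timing described above. The log lines, the reputation table and the thresholds are constructed for this illustration; the only real value is the defanged XML.JSLoader download domain quoted from the WatchGuard report.

```python
import ipaddress, re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reputation table (domain -> risk 0..100). The dashabi[.]nl host is the
# XML.JSLoader download domain quoted above; the other entries are placeholders.
REPUTATION = {"windowsupdate.com": 0, "safe.dashabi.nl": 100, "game-portal.example": 70}
UNKNOWN_RISK = 40     # assumption: unlisted domains are "unknown", below the alert line
ALERT_RISK = 50       # assumption: alert threshold
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: internal address space
# Constructed outbound-connection log: "<epoch> <src> -> <dst>:<port> host=<name>"
LOG = """\
1625130000 10.0.0.5 -> 13.107.4.50:443 host=download.windowsupdate.com
1625130000 10.0.0.7 -> 203.0.113.9:80 host=safe[.]dashabi[.]nl
1625130120 10.0.0.9 -> 198.51.100.4:443 host=cdn.game-portal.example
1625130300 10.0.0.7 -> 203.0.113.9:80 host=safe[.]dashabi[.]nl
1625130400 192.0.2.10 -> 198.51.100.4:443 host=cdn.game-portal.example
1625130600 10.0.0.7 -> 203.0.113.9:80 host=safe[.]dashabi[.]nl
1625130900 10.0.0.7 -> 203.0.113.9:80 host=safe[.]dashabi[.]nl
"""
LINE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) -> \S+:\d+ host=(?P<host>\S+)$")

def reputation(host):
    """Risk score for a host: the most specific listed parent domain wins."""
    labels = host.replace("[.]", ".").lower().split(".")
    for i in range(len(labels)):
        risk = REPUTATION.get(".".join(labels[i:]))
        if risk is not None:
            return risk
    return UNKNOWN_RISK

def analyze(log_text):
    """Return (alerts, beacons): risky inside-out connections, and regular call-home pairs."""
    alerts, timeline = [], defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or ipaddress.ip_address(m["src"]) not in INTERNAL:
            continue  # only traffic leaving the internal network is of interest
        risk = reputation(m["host"])
        if risk >= ALERT_RISK:
            alerts.append((m["src"], m["host"], risk))
        timeline[(m["src"], m["host"])].append(int(m["ts"]))
    beacons = []
    for (src, host), stamps in timeline.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # assumption: three or more gaps with under 10% jitter counts as beaconing
        if len(gaps) >= 3 and pstdev(gaps) < 0.1 * mean(gaps):
            beacons.append((src, host, mean(gaps)))
    return alerts, beacons
```

The trusted Windows Update connection passes, the external-source line is ignored, and the host polling dashabi[.]nl every 300 seconds is reported both as a high-risk destination and as a beacon.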

Enjoy your Independence Day this 4th of July. Consider how often George Washington wondered if he had all the resources necessary before getting in that boat and crossing the Delaware River with his rag-tag army, wishing his partners and allies could only show up sooner.

In today’s world of cyber defense, if you had your pick, wouldn’t you go with an ally that has a secret weapon?

[1] https://www2.deloitte.com/my/en/pages/risk/articles/91-percent-of-all-cyber-attacks-begin-with-a-phishing-email-to-an-unexpected-victim.html
