Indications of Compromise: A Guide to Spotting and Preventing Malware Infection

  • Security discussions with IT providers and MSPs inevitably turn to the effectiveness of anti-malware defenses.
  • Without some context to the threat intelligence, it may not be relevant to block an IP address that’s not in the midst of attacking you.
  • The success rate of phishing emails, with an astounding 30% open rate, makes malicious email attachments and links embedded in emails the epicenter of the fight against cyber criminal attacks.

Defending networks from attack is no easy task for IT professionals. Attacks range in capability and threat; and overreacting or implementing the wrong technology can be costly and make it easier for the bad guys.

Ultimately, treat this guide as a first step in designing your defense-in-depth strategy. IT professionals must truly understand the risk to the business and accept that IT security has no “magic” solutions. There isn’t a single technology that can prevent all the bad scenarios, despite what vendors say.

Cyber attacks, malware, and system vulnerabilities have been mystified and media-hyped beyond any sort of reasonable analysis. In fact, the most effective IT strategies against all unknown and known threats are generally the same. Patch and update the operating system, patch and update third party applications, restrict administrative access, and use malware defenses. These recommendations come from years of analysis by government and security organizations around the world.


Security discussions with IT providers and MSPs inevitably turn to the effectiveness of anti-malware defenses—to the question of antivirus software’s effectiveness against ransomware in particular. To answer that question, it helps to understand the relationship between exploit, Trojan, and payload.

Part 1 — Understanding Cyber Attack Delivery

“Most MSPs and IT service providers fall into the category of threat intelligence services”

Figure: The Lockheed Martin Cyber Kill Chain

The diagram above shows the complete Cyber Kill Chain with two gray arrows under reconnaissance and weaponization. These two areas are generally out of scope for all but the largest organizations; most MSPs and IT service providers fall into the categories of threat intelligence services.

Over time, as the industry learns more about the complete life cycle of a malware attack, machine learning and artificial intelligence may help provide warning of an imminent attack in the first two stages of the Kill Chain. But as of now, little can be done to degrade the capabilities of cybercriminals in the first two stages.

In fact, criminal psychology/sociology, geopolitics, economics, and regional disparity will motivate individuals and groups to troll social networks and build exploit kits, sophisticated Trojan programs, and malware/ransomware payloads.

Understanding Cyber Attack Delivery

Across the top of our adapted “Kill Chain” diagram is a non-exclusive list of mitigation solutions (including user awareness training and a range of technology solutions) mapped to the various stages of infection. The middle section displays the various Lockheed Martin Cyber Kill Chain phases. The bottom section displays the stages of the infection and where the opportunity is to detect, prevent, and recover from the cybercriminal attack.

Understanding Threat Intelligence

Threat intelligence services should be approached with a note of caution. Simply receiving a list of IP addresses and updating firewall solutions is not a practical approach. Many countries use dynamically allocated IPs, so an IP address designated hostile today may change tomorrow; also, administrators occasionally clean malware off machines. Without some context to the threat intelligence, it may not be relevant to block an IP address that’s not in the midst of attacking you.

Organizations seeking to extend their defenses into the first two phases of the Cyber Kill Chain are advised to create and maintain a “Honeypot” environment, which is a trap set up to detect or deflect cybercriminal activity from a network. Current threat intelligence service offerings present a plethora of data without context. Knowing that a South Korean IP address is attacking a Russian IP address may be interesting, but if your business is not located in either country, it’s not helpful information. Setting up your own “Honeypot” to collect intelligence from actual attacks on your infrastructure helps mitigate these challenges.

“Simply knowing that a South Korean IP address is attacking a Russian IP address may be interesting, but if your business is not located in either country, it’s not helpful information.”

Unless MSPs, IT providers, and organizations are prepared to invest technological effort and implement specific hardware, their limited budgets and IT resources will force them to focus endpoint defenses on the last five opportunities of the Cyber Kill Chain to prevent, detect, and react to a cybercriminal attack.

The first practical step where technology can help prevent the full Cyber Kill Chain from occurring comes in the delivery stage of a cyber attack. In the vast majority of cases, the threat vector is very obvious. The graphic on page 13 is taken from the 2016 Verizon Data Breach Investigations Report, and shows the most frequent methods of malware delivery.

The success rate of phishing emails, with an astounding 30% open rate, makes malicious email attachments and links embedded in emails the epicenter of the fight against cyber criminal attacks.

The data also shows we should not neglect the dangers of unprotected web surfing. It’s hard to argue against the fact that email filtering, web filtering, and user security awareness training are the keys to successfully interrupting cyber attacks at the delivery stage of the Cyber Kill Chain.

The Role Of Cloud-Based Services

With a plethora of cloud-based services, including Gmail and Office 365, the delivery stage is perhaps the most inexpensive phase for businesses to implement malware interception today. It is also relatively easy to implement, with little if any impact on business operations. Email scanning and web surfing proxy services located on-premises or in the cloud provide the majority of cyber attack defenses at this stage.

Cloud-based services push defenses outside the organizational perimeter and provide cyber defense value by preventing the attack from even arriving at the endpoint. Even though many of these services have multiple virus definition engines and heuristic analysis capabilities, cybercriminals do occasionally sneak malware past these defenses using old-fashioned cunning and guile, enticing an employee to click on a link and/or execute a payload.

“Cloud-based services push defenses outside the organizational perimeter and provide cyber defense value by not even allowing the attack to arrive at the endpoint.”

Part 2 — The Role Of Antivirus And Patch Management

“The Windows Authentication mode is less vulnerable to brute force attacks, as the attacker is likely to run into a login lockout after a finite number of attack attempts.”

State 1: Machine Is Fully Patched, Antivirus Is Installed And Up To Date

The only vulnerabilities that exist here are either “human” (end users tricked into installing malware) or zero-day attacks/exploits that would go undetected by the antivirus.

Clearly, user awareness training is the only effective defense against “trickery” or social engineering-based attacks. Only if warnings are dismissed can the exploit successfully deliver its payload. This is the case with Visual Basic macro exploits found in phishing emails. Robust antivirus featuring definitions of malware signatures, heuristic detection of exploit activity, and behavior-based analysis of exploit activity may protect the endpoint, but this is frequently not the case.

State 2: Machine Is Not Patched, Antivirus Is Installed And Up To Date

The vulnerabilities here are related to exploits that have been developed for the lack of a specific patch. Although antivirus may be up to date, it’s questionable whether the exploit will actually be detected.

In this scenario, the machine could be easily infected by an exploit designed to bypass antivirus. Research from Recorded Future indicates that Adobe Flash, Java, and Internet Explorer are the most frequent targets of exploit kits [5]. Not having the exploitable software installed in the first place is the only effective defense.

State 3: Machine Is Not Patched, Antivirus Is Installed, But Not Up To Date

The vulnerabilities here are greatly increased over the first two states, as the machine is open to a wide range of exploits, not just the latest versions of exploit kits. Similar to State 2, a machine in this state can be easily infected; however, it is also likely to be infected over and over again. IT providers and MSPs find themselves in this scenario all too frequently.

The emphasis has to be placed on patching due to the exploit package’s ability to execute and deliver a Trojan, which in turn delivers a payload against an unpatched machine. Antivirus definitions do include the actual malware signatures, but more sophisticated behavioral and heuristic engine updates provide antivirus software with “indications to look for” (such as network traffic to a certain set of IPs) or “suspicious events” such as invoking JavaScript from a document in email. These are all telltale signs of an endpoint about to receive a Trojan.

State 4: Machine Is Patched, Antivirus Is Installed, But Not Up To Date

This state is similar to State 1, but cybercriminals have better success because the majority of the cyber defense is provided by patch installations. The attack surface is the same as State 1; however, the machine is more susceptible to a “human” vulnerability, as an entire range of Trojans (installed via phishing email) can infect the machine.

This is probably the second most common scenario, occurring shortly after patches have been delivered to endpoints. With the patches in place, the IT provider or MSP has reduced the likelihood of exploitation considerably; however, the danger remains from Trojans delivered in the form of email. The combination of phishing emails and social engineering attacks can be conducted using families of older Trojans if the target’s antivirus is not up to date.

In states 3 and 4 where the antivirus is out of date, the best course of action is to update to the latest definitions and run a complete scan on the endpoints. There is a good chance malware may have been installed while the machine’s antivirus defenses were “down.” Many users will not admit they may have accidentally clicked on something they shouldn’t have, so a Trojan may be lurking on the endpoint waiting to download a payload, held at bay by your other network defenses.

For special purpose systems, such as payroll, accounting, and point of sale, removal of the frequently exploited software, weekly patching, and updating of exploit-friendly software like the aforementioned Adobe Flash is essential. If the software cannot be removed, then robust antivirus with frequent malware signature updates, behavioral, and heuristic-based analysis offers the best route to protecting these systems.

Part 3 — Attack Surface Reduction And Behavior-Based Antivirus

According to the table in the lower right, if you can’t commit to a rapid patching of endpoints, then you can often improve security by simply removing the most targeted software. There are a number of reasons businesses may not feel able to commit to a quick-fire patching program, including the lack of an automated process or tool, institutional anxiety over self-inflicted downtime, or the lack of IT attention or cycles to this task.

A business workstation without Flash, Java, IE, Firefox, Adobe Reader, or Silverlight that encounters a modern exploit may emerge completely unscathed, as the exploit kit would be unable to find an avenue of attack. This is a very significant finding for regulated industries or organizations concerned about the confidentiality and integrity of their data systems. In Part 1 we discussed how definition-based anti-malware technologies, such as endpoint antivirus, web filtering/ protection, and mail scanning—combined with user awareness training—can be helpful for stopping the delivery of Trojans and payloads. There is a significant role for endpoint antivirus with behavior-based capabilities and user awareness training at the point of exploitation as well.

Definition-Based Antivirus

Definition-based (or signature-based) antivirus compares the signatures (MD5 or SHA-1 hashes) of the files encountered to see if they match a list of known malware. Depending on the capabilities of the software, it may look inside the file for telltale signs of malware. Typically, when signature-based technologies encounter a signature match the file is quarantined.

Cybercriminals writing exploits and Trojans know their malware may encounter endpoint antivirus, so they frequently include malicious code that disables antivirus and prevents updates or network communication. In highly specialized attacks, the presence of the antivirus software can itself be used to install malicious code. In May 2016, security researcher Tavis Ormandy identified an exploitable overflow in “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products.”

“Typically when signature based technologies encounter a signature match the file is quarantined.”

Behavior-Based Antivirus

Behavior-based antivirus watches processes for characteristic signs of malware, then compares these signs against a list of known malicious behaviors. For example, given the list of vulnerable software packages above, a document being opened in an email that invokes JavaScript or Adobe Flash could be viewed as “highly suspicious or malware-like behavior.”

Behavior-based detection is required because many malware creators have started using obfuscation techniques such as polymorphic or encrypted code segments, for which it is very difficult to create a hashed signature: changing a single byte of the file produces an entirely different hash. So, an easier way to detect these is to watch for a particular pattern of behavior.
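To make the contrast between the definition-based check described under “Definition-Based Antivirus” and the behavior-based check described here concrete, the following added example (not code from the whitepaper or from any antivirus vendor) hashes constructed sample files against a constructed known-bad list, shows that a one-byte variant escapes the hash match, and then flags the same variant from its process trace using illustrative behavior rules drawn from the text. The sample bytes, hashes, event traces and rule patterns are all constructed for the demonstration.

```python
import hashlib
import re

# Constructed stand-ins for two known-bad files (placeholder bytes, not real malware).
SAMPLE_A = b"MZ\x90\x00constructed-sample-A: opens document, spawns script host\n"
SAMPLE_B = b"MZ\x90\x00constructed-sample-B: writes to startup folder\n"


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# A definition list holds hashes (MD5 or SHA-1) of files already known to be malware.
KNOWN_BAD_SHA1 = {sha1_hex(SAMPLE_A), sha1_hex(SAMPLE_B)}


def definition_scan(data):
    """Definition-based check: only an exact hash match leads to quarantine."""
    return sha1_hex(data) in KNOWN_BAD_SHA1


# Behavior rules as (name, regex over a process/event trace). The patterns follow
# the examples in the text (a document invoking a script engine or Flash, malware
# blocking antivirus updates); they are illustrative, not a vendor's rule set.
BEHAVIOR_RULES = [
    ("document-spawns-script", re.compile(r"winword\.exe.*(wscript|cscript)\.exe")),
    ("document-invokes-flash", re.compile(r"(outlook|acrord32)\.exe.*(flash|shockwave)")),
    ("av-update-blocked", re.compile(r"firewall_rule_add.*block.*av_update")),
]


def behavior_scan(event_trace):
    """Behavior-based check: return the names of all rules the trace matches."""
    joined = " -> ".join(event_trace)
    return [name for name, rx in BEHAVIOR_RULES if rx.search(joined)]


# A "polymorphic" variant: identical behavior, one byte of the file changed.
VARIANT_A = SAMPLE_A.replace(b"-A:", b"-A;")

# Constructed trace of the variant running: mail client -> Word -> script host.
VARIANT_TRACE = ["outlook.exe open invoice.doc", "winword.exe", "wscript.exe stage.js"]


def demo():
    """Compare both engines on the original sample and on its one-byte variant."""
    return {
        "original_hash_match": definition_scan(SAMPLE_A),   # True
        "variant_hash_match": definition_scan(VARIANT_A),   # False: hash no longer matches
        "variant_behavior_hits": behavior_scan(VARIANT_TRACE),  # still caught by behavior
    }


if __name__ == "__main__":
    print(demo())
```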

Of course, it’s highly desirable to have layers of defense in place to intercept the delivery of exploits, Trojans, and payloads before they arrive at the endpoint. But, if those defenses are breached, the combination of removing the targeted software (attack surface reduction), antivirus with a behavior-based engine, aggressive patch management, and end user awareness training can help ward off the most persistent attacks (as well as those accidental visits to dangerous websites).

Part 4 — Securing The LAN To WAN Communications

Once malware has landed, or more specifically once a Trojan has been installed on an endpoint, it must reach out to a command-and-control (C2) bot network to receive instructions. This is perhaps one of the easiest areas in which to implement firewall architecture, logging, and network controls to detect or prevent endpoint compromise.

C2 infrastructure is provided by previously infected or compromised servers and workstations. These networks can either be rented from Crime as a Service (CaaS) sources or purposely built by cyber-criminals to support a Trojan attack. Virtually all modern malware has to “reach” back to a C2 source to download a payload attack. In some cases, detailed metrics on infection success, geographic distribution, and detailed system information are captured for CaaS marketing purposes. Yes, cyber-criminals attempt to collect as much success data about infection as modern companies collect about website visits and customer interactions.

Take, for instance, the “typical” network communication example of a Trojan that has a hard-coded C2 domain of (see below). The Trojan reaches back out to this domain, using a standard DNS query and then attempts to “GET” the ransomware payload GORsjo.exe from the C2 server. In this case, the communication was not conducted stealthily; nor was it encrypted (https).

Most web filtering products would quickly identify the IP address ( or domain as being a dangerous place for an endpoint to visit. Keep in mind that DNS protection such as OpenDNS and other products provides a valuable layer that can work even against malware using HTTPS for communication. Furthermore, downloading an executable (.exe) onto an endpoint is something that either the firewall or the web protection product should block.
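The payload fetch described above (a cleartext HTTP GET of an .exe from a hard-coded C2 domain) leaves a clear trace in proxy logs. The following added example, which is not part of the whitepaper, runs that detection logic over constructed proxy log lines: it flags executable downloads made over cleartext HTTP and executables fetched from any host outside a download allowlist. The log format, the allowlist, the client IPs and the `.example` hostnames are all constructed for the demonstration; only the payload name GORsjo.exe comes from the text.

```python
import re
from collections import namedtuple

ProxyEvent = namedtuple("ProxyEvent", "ts src method url status ctype")

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status> <content-type>".
# Hostnames use the reserved .example TLD; nothing here is a real indicator.
SAMPLE_LOG = """\
2016-05-03T09:12:01Z 10.0.0.15 GET http://updates.vendor.example/patch/kb123.msu 200 application/octet-stream
2016-05-03T09:12:44Z 10.0.0.15 GET http://c2-host.example/GORsjo.exe 200 application/x-msdownload
2016-05-03T09:13:02Z 10.0.0.22 GET https://intranet.corp.example/home 200 text/html
2016-05-03T09:13:30Z 10.0.0.15 GET http://cdn.c2-host.example/img/logo.png 200 image/png
"""

LINE_RX = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Hosts from which this (constructed) organization expects to pull executables.
ALLOWED_DOWNLOAD_HOSTS = {"updates.vendor.example", "intranet.corp.example"}
# MIME types a proxy commonly reports for Windows executables.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def parse_log(text):
    """Parse well-formed lines into ProxyEvent tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if m:
            events.append(ProxyEvent(*m.groups()))
    return events


def host_of(url):
    return re.match(r"^[a-z]+://([^/:]+)", url).group(1).lower()


def looks_executable(ev):
    path = ev.url.split("?", 1)[0].lower()
    return path.endswith(".exe") or ev.ctype in EXECUTABLE_TYPES


def detect(events):
    """Return (event, reasons) pairs for requests that look like a payload fetch."""
    findings = []
    for ev in events:
        reasons = []
        if looks_executable(ev):
            if ev.url.lower().startswith("http://"):
                reasons.append("executable fetched over cleartext HTTP")
            if host_of(ev.url) not in ALLOWED_DOWNLOAD_HOSTS:
                reasons.append("executable from host outside download allowlist")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in detect(parse_log(SAMPLE_LOG)):
        print(ev.ts, ev.src, ev.url, "; ".join(reasons))
```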
