Symantec’s discovery of state-backed malware should serve as warning to firms.
Symantec’s uncovering of the Regin virus has generated plenty of publicity for the malware, which is thought to have state backing and to have taken years to create.
It is thought to have operated in the wild since at least 2008, and has been used to spy on governments and businesses alike. But what lessons should corporations and states draw from the attack, and what can be done to mitigate similar threats in the future?
1) Greater focus should be placed on detection
Aviv Raff, CTO of Seculert, argues that the lifespan of the malware shows that "traditional security solutions" are falling short of their intended goal. He blames this on an emphasis on preventing attacks rather than detecting them.
"Fortunately, we now see more and more enterprises moving budget away from prevention focused solutions and investing more in detection and response. As long as this budgetary trend continues, so will the presence of wide-scale undetected attacks. Something needs to change, and quickly."
2) Software is now more valuable than hardware
The need to protect and control software is taking precedence over the need to do the same to hardware, according to Jamie Longmuir, software monetisation expert at security firm SafeNet. Often this means protecting programs across devices, which can also be challenging.
"Various attacks show that the perceived secure environments are vulnerable, often because of the complexity of the system," he said. "So even the crucial application code of the system itself needs to get protected to limit the attack surface and therefore allow protecting the core in the most efficient way."
3) Malware is evasive, which perhaps explains its lifespan
We are now used to seeing long-term malware threats in the wild, particularly given some of the zero-day bugs found this year that have lurked unseen on systems for years. Pedro Bustamante, director of special projects at the security firm Malwarebytes, told us why the virus could escape detection for so long.
"The analysis shows it to be highly adaptable, changing its method of attack depending on the target," he said. "It also has some very advanced evasion techniques that make it suitable for spending long periods carrying out undercover surveillance. This is all complemented by the fact that it appears to be dropped via exploit, taking advantage of vulnerabilities in everyday applications."
4) It is also a platform with modular capabilities
A report from Kaspersky Lab, a security company, found that the virus was not merely a single tool but a platform with an array of capabilities. The modular nature of the malware means it can infect entire networks and "seize full remote control at all levels".
"The ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations," said Costin Raiu, director of global research and analysis at Kaspersky. "In today’s world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user."