Veiled Threats: The Growing Cyberattack Vectors Few People Talk About

Forbes Technology Council
Post written by Bill Conner

Malware is a ubiquitous term that’s infiltrated mainstream nomenclature.

Unfortunately, just because there’s awareness of malware doesn’t mean there’s a proper understanding of how malware is propagated to exploit businesses, organizations, governments, schools and people.

Just like a burglar robbing a house, malware needs a way onto a network or device before it can do its bidding. Cybercriminals have engineered a wide range of attack vectors to accomplish that objective via different file types, communications standards, social-engineering exploits and network traffic egresses.

But there are two attack vectors that are alarmingly disregarded: encrypted malware and attacks over nonstandard ports.

Now, before you dismiss this commentary as technical nonsense that doesn’t relate to you, I want to double down on the key takeaway: Cybercriminals and malware authors are focusing on exploits where you aren’t looking. They’re evolving away from guarded attack vectors in favor of easier targets. And they’re counting on you not paying attention.

Encrypted attacks still largely go unchecked

No matter how many times I warn organizations about encrypted threats, businesses are still victimized by malware deployed over transport layer security (TLS) and secure sockets layer (SSL) encryption standards.

According to research my company conducted, through the third quarter of 2019, encrypted threats were up 58% over 2018. Gartner predicted that this number could top 70% by 2020. As more and more web traffic becomes encrypted, the issue will only escalate.

This isn’t some impossible-to-defend attack method, either. There are many commercially available TLS/SSL inspection solutions that can responsibly mitigate encrypted attacks without affecting performance. In some cases, this is offered as an option on next-generation firewalls. Other vendors sell dedicated appliances.

Another problem? Too many organizations wrongly believe that you must take a performance or economic hit to properly inspect encrypted web traffic. For some vendors or cases, this may be true.

But if encrypted threats are something you want to stop — and I’m suggesting you absolutely do — then shop around for a security vendor that can deliver both high-performance and cost-effective TLS/SSL inspection capabilities. Never compromise on either.

Malware using nonstandard ports is on the rise

Encryption isn’t the only tactic cybercriminals are employing to circumvent security controls. More and more cyberattackers are leveraging nonstandard ports to hide their exploits.

According to another report from our company, an average of 14% of malware came across nonstandard ports through the first three quarters of 2019. To put that into perspective, if that percentage were applied to a more complete dataset for malware volume, more than 1 billion malware attacks have come across nonstandard ports so far in 2019.

Without getting too technical, a port number identifies which service or application a message is addressed to (or sent from) on a host. Together with the host IP address and the transport protocol (TCP or UDP), it completes the destination or origination address of a message.

In many environments, ports 80 and 443 are the standard ports for web traffic (HTTP and HTTPS), and that is where most firewalls focus their inspection. In some cases, however, organizations channel a service or its traffic through a port other than its default assignment in the IANA port numbers registry; that is what is meant by a nonstandard port.

But organizations also aren’t securing nonstandard ports the way they secure standard ports. For many, this is a technology problem (i.e., the firewall can’t or doesn’t inspect traffic on those ports), but there’s a lack of awareness, too (i.e., admins don’t know they need to guard nonstandard ports).

Cybercriminals are fully aware of this breakdown, so they send malware through nonstandard ports to help deploy their payloads undetected in target environments — like your network.
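The port-versus-protocol gap described above is something a defender can check for directly: if the first bytes of a flow fingerprint as HTTP, TLS or SSH but the destination port is not that protocol's IANA default, the flow deserves a look. The script below is an added example written for this article (it is not SonicWall's, Forbes' or the author's code); it assumes a log or capture source that exposes each flow's destination port together with the first client payload bytes, and it uses constructed flow records over documentation IP ranges. It also covers the encrypted-threat section, since a TLS ClientHello headed for a port other than 443 is exactly the combination of both evasion tactics.

```python
"""Flag flows whose application protocol is not on its IANA default port.

Added example, not part of the original article. Assumes the flow source
provides (src_ip, dst_ip, dst_port, first_payload_bytes) per connection.
"""
from typing import List, Optional, Tuple

# Constructed subset of IANA default port assignments for the protocols
# fingerprinted below (HTTP/80, HTTPS-TLS/443, SSH/22).
IANA_DEFAULT_PORTS = {
    "http": {80},
    "tls": {443},
    "ssh": {22},
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_payload(payload: bytes) -> Optional[str]:
    """Fingerprint the application protocol from the first client bytes.

    Returns "http", "tls", "ssh", or None when the bytes match none of them.
    """
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    # a 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    return None


Flow = Tuple[str, str, int, bytes]  # (src_ip, dst_ip, dst_port, first_payload_bytes)


def find_port_mismatches(flows: List[Flow]) -> List[dict]:
    """Return flows whose fingerprinted protocol is not on its IANA default port."""
    findings = []
    for src, dst, port, payload in flows:
        proto = classify_payload(payload)
        if proto is None:
            continue  # unknown protocol: out of scope for this particular rule
        if port not in IANA_DEFAULT_PORTS[proto]:
            findings.append({
                "src": src, "dst": dst, "port": port, "protocol": proto,
                "expected_ports": sorted(IANA_DEFAULT_PORTS[proto]),
            })
    return findings


# Constructed sample data: a hand-built TLS ClientHello prefix and flows that
# use the RFC 5737 documentation address ranges.
TLS_CLIENT_HELLO = bytes.fromhex("160301002a010000260303")

SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.10", 443, TLS_CLIENT_HELLO),      # TLS on 443: expected
    ("10.0.0.7", "198.51.100.20", 8443, TLS_CLIENT_HELLO),    # TLS on a nonstandard port
    ("10.0.0.9", "192.0.2.33", 53,
     b"GET /update.bin HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),  # HTTP on the DNS port
    ("10.0.0.11", "192.0.2.40", 80,
     b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),           # HTTP on 80: expected
    ("10.0.0.12", "192.0.2.50", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH tunnelled over 443
    ("10.0.0.13", "192.0.2.60", 4444, b"\x00\x01\x02\x03\x04\x05\x06"),  # unknown payload
]

if __name__ == "__main__":
    for hit in find_port_mismatches(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} carries {hit['protocol']} "
              f"(expected on {hit['expected_ports']})")
```

On the sample data this reports three flows: TLS to 8443, HTTP to port 53, and an SSH banner on 443. Treat the output as leads rather than verdicts: many environments legitimately run TLS on 8443 or SSH on a custom port, so the expected-port table should be extended with the alternate ports your own services are known to use, and whatever remains is the traffic the firewall focus on 80 and 443 would otherwise never examine.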

Similar to encrypted threats, stopping malware attacks across nonstandard ports is possible with the right technology. But you have to be aware. You have to pair the right technology with the right expertise. And you have to make it a priority.

Making this a best practice — likely as a component of an un-siloed, unified and layered cybersecurity strategy — is the smart approach to keeping pace in the cyber arms race.
