What malware means and how to identify an attack

With more than one billion known malware programmes in circulation and over half-a-million new ones detected daily, organisations are only ever a click away from an attack. Creative CTO, Rob Smith, discusses current trends and effective risk mitigation strategies.

What is malware?

Malware is harmful software deployed by a threat actor to wreak havoc on an organisation or, even, an individual.

Common forms include adware that can hamper hardware performance and/or lead users to inadvertently download harmful code, along with replicating viruses that corrupt, delete, or relocate data. Increasingly, both businesses and individuals are falling victim to ransomware, which threatens to publish personal information or permanently block system access unless a payment is made.

Malware infections extend to trojan software that delivers ransomware and steals users’ data. In addition, worms can attack computer memory and hard drives or SSD arrays, often relying on security failures to spread from network to network. Cybercriminals also employ malware to cause a device to become locked, unusable or primed to attack other organisations. Similarly, the motive could be to obtain credentials to access internal systems or data, and install services that rack up charges, such as premium-rate phone calls.

Detection is becoming harder with the rise of fileless malware that hides within Microsoft Office macros, PowerShell, WMI, and such objects. Other types include bots, spyware, keyloggers and rootkits.

Where malware is located or stored

Malware can usually be attached to emails, embedded in fraudulent links, or lying in wait on websites for unsuspecting employees to click on. Once activated, it can infect computer hard drives (often hidden out of sight in temp folders), mobile phones, tablets, and even critical IT infrastructure like routers. Basically, any computing or networking device.

How to find malware

The first vital step is to aggregate log data from all network devices, security solutions and SaaS applications for deep analysis. Second, security teams must be able to spot suspicious command and control traffic, including well-masked threats that bypass initial defences. That demands 24x7x365 monitoring using machine learning-based threat hunting techniques employed by human security analysts.

How to prevent a malware attack

The difference between a malware attack failing or succeeding largely depends on speed of action. Traditional defences include:

  • Employing monitoring and detection tools to alert security teams to unusual behaviour.
  • Regular scanning to highlight patching vulnerabilities.
  • Zero trust frameworks that enforce user authentication before access is granted.
  • Security awareness training helping users understand how they are both the first line of defence – and the prime target – for hackers.

Today, as malware sophistication has increased, the most diligent organisations using next-generation firewalls and application whitelists can miss zero-day and zero-footprint attacks like fileless ransomware. Even when they invest in the latest technologies to boost threat detection and response, breaches still occur.

Often the problem is not because a tool failed to raise an alert, but because it was simply missed or ignored. Known as ‘alert fatigue’ this can be compounded by floods of false positives triggered by existing security tools.

SOCaaS model

With two in five UK IT teams overwhelmed by security alerts and over a quarter not feeling equipped to spot a cyberthreat, organisations are adopting a new security model. Security Operations Centre as a Service (SOCaaS) solutions combine the latest cloud services technologies with human expertise, making it quick to deploy world-class security to continuously guard against attacks – efficiently and sustainably. Ensuring rapid, real-time threat responses, SOCaaS applies that learning to strengthen cyber postures and resilience.

SOCaaS with Creative ITC

Delivered 24x7x365, Creative SOCaaS comprehensively adheres to the five NIST Cybersecurity Framework principles (identify, protect, detect, respond and recover). Working alongside internal IT teams, Creative security experts limit the attack surface and guard against threats before they occur.

Powered by the Arctic Wolf cloud-native platform, which processes over 200 billion events daily, they focus on: tactical response to incidents as soon as they arise; collaborating with the customer until they are resolved; and assessing strategic attack implications and identifying areas for long-term improvement.

Creative clients no longer incur the cost of highly skilled cybersecurity staff or the headache of arranging sickness and holiday cover. Instead, they benefit from:

  • Cost-effectively acquiring cybersecurity expertise with predictable pricing.
  • Around-the-clock monitoring and proactive threat hunting.
  • Faster detection, response, and recovery from attacks.
  • Fresh actionable insights to strengthen security policies and harden defences.

Combining the Creative SOCaaS solution with complementary capabilities like Backup as a Service, Disaster Recovery as a Service and Office365 as a Service means Creative clients stay ahead of an ever-evolving threat landscape.