The latest edition of Microsoft’s Security Intelligence Report provides some interesting analysis as to how computers get infected with malware. Microsoft’s dataset is pretty large, comprising some 600 million computers equipped with Microsoft’s Malicious Software Removal Tool (MSRT) which reports details of malware infections back to the mother ship in Redmond. The numbers hold some important lessons for security professionals.
Don’t get your knickers in a twist about zero day exploits. While the press loves a good zero day story, only 0.12% of the infections seen by Microsoft used unpatched vulnerabilities. Zero day vulnerabilities are valuable commodities which attackers will not waste on run of the mill cyberattacks. Don’t center your anti malware program on the latest zero day vulnerability of the week.
Vulnerabilities are sooo last year – your users are the weakest link. Only about 6% of malware infections seen by Microsoft were the result of vulnerability exploitation. In contrast, almost half of all malware infections in the study required the user to take an action (clicking a link, running a program, opening an attachment, etc.) in order for the infection to be successful. In most cases, no vulnerability was used – the user simply gave the malware permission to run. Spending some time and effort edumacating your users to be skeptical and think before they click that link or open that attachment has the potential to significantly reduce your malware attack surface.
You still need to keep software up to date. Testing and installing patches from Microsoft and other vendors will protect your systems from the 7% of attacks which use exploits to worm their way in (get it?) to your systems. This is a small portion of the malware threat, but once you get patching and updating to be part of your normal automated business processes, it is a low touch, low cost addition to your malware defenses.
Filtering and monitoring your outbound web traffic is a must – if malware is unable to download code, connect to command and control servers or exfiltrate data, the threat it poses is greatly reduced. Keep your filter lists up to date with the latest known malware URLs – the subscription fees are a small price to pay for preventing access to the malweb in the first place.
Monitoring your network traffic, proxy logs, and changes to the services running on your hosts for strange patterns can pay off big time. Since we can’t count on signatures to find every type of malware you may encounter, look for strange behavior for the early warning signs.
I found Microsoft’s analysis of the malware problem to be pretty interesting and I am looking forward to reviewing the rest of the Security Intelligence Report for nuggets of wisdom – I’ll post more soon!