Kobi Eisenkraft – Malware Research & Protection Team Leader at Check Point. Software developer, cyber security expert, and malware analyst, with more than a decade of experience. Graduate of Check Point Security Academy, with a BSc (Computer Science and Mathematics) and M.B.A from Bar-Ilan university in Israel.
In this outstanding interview, Check Point’s Malware Research & Protection Team Leader, Kobi Kisenkraft, discusses the latest malware trends, security best practices and more.
What is it like to be on the frontlines of malware research?
One thing that can be said is that it’s not boring in this area, as everyone knows the evolution of malware does not stop. Every day, new vulnerabilities are discovered that attackers exploit. It is a constant game of cat and mouse and we, as defenders, always try to think about how to block known and unknown attacks.
The challenge is very big, but the level of personal satisfaction is also quite high because, on a daily basis, we are able to see a lot of attacks that we have managed to stop in our customer environment.
What are you working on these days in terms of malware research (if it’s not top secret)?
Recently, my teammates published research that deals with the question: Can You Trust a File’s Digital Signature?
The obvious answer is yes, but unfortunately the correct answer is that it is not true and in most existing cases, it is possible to change the contents of digitally signed files and the signature will still remain valid. This situation is not just a theoretical situation and we have seen attackers using this technique to evade security products.
Those interested in expanding on the subject are invited to read the full article here.
At present, what are the most typical attack vectors allowing malware to get into businesses?
The most common attack vector is undoubtedly phishing emails, which cause the recipient of the email to click on a malicious file or link. Protection systems today detect and block many malicious emails, but it is important to remember that no defense system is 100 percent immune, so people’s awareness is very important. I recommend not opening documents or clicking on links from emails received from an unknown source or if the email’s content conveys some urgency. In this case, curiosity is a bad thing.
Is most of the malware today related to ransomware or are there any other critical trends?
Ransomware attacks are still very common and they affect not only individuals and companies…Nowadays, we see attacks on governments and public health systems like in Costa Rica and Peru. We see today’s ransomware economy is a complex operation, extorting millions of dollars per ransom, holding entire organizations captive under the threat of total system shutdown. The evolution of the ransomware business model is at the core of this phenomenon.
Ransomware-as-a-Service (RaaS) introduces affiliate programs at low on-boarding costs, enabling any attacker to easily participate in the trend. The attacker selects one of the leading ransomware “projects” and follows the detailed, easy-to-follow complimentary operations manual, which contains complete instructions for every stage of the attack.
After Check Point Research (CPR) analyzed leaked Conti group documents, we found out new details on the inside-operations of Conti, the notorious Russian ransomware group. Conti is structured like a high-technology company, with clear management, finance and HR functions. Conti recruits not only from underground, but via legitimate sources, borrowing CV pools without permission. In addition, some employees at Conti have no clue that they are part of a cybercriminal operation.
Based on everything that you are seeing, what would you recommend that businesses do differently when it comes to malware or ransomware protection?
I think that there are simple ways to prevent ransomware attacks.
#1. Mitigate the impact of a ransomware attack by doing robust data backup. If systems are backed up regularly, then the data lost to a ransomware attack should be minimal or non-existent.
However, it is important to ensure that the data backup solution can’t be encrypted as well. Data should be stored in a read-only format to prevent the spread of ransomware to drives containing recovery data.
#2. Cyber Awareness Training. Phishing emails are one of the most popular ways to spread ransom malware. By tricking a user into clicking on a link or opening a malicious attachment, cyber criminals can gain access to the employee’s computer and begin the process of installing and executing the ransomware program on it.
Frequent cyber security awareness training is crucial to protecting the organization against ransomware.This training should instruct employees to do the following:
- Do not click on malicious links
- Never open unexpected or untrusted attachments
- Avoid revealing personal or sensitive data to phishers
- Verify software legitimacy before downloading it
- Never plug an unknown USB into their computer
- Use a VPN when connecting via untrusted or public Wi-Fi
#3. Strong, Secure User Authentication. Cyber criminals commonly use the Remote Desktop Protocol (RDP) and similar tools to gain remote access to an organization’s systems using guessed or stolen login credentials. Once inside, the attacker can drop ransomware on the machine and execute it, encrypting the files stored there.
This potential attack vector can be closed using strong user authentication. Enforcing a strong password policy, requiring the use of multi-factor authentication and educating employees about phishing attacks designed to steal login credentials are all critical components of an organization’s cyber security strategy.
#4. Up-to-Date Patches. Keeping computers up-to-date and applying security patches, especially those labelled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
How can automation be used for better malware prevention and detection?
Automation and machine learning are important ways to do detection and prevention. Today, we have a lot of data from malicious and benign behavior, and we can easily create machine learning models. For example, we have a model based on MITRE techniques\sub techniques to decide if a file is malicious or benign.
In addition, we built a fully automated protections generator in our products. The automation has many feeders that give malicious files as an input. Then we run the malware automatically inside our sandbox and create protection based on the malicious activity that we observe.
Automation gives us the ability to create many protections in a short time.
Anything else that you wish to share with the CyberTalk.org audience?
Keep in mind that even if you have the best security products you are not 100% protected, because most security holes are due to misuse, incorrect configuration or a conscious and wrong choice to prefer connectivity over security. Be safe and remove all unnecessary exclusions in your security products.
For more on malware trends, see CyberTalk.org’s past coverage. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.