How Concerned Should We Be About Regin Malware?
Submit your questions to: [email protected]
This week David Rosenberg from New York City asks:
Q: “What are some immediate steps our enterprise (we have 1,200 employees) can take to discover if we are targeted by Regin malware? How concerned should we be?”
Well, David, I’ll give you a few thoughts specifically on Regin in a bit. Let me first give you some pushback.
Each week I’m sure your local newspaper has a list of robberies in your area, as well as articles containing the names of burglars and bank robbers that were arrested or convicted in your area. Each week do you wonder if you should be concerned about your house being broken into? I hope you wouldn’t look for different strategies for burglar A one week, Peeping Tom B the next and car thief C after that etc.
No, you’ve probably identified a few common vulnerabilities (unlocked doors and windows, mail and newspapers piling up when you are away, valuables in view from windows, keys left in the ignition, etc.) that you’ve learned to mitigate. You’ve also probably developed a few common strategies for noticing if someone has been inside your house or car or whatever.
Now, those simple strategies won’t keep out a motivated criminal who has decided to break into your house, or steal your car – but there are two things to remember: (1) The basic things will cause the most common attacks to fail; and (2) you can never, ever prevent or detect the complex attacks if you aren’t doing the basic things right first.
So, my apologies for that bit of sermonizing – back to your question. The perpetrators of Regin seem to have mostly targeted telecoms providers and small businesses or individuals. At your size you are probably borderline – but it is always healthy to be worried.
Since details about Regin have been made public, all the major anti-malware vendors have released post facto signatures that you can use to check whether the file types and executables Regin is known to use exist on your endpoints, and most next generation firewall, intrusion detection, web security gateway and network behavior monitoring products can tell you if the command and control communication methods used by Regin are seen on your network.
Which brings us back to those basic things. Two of them are (1) either preventing unknown executables from being installed (via whitelisting or app store approaches) or at least quickly noticing when a new executable is installed on an endpoint; and (2) continuously monitoring network traffic and identifying unusual traffic. Together they add up to knowing what your “safe” baseline is and being able to notice when today’s Regin or next month’s YadaYada malware hits you – without having to wait for the press to popularize the name.
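A minimal version of basic thing (1), as an added example that is not from the column: take a hash inventory of the executables on an endpoint, then report anything that appears, changes or disappears between runs. The extension list and the constructed files in demo() are assumptions; a real deployment would scan real system directories and keep the baseline somewhere the endpoint cannot rewrite it.

```python
# Added example (not the column's own code): build a baseline of executable
# files (path -> SHA-256) and report what is new, changed or gone on the next
# run. Scan root and extension list are assumptions.
import hashlib
import os
import tempfile

# Extensions treated as executables on the endpoint (assumption).
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd"}

def sha256_of(path, chunk=1 << 16):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root):
    """Map every executable under root (relative path) to its SHA-256."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                full = os.path.join(dirpath, name)
                found[os.path.relpath(full, root)] = sha256_of(full)
    return found

def diff_baseline(baseline, current):
    """Executables that appeared, changed hash, or disappeared since baseline."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: baseline, then a modified binary and a dropped DLL."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        svc = os.path.join(root, "bin", "svc.exe")
        with open(svc, "wb") as f:
            f.write(b"original service binary")
        baseline = inventory(root)
        with open(svc, "wb") as f:
            f.write(b"patched service binary")  # same path, different hash
        with open(os.path.join(root, "bin", "dropper.dll"), "wb") as f:
            f.write(b"unexpected new module")  # executable absent from baseline
        return diff_baseline(baseline, inventory(root))
```

Calling demo() returns the new, changed and removed lists a monitoring job would raise an alert on; in production the baseline would be refreshed only after each change is reviewed.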
“Basic” doesn’t always equal “easy” – “Buy low, sell high” is a basic, but not easy, guide to wealth, too… But maintaining an accurate baseline, implementing server-side baselining without impacting business, and quickly spotting when things are moving away from that safe zone is not as difficult as it was in the past. Once you do that well, you’ll be able to focus more on advanced targeted threats – and you will have likely actually made it a whole lot easier to detect and deal with those threats.