The New Need to Create a Secondary Perimeter to Detect for Malware’s Presence

Malware – and specifically ransomware – tends to regularly make headlines with some business somewhere in the world reporting having its data encrypted by it. Due to this routine occurrence, companies need to acknowledge that their standard first line defenses such as cybersecurity and backup software no longer completely suffice to detect malware. To augment these defenses, companies need to take new steps to shore up these traditional defenses which, for many, will start with creating a secondary perimeter around their backup stores to detect the presence of malware.
The size of companies getting infected by malware are not what one may classify as “small.” By way of example, a story appeared earlier this week about an 800-bed hospital in Malvern, Australia, that had the medical records of 15,000 of its patients in its cardiology unit compromised and encrypted at the end of January 2019.
While I am unfamiliar with both this hospital’s IT staff and procedures and the details of this incident, one can make two educated observations about its IT operations:

  • One, the hospital is sufficiently large that it likely had anti-virus software and firewalls in place that, in a perfect world, would have detected the malware and thwarted it.
  • Two, it probably did regular backups of its production data (nightly or weekly.) Even if the malware attack did succeed, it should have been able to use backups to recover.

So, the questions become:

  1. Why is his hospital, or any company for that matter, still susceptible to something as theoretically preventable as a malware attack in the form of ransomware?
  2. Why could the hospital not use its backups to recover?

Again, sufficient details are not yet publicly available about this attack to know with certainty why these defenses failed or if they were even in place. If one or both these defenses were not in place, then this hospital was susceptible to becoming a victim to this sort of attack. But even if both these defenses were in place or even if just one was in place, it begs asking, “Why did one or both of these defenses not suffice?
The short answer is, both these defenses remain susceptible to malware attacks whether used separately or together. This deficiency does not necessarily originate with poorly designed anti-virus software, backup software or firewalls. Rather, malware’s rapid evolution and maturity challenges the ability of cybersecurity and backup software providers to keep pace with them.
A 2017 study published by G DATA security experts revealed they discovered a new malware strain about every four seconds.  This massive number of malware strains makes it improbable that anti-virus software and firewalls can alone identify every new strain of malware as it enters a company.  Malware’s rapid evolution can also result in variations of documented ransomware strains such as Locky, NotPetya, and WannaCry slipping through undetected.
Backup software is also under attack by malware. Strains of malware now exist that may remain dormant and undetected for some time. Once inside a company, it first infects production files over a period of days, weeks or even months before it detonates. During the malware’s incubation period, companies will back up these infected production files. At the same time, they will, as part of their normal backup operations, delete their expiring backups.
After a few weeks or months of routine backup operations, all backups created during this time will contain infected production files. Then when the malware does detonate in the production environment, companies may get caught in a Zero-day Attack Loop.
Using cybersecurity software on the perimeter of corporate IT infrastructures and backup software inside the IT infrastructure does help companies detect and prevent malware attacks as well as recover from them. However, the latest strains of malware’s reflect its continuing evolution and growing sophistication that better equips them to bypass these existing corporate countermeasures as is evidenced by attacks on this hospital in Australia and the ones too numerous to mention around the world.
For these reasons, backup software that embeds artificial intelligence, machine learning, and, yes, even cybersecurity software, is entering the market place. Using these products, companies can create a secondary defense perimeter inside their company around their data stores that provides another means for companies to detect existing and new strains of malware as well as better position them to successfully recover from malware attacks when they do occur.

Click Here to Signup for the DCIG Newsletter!


DCIG Newsletter Signup

Thank you for your interest in DCIG research and analysis.

Please sign up for the free DCIG Newsletter to have new analysis delivered to your inbox each week.