Kryptik, like the Adwind RAT malware family, had a median time to detection (TTD) that was consistently higher, at about 20 hours, than that of the other malware families Cisco analyzed for the time-to-evolve (TTE) study covering November 2015 through October 2016 (Figure 36). By October 2016, however, Cisco products had reduced the median TTD for Kryptik to less than 9 hours (Figure 36).
The Kryptik malware family also used a wider range of hash ages than the other malware families we analyzed, particularly during the first half of 2016. That is, Kryptik's authors kept delivering samples whose file hashes had first been seen long before, rather than constantly rotating to fresh hashes. Being able to rely on older hashes for so long indicates that defenders had trouble detecting this malware type: a hash that had been in circulation for months was still getting through.
During the period we observed, Kryptik's authors employed a wide range of payload delivery methods through the web attack vector. They used JavaScript files and archive files such as .zip files, in various file-extension and MIME-type combinations, for both web and email delivery (see Figure 34). Some of those combinations date back to 2011, which means the delivery technique itself was old; it was the rapid turnover of hashes and packaging around it that kept the payloads ahead of detection.
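The extension and MIME-type combinations referred to above are something a mail or web gateway can check mechanically, because the three signals a delivered file carries (its filename extension, the MIME type declared by the sender or server, and the leading bytes of its content) should agree, and a .zip that is declared as text, or a .js declared as an archive, is a cheap flag to raise. The following Python is an added example written for this page, not code from the Cisco report or from Cisco products. It compares the three signals, flags script files and disguising double extensions, and looks inside ZIP archives for script members. The type tables are illustrative subsets, and the sample files built by make_zip are constructed for the demonstration.

```python
import io
import os
import zipfile

# Leading bytes for the container and executable types of interest.
# JavaScript has no magic bytes; it is recognised from the name or MIME type.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"%PDF": "pdf",
    b"MZ": "exe",
}

# Illustrative subsets only; a real gateway carries far larger tables.
EXT_TYPE = {
    ".zip": "zip", ".rar": "rar", ".pdf": "pdf", ".exe": "exe",
    ".js": "js", ".jse": "js", ".wsf": "js", ".txt": "text", ".doc": "doc",
}
MIME_TYPE = {
    "application/zip": "zip",
    "application/x-zip-compressed": "zip",
    "application/x-rar-compressed": "rar",
    "application/pdf": "pdf",
    "application/x-msdownload": "exe",
    "text/javascript": "js",
    "application/javascript": "js",
    "application/x-javascript": "js",
    "text/plain": "text",
    # application/octet-stream is deliberately absent: it says nothing.
}
SCRIPT_EXTS = {".js", ".jse", ".wsf"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def type_from_name(name):
    return EXT_TYPE.get(os.path.splitext(name.lower())[1])


def type_from_mime(mime):
    # Strip parameters such as "; charset=utf-8" before the lookup.
    return MIME_TYPE.get(mime.split(";")[0].strip().lower())


def type_from_content(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def has_disguising_double_extension(name):
    """True for names like 'invoice.pdf.js': a document-looking extension
    immediately followed by a script extension."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3
            and "." + parts[1] in DOCUMENT_EXTS
            and "." + parts[2] in SCRIPT_EXTS)


def inspect_archive(data):
    """Findings for the members of a ZIP archive delivered as an attachment."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["archive is corrupt or truncated"]
    for inner in names:
        if os.path.splitext(inner.lower())[1] in SCRIPT_EXTS:
            findings.append("archive contains script: " + inner)
        if has_disguising_double_extension(inner):
            findings.append("archive member uses double extension: " + inner)
    return findings


def assess(filename, declared_mime, data):
    """Return the list of findings for one delivered file; empty means the
    extension, declared MIME type and content all agree and nothing is a script."""
    findings = []
    by_name = type_from_name(filename)
    by_mime = type_from_mime(declared_mime)
    by_content = type_from_content(data)

    if by_name is None:
        findings.append("unknown extension")
    if by_mime is None:
        findings.append("generic or unknown MIME type")
    if by_name and by_mime and by_name != by_mime:
        findings.append("extension/MIME mismatch")
    if by_content and by_name and by_content != by_name:
        findings.append("content does not match extension")
    if by_content and by_mime and by_content != by_mime:
        findings.append("content does not match declared MIME")
    if by_name == "js" or by_mime == "js":
        findings.append("script delivered as file")
    if has_disguising_double_extension(filename):
        findings.append("double extension hides script")
    if by_content == "zip":
        findings.extend(inspect_archive(data))
    return findings


def make_zip(member_name, payload):
    """Build a small in-memory ZIP archive (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.zip", "application/zip", make_zip("report.txt", b"quarterly numbers")),
        ("invoice.js", "application/zip", b"var a = 1;"),
        ("statement.zip", "text/plain", make_zip("statement.pdf.js", b"WScript.Echo(1);")),
        ("readme.txt", "application/octet-stream", b"PK\x03\x04" + b"\x00" * 40),
    ]
    for name, mime, data in samples:
        print(name, mime, "->", assess(name, mime, data) or "consistent")
```

The checks are deliberately independent so that a gateway can weight them separately: a generic MIME type on its own is weak evidence, whereas a ZIP archive declared as text/plain that contains a .pdf.js member is the exact shape of the JavaScript-in-archive deliveries described above and would normally be blocked outright.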
In our analysis of the six malware families, we find that adversaries must shift tactics frequently to take advantage of the small window of time during which their threats can operate successfully. These adjustments indicate that defenders are getting better at detecting known malware quickly, even after a threat has evolved. Attackers are therefore under pressure to find new ways to avoid detection and keep their campaigns profitable.
In this complex landscape of rapid evolution, where every malware family behaves differently, human expertise and point solutions alone are not enough to identify and respond quickly to threats. An integrated security architecture that provides real-time insight into threats, along with automated detection and defense, is essential for improving TTD and for ensuring swift remediation when infections occur.