Sage Advice - Cybersecurity Blog

Does Malware Have Citizenship?

In talks with information security professionals at security conferences, user group events, and customer sites, Chester Wisniewski frequently fields questions about country-based blocking as a network defense tactic. Though he couldn’t find any published data to confirm it, his working assumption was clear: “I couldn’t see any meaningful correlation between the countries from which traffic originates and attack patterns,” said Wisniewski, a principal research scientist at Sophos.

So, in 2018, leveraging petabytes of malicious samples captured by SophosLabs, he launched his own project to determine if region-blocking was a practical weapon for slashing malware volumes. In his CyberCrime Symposium keynote, he detailed his findings and how attendees could apply the information to better defend their networks. 

Malicious Matters

For his research, Wisniewski analyzed a month’s worth of malicious data. Beyond segmenting threats by type and location, he wanted to drill down to identify the countries of traffic origin, autonomous systems (ASes) — blocks of IP addresses controlled by ISPs and other large network operators — and sketchy ISPs.

From the month’s sample, Wisniewski pulled almost 1.2 million unique blocked network items containing malicious content, which he grouped into three primary classifications:

  • Command and control (C2) traffic (~12k items). Comprises bots calling back to C2 servers for instructions and ransomware servers requesting encryption keys from distributed contact points.
  • Temporarily infected websites (~18k domains/pages). Legitimate sites that get blocked until they’re cleaned of detected infections.
  • Malware repositories (~1.1m sites). Owned by cyber-criminals, these repositories exist to distribute malicious content. “Once we put a site into this bucket, they’re condemned,” said Wisniewski.

For validity purposes, he eliminated hosts and IP addresses with random malware anomalies to identify strictly malevolent host servers. The final tally: around 152,000 unique domains, hosted on 43,000 unique servers. “In the end, just 43,000 actual computers were hosting all that noise,” said Wisniewski.

Location, Location, Location

Where were all these noisy servers based? Wisniewski wasn’t surprised to discover that 46% of the world’s malicious content is hosted on US servers. “If you really want to secure your networks, block America,” he joked, noting audience laughter at the absurdity of such action. “No country in the world could do it, nor would they, because US networks are the ones they most want to access.”

Among those he called “the usual suspects,” China finished second, hosting 7% of the bad content, while Russia was fifth, with 3.5%. However, he noted, these two together accounted for fewer malicious hosts than Germany and the Netherlands combined.

Drilling down, findings showed that most of the world’s C2 infrastructure is on US servers. This makes sense, said Wisniewski, as most malware resides on compromised websites, and US cloud providers host more web content than any other country.

The US also led the two other content segments, but by smaller percentages. In the malware repository category, China and the Netherlands gained ground. China, Wisniewski speculates, reuses IP addresses from major Chinese universities by design. Because those universities conduct joint research with American universities, their addresses can’t be blocked outright.

Meanwhile, Wisniewski’s efforts to identify ISPs that host large numbers of malicious IPs, and organizations that use such addresses, “provided a bit more intelligence into who might be facilitating criminal actions.” However, this data’s not reliable, as players often mask their identities.

Knock-Out Punch Damages

“Obviously, organizations can’t use geo-location data to simply knock out the country hosting the biggest chunk,” said Wisniewski. “They’re unlikely to block as much malicious content as they think, and far more likely to block content they need because they don’t realize what’s hosted where.”

The same goes for blocking ISPs — the benefits pale when compared to the collateral damage, as network providers host high-traffic legitimate IPs as well. However, he advised attendees to use their wallets to force network providers to better monitor their customer base.
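To make the trade-off concrete, here is an added example (not code from the talk or from Sophos) that aggregates a constructed sample of blocked items the way the analysis above describes, then estimates what a country-level block would actually stop versus the legitimate traffic it would cut off. Record fields, country codes, AS numbers and traffic counts are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of blocked items: (domain, server_ip, category, country, asn).
# Categories follow the three buckets from the talk; IPs are documentation ranges.
BLOCKED = [
    ("c2-a.example",  "203.0.113.10", "c2",         "US", 64500),
    ("c2-b.example",  "203.0.113.10", "c2",         "US", 64500),
    ("shop.example",  "198.51.100.7", "infected",   "DE", 64501),
    ("drop1.example", "192.0.2.20",   "repository", "CN", 64502),
    ("drop2.example", "192.0.2.20",   "repository", "CN", 64502),
    ("drop3.example", "192.0.2.21",   "repository", "NL", 64503),
    ("drop4.example", "203.0.113.55", "repository", "US", 64500),
    ("drop5.example", "203.0.113.56", "repository", "US", 64504),
]

# Constructed counts of legitimate requests the same network makes, by country.
LEGIT_BY_COUNTRY = {"US": 9000, "DE": 400, "NL": 300, "CN": 150}


def unique_domains_and_servers(records):
    """Collapse blocked items to unique domains and the servers hosting them."""
    domains = {r[0] for r in records}
    servers = {r[1] for r in records}
    return len(domains), len(servers)


def malicious_share_by_country(records):
    """Fraction of unique malicious servers hosted in each country."""
    servers_by_country = defaultdict(set)
    for _domain, ip, _cat, country, _asn in records:
        servers_by_country[country].add(ip)
    total = sum(len(s) for s in servers_by_country.values())
    return {c: len(s) / total for c, s in servers_by_country.items()}


def servers_by_asn(records):
    """Unique malicious servers per AS, to spot providers hosting many bad IPs."""
    by_asn = defaultdict(set)
    for _domain, ip, _cat, _country, asn in records:
        by_asn[asn].add(ip)
    return {asn: len(s) for asn, s in by_asn.items()}


def geo_block_tradeoff(records, legit, country):
    """Share of malicious servers a block on `country` stops vs. legit traffic lost."""
    stopped = malicious_share_by_country(records).get(country, 0.0)
    lost = legit.get(country, 0) / sum(legit.values())
    return round(stopped, 3), round(lost, 3)
```

Run against your own firewall or proxy block logs (with real legitimate-traffic counts) to see whether a geo block would pay for itself: in the constructed sample, blocking the US stops half the malicious servers but loses 91% of legitimate traffic.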

Given the web content hosted in the US, Wisniewski was pleased to see its relatively low “infected website” percentage. A review of historical data showed that the number of infected sites in the US has dropped continually over the last 10 years — a trend he partially attributes to shifting attitudes toward cloud services.

“Fewer businesses are deploying non-critical systems — like their websites — on their own servers, where maintenance lapses expose them,” he said. “Instead, they're turning to cloud-hosted systems, maintained by teams of cybersecurity experts.”

For a growing number, the same goes for network-blocking functions. “The key to fighting malware is automation, as IPs are constantly reassigned,” said Wisniewski. As a cybersecurity tactic, network-blocking is most effective when it’s backed by dedicated cybersecurity teams, live cloud-lookups, and threat intelligence feeds that dynamically update network-security products.

Info-security teams have gotten pretty good at building layered security defenses, so, while bots might bypass a firewall or antivirus, it’s much harder when all layers work in tandem. Motivated talent can always find a way in, but that requires a much higher investment, said Wisniewski.

Depending on their objective, some cyber actors will continue to take this route, but more are now pointing their talent at their opponent’s people rather than its technology. “Are cyber actors going to put a lot of effort into getting past the firewall, antivirus, sandbox, and other layers or are they going to try to get someone to open an attachment?” he asked attendees.

Therefore, it’s critical that organizations raise their employee cybersecurity awareness game. Wisniewski recommends that they formalize incident-reporting processes, designate a “security advocate” in each department, and reward employees for reporting suspicious activities.

“Facebook makes sharing frictionless,” he said. “You need to make threat-sharing within your organization frictionless.”

This is the seventh in our series of posts presenting key takeaways from our 2018 CyberCrime Symposium, held November 1-2, 2018. The program — “The Future of Privacy and Security” — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, this is a not-to-be-missed series!


Topics: CyberCrime Symposium, Threat Intelligence, Threat Hunting
