While meeting with a customer last week, we looked through the detections report to see if some of the new algorithms we released had produced detections. I noticed the lines for all categories of detections dropped precipitously and then increased nearly as rapidly two days later. Nearly as fast as I pointed my finger at the screen, he said, "Yeah, that's the weekend."It took 3 seconds for us both to say, "Laptops." If you ever wanted evidence that most malware is walked in the front door on mobile devices like laptops, tablets and smartphones, then this is the graph for you.
Since you may be seeing this for the first time, allow me to explain what you are seeing. This graph is over a one-week period. Our X-series platforms listen, learn and correlate detections over weeks, so you can look at the same graph for one day, one month or increments in between. The lines are color coded so you can quickly get a sense of the volume of opportunistic botnet detections vis-à-vis targeted attack phases including command and control, reconnaissance, lateral movement and exfiltration detections indicative of a targeted attack.
On Friday, there were over 35 command and control detections. On Saturday and Sunday, there were fewer than 5 each day. But on Monday, there were over 25 command and control detections. There is a similar drop-off for botnet activity, reconnaissance and exfiltration, but not lateral movement.
We decided to dig in a bit more to see what we could learn. One of the hosts detected for command and control behavior on Friday was guilty of External Remote Access activity toward the end of the day. External Remote Access activity is an important behavior to detect in a targeted attack because a human, rather than a machine, is likely to be manually controlling the host through a connection the host established after being infected. With the scale of a botnet attack, machines automate the remote control of infected hosts. Targeted attacks represent higher risk to you – and greater reward to the attacker – and are typically manually controlled by a person rather than a machine.
The last External Remote Access command and control detection was detected at 4:11 PM on Friday – probably when the laptop was closed and taken home. On Monday, the detections started again at 8:38 AM and within a few hours, the host started to perform a brute password attack, behavior indicative of lateral movement. Our customer later learned the host is a laptop of a contract employee who has access to the company intranet. Our meeting paused while someone on the security team quarantined the laptop and contacted the user regarding remediation. It was wicked cool to quickly and easily catch – and stop – an attack in progress that was being perpetrated through a BYOD laptop!
Jon Oltsik of Enterprise Strategy Group recently wrote a blog titled "Has Mobile Computing Had a Positive Impact on Cyber Security?" Jon suggests that "the whole notion of 'shadow IT' and mobile computing suggest that the IT department will have less control in the future."
I am interested in what you have to say about this. We are sponsoring the 2014 edition of the BYOD & Mobile Security Survey performed annually by the LinkedIn Information Security Community.
Take a few minutes to complete the survey and share your current state and challenges of securing BYOD and mobility. The survey explores how companies respond to the security risks associated with mobile devices and their technology preferences. The results of this unique survey will be compiled into a report full of valuable metrics against which you can benchmark your own BYOD security efforts.