You’re likely familiar with the names of common malware strains such as MOUSEISLAND, Agent Tesla and TrickBot. But do you know how new malware threats get their names?

As a cybersecurity writer, I quickly add new strains to my vocabulary. But I never knew how they came to have those names in the first place. After writing numerous articles on malware, I decided to dig deep into the naming conventions to shed some light on that question. As it turns out, a name can tell you a lot about the malware itself — but it can also sow some confusion. 

Threat Group Names

First, let’s talk about the difference between group names and malware strain names since they often intertwine and sometimes impact each other. With a one-hit-wonder group or a group with no known name, occasionally, the malware shares the group name. However, in most cases, there is a unique name for both the group and the malware.

You can often learn a lot about a group from its name. Group names often reference the nation-state associated with the group, such as Bear for Russia and Panda for China. The name often reflects the group’s motivation as well. “Spider” in the name means that money motivates a group, and “Jackals” refer to hacktivists.

A Few Common Naming Conventions

Now let’s get back to the question of how malware strains themselves are named. The short answer is that strains are named in several different ways. Of course, there are always outliers that get their names in a totally different way, so these are just common examples.

Typically if a cyber criminal doesn’t name their strain themselves, a cybersecurity researcher creates the name. The primary researcher of the strain or attack will usually come up with the name, and they sometimes assign one that seems random — but there is usually a pattern or at least some loose methodology.

And yes, that has led to many issues — especially misidentification and misnaming. Without an industry-wide database that lists the official names of all strains, some strains even end up with multiple names. Because many strains turn into families, researchers and the media must use consistent naming conventions. Otherwise, these labels can cause confusion when experts most need clarity. 

6 Common Ways Malware Strains Get Their Names

1. Target of the Attack

Sometimes the simplest (and most notable) thing about a strain is what the attack is trying to disrupt. For example, the Olympic Destroyer malware got its name because it was trying to shut down the Winter Olympics systems in South Korea in 2018.

2. Computer Antivirus Research Organization (CARO) Conventions

Sometimes malware strains have both a formal name and a nickname, just like people. In many cases, we never know or use the name researchers use formally — or the one their mom uses when they’re in trouble. The CARO creates the name based on the strain’s type, platform, family, variant and suffix. Companies such as Microsoft and CrowdStrike often stick to formal names.

3. Unique Aspects of the Attack

When researchers were studying the HeartBeat malware strain, they noticed an echoing sound that mimicked a heartbeat, which coined its name. Meltdown got its name because of what the attack did: break the isolation between applications and the operating system, which opens up the network to attacks leading to a meltdown.

4. Variant of the Threat

Malware often has many strains. And since each strain can vary in significant ways, we need to be able to differentiate between them. This is when the suffix of the CARO name comes into play. The suffix also suggests how the variant is used.

5. Cyber Criminals

Sometimes the threat actors themselves name the strain when they take credit for the malware. Other times, the name is integrated into the attack, such as in the case of WannaCry. Some groups actually create logos for their strains for marketing purposes. 

6. Functionality

The action of the malware is sometimes the reason behind the name, such as Banker or Downloader. In some cases, that functionality combines with another descriptive word to distinguish it from other strains.  

Malware naming conventions can be confusing. But by understanding a bit about common origins, you get a head start on knowing about the strain from the first time you hear the name.

The post Six Common Ways That Malware Strains Get Their Names appeared first on Security Intelligence.

With the cost of data breaches at an all-time high, organizations are working to proactively identify areas of risk on the network. Using pentesters to conduct penetration (pen) testing is becoming more common. To protect themselves, businesses must know their risk areas before hackers find vulnerabilities. Organizations can lower their attack risk by protecting against weaknesses or eliminating them.

The 2022 IBM Cost of a Data Breach found that data breaches cost an average of $4.35 million per breach, an increase of 12.7% from 2020. For many businesses, breaches are becoming a “when”, not an “if” proposition. Of the organizations participating in the study, 83% have experienced more than one data breach — and only 17% said it was their first time.

As a result, many organizations are turning to pen testing to improve their overall security. 

What is Penetration Testing?

During pen testing, pentesters determine how secure an app or network is by trying to break into it. Pentesters often use black box testing, where the tester does not know the underlying infrastructure, apps or code. The process allows pentesters to conduct the tests from the perspective of an outside hacker and uses automated processes to test vulnerabilities.

Other forms of pen testing can be used as well. White box pen testing relies on the tester’s knowledge of the infrastructure to quickly test security using specialized tools. Gray box testing blends white box and black box testing as the tester uses personal knowledge of the infrastructure and both manual and automated tools to exploit weaknesses.

Pen testing provides numerous benefits to companies, including infrastructure knowledge and fewer errors. While some companies balk at the initial price, the approach saves significant costs by reducing risk and the likelihood of a breach. Companies regulated by compliance guidelines often turn to pen testing as part of their compliance process.

While penetration testing is similar to ethical hacking, some differences exist. Mainly, penetration testing focuses on breaching specific systems to take over the environment. Ethical hacking, on the other hand, uses all hacking techniques. Ethical hackers are usually not company employees, although some companies hire ethical hackers as full-time employees. Bug bounty programs are a bit similar, but they’re more focused on all types of bugs instead of just breaching a system. Because bug bounty programs are open to the cybersecurity community, external hackers typically participate as well as the occasional internal employee.

Responsibilities of a Pentester

Pentesters who work as contractors are typically responsible for following testing protocols designed by the hiring agency or organization. Full-time pentesters usually start with a goal and then determine which tools and methods will best help them reach it. After completing their tests, pentesters write documentation detailing the results to help make security changes.

In addition to technical skills, pentesters need good written and verbal communication skills. Pentesters often need to collaborate with the IT department to help create solutions based on the results of the tests. Because of the types of attacks happening in the real world and the technology used by cyber criminals, pentesters need to stay on top of the latest trends in the cybersecurity industry.

Pursuing a Career as a Pentester

Some companies require pentesters to have a computer science degree or cybersecurity certificate. However, many others accept on-the-job experience — especially experience in the cybersecurity industry. While some companies may require a bachelor’s degree, others look for candidates with digital badges or certifications.

Some companies hire internal pentesters, especially for white box pen testing. However, contract pentesters hired for specific projects typically conduct black box pen testing to ensure they don’t have prior knowledge of the infrastructure. If you are looking for a job as a pentester, consider looking for both full-time employment and contract gigs.

Pentesters looking for full-time employment often find jobs at non-technical companies that want to ensure their infrastructure is secure. Other testers work for cybersecurity firms that offer services to other companies. With IT spending on cybersecurity increasing as risks escalate, the demand for pentesters will also likely continue to climb.

Overall, pen testing is a great entry-level career for tech workers or people who want to enter the cybersecurity field. While some technical knowledge is needed, many of the tools and techniques are learned on the job.

The post What is a Pentester, and Can They Prevent Data Breaches? appeared first on Security Intelligence.

Neil Wyler started his job amid an ongoing cyberattack. As a threat hunter, he helped his client discover that millions of records had been stolen over four months. Even though his client used sophisticated tools, its threat-hunting technology did not detect the attack because the transactions looked normal. But with Wyler’s expertise, he was able to realize that data was leaving the environment as well as entering the system. His efforts saved the company from suffering even more damage and disruption. 

Wyler shows that threat hunters can help prevent a cybersecurity catastrophe. But what is a threat hunter, and how can they improve an organization’s security posture?

What is Threat Hunting?

While enterprise security systems are a key part of cybersecurity, threat hunters provide organizations extra protection. A threat hunter reviews all the security data and systems to look for abnormalities and potential malware issues. Threat hunting complements automated security tools and is best used in conjunction with that technology. By combining the strengths of both human expertise and artificial intelligence (AI) tools, companies can find cyber threats faster and reduce damage.

Responsibilities of a Threat Hunter

Threat hunters search, log, monitor and neutralize threats to find issues before they become serious problems. In some companies, threat hunters design the threat-hunting program, which starts by building the hypothesis the program is looking to answer, such as searching for malware with specific criteria. Threat hunting typically involves looking for malware threats incorporated into commercial technology but not yet known.

Threat hunters use three approaches: structured, unstructured and situational.

During structured tests, the threat hunter leverages indicators of attack (IoAs) and the tactics, techniques and procedures (TTPs) of an attacker. Unstructured hunts occur when a trigger indicates a compromise, and the hunter looks at patterns before and after the detection. Situational hunts commence when a risk assessment is warranted, such as knowing attacks are happening at similar companies.

What makes threat hunting different from other cybersecurity tasks is that they don’t just use security information and event management (SIEM), endpoint detection and response (EDR) and other typical processes. Instead, threat hunters search through security data to look for patterns that indicate malware or attackers. Once they discover a cyber criminal’s potential entry method, they work to patch the issue to prevent future incidents.

Pursuing a Career as a Threat Hunter

Threat hunting is often one of the responsibilities of a cybersecurity analyst. However, some managed service professionals (MSPs) hire threat hunters whose primary responsibility is threat hunting for clients. Cybersecurity firms also hire threat hunters to provide the service to their clients. Additionally, threat hunters can work freelance for companies that need threat-hunting expertise but don’t want to hire an MSP.

Companies often look for certifications or bachelor’s degrees when hiring for analyst and threat-hunting positions. Candidates can also go into threat hunting with digital badges or certifications. However, cybersecurity analysts can learn threat-hunting skills on the job and then move into a threat-hunting role.

Threat hunters need strong technical skills and expertise with cybersecurity tools. However, the most important skills are problem-solving and analysis because the role requires manually reviewing data. Threat hunters must also have a strong interest in cybersecurity and a willingness to continually stay updated on cyber criminals’ latest TTPs. Additionally, threat hunters need good written skills to communicate findings to IT leaders. Because threat hunters often work on a team with other cybersecurity professionals, they also need the ability to collaborate and verbally communicate with others.

As cybersecurity risks and threats continue to increase, threat hunting is apt to become an even more crucial facet of cybersecurity. Organizations need the human touch to catch sophisticated threats, even using sophisticated tools. Cybersecurity professionals specializing in threat hunting or adding it to their skill set will likely have solid employment opportunities.

The post How Do Threat Hunters Keep Organizations Safe? appeared first on Security Intelligence.