Threat detection firm Damballa has released its State of Infections Report for the second quarter of 2014.
The company has been monitoring active infections on enterprise networks and found there is no correlation between the size of an organization and the proportion of machines infected with malware. For example, Damballa has seen enterprises with more than 200,000 devices and only a handful of infections, but it has also spotted a large number of active threats on the networks of companies with roughly 500 machines.
According to the security firm, the ratio of active infections ranged between 0.1% and 18.5% on any given day. However, the company noted that not all infections are active every single day because advanced malware can stop communicating with its command and control (C&C) server for certain periods of time in an effort to evade detection.
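The point about intermittent C&C beaconing has a direct consequence for anyone measuring infection rates from network telemetry: a single-day count of hosts talking to C&C undercounts the infected population, because dormant infections do not show up that day. The following is an added example, not Damballa's method or data, that makes the gap visible on a constructed set of C&C sightings: it computes the per-day "active" ratio, the ratio of hosts seen at least once over a multi-day window, and the longest silent stretch per host. Host names, dates and the fleet size of 20 are all constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the report): each record is a day on which a
# host was observed contacting a known C&C domain. Hosts h3 and h4 beacon only
# intermittently, modelling the dormancy the report describes.
SIGHTINGS = [
    ("2014-06-01", "h1"), ("2014-06-01", "h2"),
    ("2014-06-02", "h1"), ("2014-06-02", "h3"),
    ("2014-06-03", "h2"),
    ("2014-06-04", "h1"), ("2014-06-04", "h4"),
    ("2014-06-05", "h2"), ("2014-06-05", "h3"),
]
TOTAL_HOSTS = 20  # constructed fleet size used as the denominator below


def daily_active_ratio(sightings, total_hosts):
    """Share of the fleet seen talking to C&C on each day: the single-day view."""
    per_day = defaultdict(set)
    for day, host in sightings:
        per_day[day].add(host)
    return {day: len(hosts) / total_hosts for day, hosts in sorted(per_day.items())}


def window_infected_ratio(sightings, total_hosts, start, days):
    """Share of the fleet seen at least once in the `days`-day window starting at `start`."""
    first = date.fromisoformat(start)
    last = first + timedelta(days=days - 1)
    seen = {host for day, host in sightings if first <= date.fromisoformat(day) <= last}
    return len(seen) / total_hosts


def longest_silence(sightings):
    """Longest gap in days between consecutive sightings of each host (0 if seen once)."""
    days_by_host = defaultdict(list)
    for day, host in sightings:
        days_by_host[host].append(date.fromisoformat(day))
    result = {}
    for host, days in days_by_host.items():
        days.sort()
        gaps = [(later - earlier).days for earlier, later in zip(days, days[1:])]
        result[host] = max(gaps) if gaps else 0
    return result


if __name__ == "__main__":
    for day, ratio in daily_active_ratio(SIGHTINGS, TOTAL_HOSTS).items():
        print(f"{day}: {ratio:.1%} of hosts active")
    window = window_infected_ratio(SIGHTINGS, TOTAL_HOSTS, "2014-06-01", 5)
    print(f"seen at least once in the 5-day window: {window:.1%}")
    print("longest silence per host (days):", longest_silence(SIGHTINGS))
```

On this constructed data no single day shows more than 10% of hosts active, while the five-day window shows 20% infected; the silence lengths are what a detection team would tune its alert-expiry and re-scan intervals against, so that a host is not marked clean merely because it went quiet for a few days.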
“Traditional malware relies on remaining hidden so it can conduct criminal activity unimpeded. The longer it goes undetected, the more damage it can do. Hidden infections bedevil enterprises who spend a lot of money and manpower to prevent malware from entering their networks,” Damballa noted in its report.
Infection rates don’t depend on a company’s size as much as they do on its policies and the security team’s ability to deploy tight controls. For example, a small company could have a high malware infection rate because its distributed network is used by third-party contractors who work mainly from outside the corporate network. This makes the security team’s task difficult, since it has no control over the contractors’ devices and can’t prevent them from downloading malware. Furthermore, network security solutions might only detect threats that directly target the organization.
On the other hand, large enterprises can be better protected if the security team denies administrative rights to general users, disables email links and USB ports, restricts inbound files, and prohibits Web browsing, Damballa said.
“As the report reveals, managing infections requires constant vigilance; advanced malware is designed to be evasive and threat actors are constantly seeking the next weakness to exploit,” said Brian Foster, CTO of Damballa. “As this report notes, there is no correlation between size of the enterprise and the rate of infected devices. Smaller organizations can have a very high ratio of infected devices and large enterprises can have low infection rates. It depends on the security controls in place. We recommend that security teams work under the assumption that prevention is not fail proof, so the ability to automatically detect and accelerate the time to response is essential to minimizing risk.”
The report also warns of a sharp increase in Kovter ransomware attacks, with the largest number of infections detected by Damballa for a single day reaching 43,713 devices.
One thing Damballa’s report failed to mention, but which is important to consider, is budgets. Larger enterprises typically have bigger budgets and more money to spend on IT security solutions and staffing, a combination that makes a difference in maintaining the ability to keep threats outside of a company network.
Additional reporting by Mike Lennon