Telecommunications networks are a proving ground for cybercriminals and their malware, according to Lastline's Global Threat Intelligence Network.
The company recently released the Malscape Monitor report for telecom for the fourth quarter of 2017. It is based on examination of the 100 latest malicious samples and statistical data for threats seen in the 30 days prior to the report.
The firm found that one out of every 370 submissions from telecom networks was malicious and evaded typical security controls. That compares to one in 500 from the overall global sampling.
Likely explanations, according to the firm, are either that telecom companies are attacked more often than other types of companies, or that security in telecom networks is better, so they catch more malicious files than general networks do before submitting them to Lastline.
The firm found that only 15 types of files were used to deliver malware—compared to the global average of 40 file types. Email is the most common point of attack. Since the telecom industry is seen as especially vigilant against malware, the findings can be seen as leading indicators of attacks that will hit other industries.
"Telecom services, given higher levels of security capabilities than most industries, can be seen as a barometer of tactics that will be seen in other vertical markets if the new tactics used against telecom companies are successful," Andy Norton, Lastline's director of Threat Intelligence, told FierceTelecom.
Another indication that telecom networks are gaining special attention is that about 90% of the malware found had not been seen before by the industry group VirusTotal, and so they are unlikely to be neutralized by typical AV software. That is more than the 65% global average and much higher than the 20% on finance networks.
"This delta could be explained by the implementation of state of the art email security controls in Telecom Services companies that have necessitated that the threat actors, in order to penetrate defenses, constantly evolve their attacks creating a perpetual Day0 campaign of rotating file types, exploits, and social engineering schemas," the report says. The firm uses Day0 to denote known attacks that have been changed in some way to appear new.
In many cases, only general descriptions of the virus are known. Typically, the response is to restore from a backup or reimage completely. But this is insufficient as the sophistication of these attacks grows. The key is real-time behavioral analysis that can respond as the attacks unfold.
"The issue with providing generic guidance is that it does not address the very significant threat posed by malware that is designed to steal credentials, for example," the report reads. "Without knowing what the malware is actually capable of doing, it’s impossible to effectively and completely remediate it and protect against subsequent attack using stolen credentials."
Lastline also found that a higher percentage of dangerous malware is aimed at telecommunications companies. This malware navigates around "static" analysis, uses advanced evasion techniques, compromises a host and remains undetected and/or steals credentials and surveils the user to gain further access. One in 10 pieces of malware seen by Lastline had some of these characteristics, while the global average was one in 12.
Norton suggests that telecom companies could respond proactively.
"Telecom companies could offer, possibly at an additional cost, a level of security check based on the dynamic analysis of the email contacts intended for their customers," he wrote. "This would break the cat and mouse game played by the cyber criminals and the antivirus industry, greatly reducing the encounter rate with malware that current email subscribers face."