The Problem is the Detection Gap
The New York Times attack is all over the news this morning. We’re lucky in some ways that this happened to the Times. As its security beat reporter, Nicole Perlroth, noted in an interview on NPR this morning, the Times, being a media company, was more willing to talk publicly about what happened than most organizations would be. We don’t often see coverage of advanced attacks in such detail, but the problem is widely known, if not widely understood.
I applaud the Times for recognizing a possible threat, being proactive in starting to monitor its network, and following through with strong incident response. However, the account also noted evidence that the attackers had been inside the NYT network for months before the intrusion was discovered. Indeed, Perlroth reported that “Investigators still do not know how hackers initially broke into The Times’ systems.”
In our view, the key underlying problem is the Detection Gap. The article noted that the attackers installed 45 pieces of custom malware, of which only one was detected. This is not uncommon. Look at the latest statistics from VirusTotal.
This data shows a huge gap between the number of known malware samples and the number flagged by at least one of the existing anti-malware engines. As part of CounterTack’s ongoing Cyber Counter-Intelligence Research, we see that this gap persists. On any given day, some 50 percent or more of known malware is not detected by any engine.
There are many reasons for the Detection Gap, from persistent attackers who take the time to modify their attack code to foil signature detection, to polymorphic malware and other evasion techniques. Of course, this is just the tip of the iceberg. The Gap we see in the VirusTotal data covers only known malware, that is, samples that someone has already submitted for analysis. Beyond it lie targeted, personalized, and insider attacks, which such statistics cannot capture.
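To make the mechanism behind the Gap concrete, here is an added example (not code from the original post or from CounterTack) that models a signature scanner and the two evasions named above: a persistent attacker who edits a known sample, and a polymorphic family that re-encodes its body under a fresh key per copy. Everything in it is constructed for the illustration: the "payload" is an inert string, the signature database holds the one variant a vendor has seen, and the corpus is ten variants of the same family. The scanner names (`hash_scan`, `pattern_scan`, `decoded_scan`) and the `detection_rate` helper are this example's own, and the last scanner assumes the analyst already knows how the family encodes itself.

```python
"""Toy model of the Detection Gap: signature scanning vs. trivially mutated
samples. All data here is constructed for the example; the 'payload' is an
inert string standing in for a malicious file body, not real malware."""
import hashlib

# Constructed inert "payload" standing in for the body of a malicious file.
ORIGINAL_PAYLOAD = b"PAYLOAD: connect c2.example.invalid and fetch stage2"

# Constructed benign file used to check the scanners for false positives.
BENIGN_FILE = b"Quarterly earnings report: revenue grew 4 percent."


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database built from the single variant a vendor has analysed.
HASH_SIGNATURES = {sha256(ORIGINAL_PAYLOAD)}
# Byte-pattern signature: a distinctive substring of that known sample.
PATTERN_SIGNATURES = [b"c2.example.invalid"]


def hash_scan(sample: bytes) -> bool:
    """Whole-file hash match: defeated by changing any single byte."""
    return sha256(sample) in HASH_SIGNATURES


def pattern_scan(sample: bytes) -> bool:
    """Byte-pattern match: survives appended junk, not an encoded body."""
    return any(p in sample for p in PATTERN_SIGNATURES)


def xor_encode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(payload: bytes, kind: str, key: int = 0) -> bytes:
    """Mutate a known sample. 'append' pads it with junk bytes (enough to
    break hash matching). 'xor' stores the body XOR-encoded under a per-copy
    one-byte key, prefixed with that key (breaks plain pattern matching too)."""
    if kind == "append":
        return payload + b"\x00" * 16
    if kind == "xor":
        return bytes([key]) + xor_encode(payload, key)
    raise ValueError(f"unknown variant kind {kind!r}")


def decoded_scan(sample: bytes) -> bool:
    """Family-aware scan: assumes the analyst knows the family hides its body
    under a one-byte XOR key, so every key is tried and the pattern is looked
    for in the result. Key 0 is the identity, so this subsumes pattern_scan."""
    return any(pattern_scan(xor_encode(sample, key)) for key in range(256))


def build_corpus(n_xor_variants: int = 8) -> list:
    """The original plus one padded copy plus n re-keyed polymorphic copies."""
    samples = [ORIGINAL_PAYLOAD, make_variant(ORIGINAL_PAYLOAD, "append")]
    for key in range(1, n_xor_variants + 1):
        samples.append(make_variant(ORIGINAL_PAYLOAD, "xor", key))
    return samples


def detection_rate(samples: list, scanner) -> float:
    """Fraction of the corpus the scanner flags; 1.0 minus this is the Gap."""
    hits = sum(1 for s in samples if scanner(s))
    return hits / len(samples)


if __name__ == "__main__":
    corpus = build_corpus()
    for name, scanner in (("hash", hash_scan), ("pattern", pattern_scan),
                          ("decoded", decoded_scan)):
        rate = detection_rate(corpus, scanner)
        print(f"{name:8s} detects {rate:.0%} of {len(corpus)} variants; "
              f"benign flagged: {scanner(BENIGN_FILE)}")
```

Run as a script, the hash scanner catches one of ten variants (exactly the sample it was built from), the pattern scanner catches two, and only the scanner that understands how the family unpacks itself catches all ten while still leaving the benign file alone. That is the Gap in miniature: each cheap mutation costs the attacker seconds and costs the defender a new signature.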
“Houston, we have a problem.”
We need new ways to detect attacks. More on that later. For now, what do you say? Are you seeing the Detection Gap too?