Malware development continues to remain healthy. The Intel Security Group's August 2015 McAfee Labs Threat Report shows malware quarterly growth at 12% for the second quarter of 2015. In totality, the overall count of known unique malware samples has reached a mesmerizing 433 million.
Oddly, this has become a very stable trend. For many years malware detection rates have remained relatively consistent at about ~50% increase annually.
Which makes absolutely no sense!
Cybersecurity is an industry of radical changes, volatile events, and chaotic metrics. The growth of users, devices, data, new technologies, adaptive security controls, and dissimilar types of attacks differ each year. Yet the numbers of malware being developed plods on with a consistent and predictable gain.
What is going on?
Well colleagues, I believe we are witnessing a macro trend which incorporates the natural equilibrium occurring between symbiotic adversaries.
Let me jump off topic for a moment. Yes, cyber attackers and defenders have a symbiotic relationship. There, I said it. Without attacks, security would have no justification for existence. Nobody would invest and most, if not all, security we have today would not exist. Conversely, attackers do need security to keep their potential victims healthy, online, and valuable as targets. Just as lions need a healthy herd to hunt, to avoid extinction, attackers need defenders to insure computing continues to grow and be more relevant. If security was not present to hold everything together, attackers would decimate systems and in short order nobody would use them. The herd would disappear. So yes, a healthy electronic ecosystem has either a proper balance of both predator and prey, or a complete omission of both.
Back to this mind boggling trend. I believe the steady growth of malware samples is a manifestation, at a high level, of the innumerable combined maneuvering of micro strategies and counter tactics. As one group moves for an advantage, the other counters to ensure they are not defeated. This continues on many fronts all the time. No clear winner, but no complete loser either. The players don’t consciously think this way, instead it is simply the nature of the symbiotic adversarial relationship.
I have a Malware Theory and only time will tell if this turns into a law or dust. My theory “malware rates will continue to steadily increase by 50% annually, regardless of the security or threat maneuvering” reflects the adversarial equilibrium which exists between attackers and defenders. Only something staggering, which would profoundly upset the balance will change that rate. If my theory is correct, we should break the half-billion mark in Q4 2015.
So I believe this trend is likely here to stay. It also provides important insights to our crazy industry and why we are at this balance point.
Even in the face of new security technologies, innovative controls, and improved configurations, malware writers continue to invest in this method because it remains successful. Malware continues to be the preferred method to control and manipulate systems, and access information. It just works. Attackers, if nothing else, are practical. Why strive to develop elaborate methods when malware gets the job done? (See my rants on path of least resistance for more on understanding the threats.)
Defensive strategies are not slowing down malware growth. This does not mean defensive tools and practices are worthless. I suspect the innovation in security is keeping it in check somewhat, but not slowing it down enough to reduce the overall growth rates. In fact, without continued investment we would likely be overrun. We must remain vigilant in malware defense.
The rate increase is a reflection on the overall efficacy of security. Malware must be generated at a rate of 150% per year, in order compensate for security intervention and achieve the desired success. Flooding defenders is only one strategy as attackers are also demanding higher quality, feature rich, smarter, and more timely weapons.
Malware must land somewhere in order to operate and do its dirty deeds. PC’s, tablets, phones, servers, cloud and VM hosting systems, and soon to be joined more prominently by droves of IoT devices, are all potential hosts. Therefore, endpoints will continue to be heavily targeted and defense will continue to be hotly contested on this crucial battleground. Ignore anyone who claims host based defenses are going away. Just the opposite my friends.
At a rate of over three-hundred thousand new unique samples created per day, I speculate much of the malware is being generated automatically. It is interesting on the defensive side, anti-malware companies are beginning to apply machine-learning, community reporting, and peer-validation to identify malicious code. It is showing promise. But just wait. The malware writers can use the same type of machine-learning and community reporting to dynamically write code which either subverts detection or takes advantage of time delays in verification. Malware code can quickly reinvent itself before it is verified and prosecuted. This should be an interesting arms race. Can the malware theory sustain? Strangely, I suspect this battle, although potentially significant, may be exactly what the malware model anticipates. The malware metronome ticks on.
Connect with me:
Intel IT Peer Network: My Previous Posts