As it turns out, what you don’t know can most definitely hurt you. Recent research by HP revealed that 29% of malware captured by security teams was previously unknown. Also, because unknown threats could slip beneath information security radar for an average of 8.8 days, threat actors had enough time to execute attacks even before threat intelligence systems could detect the malware. But with real-time threat information exchange, organizations can reduce the impact of malware.
Below, we'll dig into the role unknown attacks play in the cybersecurity landscape and how collaborative threat exchange can be used to flag them early on.
The threat of the unknown
Unknown threats give malware actors two advantages they desperately need:
- The ability to get past threat detection systems: Because their signatures can’t be recognized by threat intelligence systems, they can wriggle through cyber defenses undetected.
- Time to execute their attacks: You can't fight what you can’t see. Malicious actors leverage the temporary invisibility of unknown threats, buying time while they attack networks and compromise data.
How common are unknown threats? Every day, the AV-TEST Institute registers 450,000 previously unknown malicious programs and potentially unwanted applications (PUAs). That’s more than five new threats per second, and the volume of these attacks has been increasing: AV-TEST logged 15.48 million incidents of new malware in October 2021, as opposed to 8.97 million in the same month of the previous year, which is about a 72.6% increase year-over-year.
Why are there so many unknown threats?
The number of unknown threats is rapidly increasing because threat actors constantly adjust their tactics, techniques, and procedures (TTP). Hackers study existing cybersecurity systems and then modify their attack tools and methods accordingly. For example, a threat detection system can easily spot a nefarious domain and IP address, preventing an attacker from launching an attack from either. But a hacker can simply get a new domain and a matching new IP address to bypass detection systems.
As a result, cybersecurity teams had to develop new strategies as well. In many cases, they’ve chosen to move beyond signature-based detection systems, focusing on threat behavior instead. This adjustment enables them to catch more threats, whether or not they were previously known.
The power of the collective: collaborative threat exchange as an early warning system
Threat intelligence exchange involves a central system that collects threat data from a variety of contributors across a network. It can consist of several companies reporting network activity. As a threat interacts with one company’s network, the system creates a profile of the threat’s behavior. This information can then be automatically fed to the rest of the network. If the threat tries to attack again, data regarding its behavior can be used to flag and stop it.
For example, suppose a hacker uses a Trojan-style attack, hiding a threat in an otherwise helpful, benevolent program, such as a Google Chrome update. This may slip past a typical threat intelligence system because the file name may not trigger an alert—it looks like a regular Chrome update from the outside. But as the malware reaches the system, it starts exfiltrating tons of data.
Data regarding the threat's behavior then gets uploaded to the collaborative intelligence system, providing all partner companies the same information, which puts them in a position to block the threat if it tries to cross any of their digital thresholds.
The IronNet Collective Defense platform empowers organizations with a threat intelligence system based on this kind of collaborative exchange. It works as an early warning system for all of the connected organizations, so they aren’t only protected from existing threats but also the unknown TTP that hackers may use.
For questions about how Collective Defense can help you better safeguard your organization against unknown threats, reach out to the IronNet team today.