Destructive payloads in malware, whether attacks aimed at breaching a network or database security system, are usually rare because attackers prefer to take control of their victims’ computers for financial gain or to steal intellectual property. However, recently there have been several attacks where the only goal was to cause as much damage as possible. Some of these attacks seem to be targeted — others were implemented as worms. McAfee Labs expects this malicious behavior will grow in 2013.
It is impossible to determine whether these attacks are hacktivism taken to a new level or just malicious intent — but the worrying fact is that companies appear to be vulnerable to such attacks. As with distributed denial-of-service (DDoS) attacks, the level of technical expertise required to launch these attacks is rather low. If attackers are able to install destructive malware on a large number of machines, the result can be devastating.
How can organizations prepare for such incidents and, more importantly, how can they mitigate or prevent some of the damage?
- Know your enemy — it may be a company insider. An inside or outside attacker who has elevated privileges on the network could time-bomb many systems on multiple sites.
- Elevate disaster recovery plans. The damage will most likely be worse than what is covered in many disaster recovery plans; therefore, IT staff may need to update their plans to cover this level of attack.
- Prioritize how to keep the business running. This is best achieved by having production networks, supervisory control and data acquisition (SCADA) systems, and so on completely separated from the normal network, preventing them from being attacked in the first place.
- Prepare for user data loss. Users tend to store their data on their local machines, which means there will be a massive loss of data in this type of attack. A significant challenge will be to reinstall thousands of machines while ensuring that the time bomb doesn’t resurface.
- Consider remote management features. Remote management features that are independent of the state of the PC and its OS can help IT in the clean-up following an attack, but these features will need to be implemented and tested before an incident occurs.