Malware development remains healthy. Intel Security Group’s McAfee Labs Threat Report: August 2015 shows malware’s quarterly growth at 12% for the second quarter of 2015. The overall count of known unique malware samples has reached a mesmerizing 433 million.
Oddly, this confirms a very stable trend. For many years malware detection rates have remained relatively consistent, at about a 50% annual increase.
Which makes absolutely no sense!
Cybersecurity is an industry of radical changes, volatile events, and chaotic metrics. The growth of users, devices, data, new technologies, adaptive security controls, and dissimilar types of attacks differs each year. Yet the number of malware samples being developed plods on with a consistent and predictable gain.
What is going on?
I believe we are witnessing a macro trend that incorporates the natural equilibrium occurring between symbiotic adversaries.
Let me jump off topic for a moment. Yes, cyberattackers and defenders have a symbiotic relationship. There, I said it. Without attacks, security would have no justification for existence. Nobody would invest, and most, if not all, of the security we have today would not exist. Conversely, attackers need security to keep their potential victims healthy, online, and valuable as targets. Just as lions need a healthy herd to hunt to avoid extinction, attackers need defenders to ensure computing continues to grow and become more relevant. If security were not present to hold everything together, attackers would decimate systems and in short order nobody would use them. The herd would disappear. So a healthy electronic ecosystem has either a proper balance of both predator and prey, or a complete lack of both.
Back to the trend in malware growth. I believe the steady increase in malware samples is a manifestation, at a high level, of the innumerable combined maneuverings of micro strategies and counter tactics. As one group moves for an advantage, the other counters to ensure they are not defeated. This continues on many fronts, all the time. There’s no clear winner, but no complete loser either. The players don’t consciously think this way; instead it is simply the nature of the symbiotic adversarial relationship.
I have a malware theory and only time will tell if this turns into a law or dust. My theory is “malware rates will continue to steadily increase by 50% annually, regardless of the security or threat maneuvering.” This reflects the adversarial equilibrium between attackers and defenders. Only something staggering that would profoundly upset the balance will change that rate. If my theory is correct, we should break the half-billion mark in Q4 2015.
So I believe this trend is here to stay. It also provides important insights to our crazy industry and why we are at this balance point.
Even in the face of new security technologies, innovative controls, and improved configurations, malware writers continue to invest in this method because it remains successful. Malware continues to be the preferred method to control and manipulate systems, and to access information. It just works. Attackers, if nothing else, are practical. Why strive to develop elaborate methods when malware gets the job done? (See my rants on the path of least resistance for more on understanding the threats.)
Defensive strategies are not slowing down malware growth. However, this does not mean defensive tools and practices are worthless. I suspect the innovation in security is keeping attacks somewhat in check, but not slowing them enough to reduce the overall growth rates. Without continued investment, we would likely be overrun. We must remain vigilant in our defense against malware.
The rate of increase is a reflection of the overall efficacy of security. Malware must be generated at 150% of the previous year’s volume to compensate for security intervention and achieve the desired success. Flooding defenders is only one strategy, as attackers are also demanding higher-quality, feature-rich, smarter, and more timely weapons.
Malware must land somewhere in order to operate and do its dirty deeds. PCs, tablets, phones, servers, cloud and virtual machine hosting systems—soon to be joined by droves of devices from the Internet of Things—are all potential hosts. Thus endpoints will continue to be heavily targeted and defenses will continue to be challenged on this crucial battleground. Ignore anyone who claims host-based defenses are going away. The truth is just the opposite.
At a rate of more than 300,000 new unique samples created per day, I speculate much of the malware is being generated automatically. It is interesting to see on the defensive side that antimalware companies are beginning to apply machine learning, community reporting, and peer validation to identify malicious code. These methods show promise. But just wait: malware writers can use the same type of machine learning and community reporting to dynamically write code that either subverts detection or takes advantage of time delays in verification. Malware code can quickly reinvent itself before it is verified and neutralized. This struggle should be an interesting arms race. Can my malware theory sustain itself? I suspect this battle, although potentially significant, may be exactly what the malware model anticipates. The malware metronome ticks on.