Organisations should stop playing malware whack-a-mole: FireEye

FireEye's CTO of emerging technologies Josh Goldfarb says many organisations are merely cleaning up infected devices rather than preventing further attacks, leaving them open to the same compromise again.

When organisations identify a malware infection, they tend to stop the fight right there, a practice that Josh Goldfarb, FireEye CTO of emerging technologies, describes as frustrating.

According to Goldfarb, what many organisations do is re-image the laptop or clean off the malware and put the machine back into service, without stopping to ask why the same thing will happen again.

"It's kind of a chicken or an egg situation where organisations are so busy playing whack-a-mole that they don't have time to come up for air, and try and understand why they're so busy playing whack-a-mole," Goldfarb explained to ZDNet.

The CTO said those affected often miss the point: they ask why the same issue keeps happening and why they are seeing 10 infected laptops each week, but never go back to the beginning to find out.

"The answer gets us away from that whack-a-mole game and gets us closer to improving our security posture by getting rid of the root cause," Goldfarb said.

"It's difficult when you're in an operational environment and you're putting out fires. It's difficult to leave fires burning to take a step back and look strategically to try and understand why it is there are so many fires burning and what can be done to perhaps reduce the number of fires that burn on a daily basis."

He said it is better to patch the platform that is continuously being infected, or to find other ways to control its use, than to keep cleaning the same machines.
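As an added illustration of the root-cause analysis Goldfarb describes (this is not code from the article or from FireEye), the script below takes a constructed week of malware clean-up tickets and asks the two questions a whack-a-mole team never gets to: which hosts keep coming back after being cleaned, and which platform build accounts for most of the infections. Field names, hostnames, build labels and malware family names are all assumptions made for the example.

```python
"""Turn a pile of malware clean-up tickets into root-cause candidates.

Added example, not code from the article or from FireEye. The incident
records, field layout, hostnames and platform labels are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one week of "cleaned and returned to service" tickets.
# Layout (assumed): (timestamp, host, platform build, malware family)
INCIDENTS = [
    ("2016-05-02T09:10", "lt-042", "win7-sp1-ie10", "dridex"),
    ("2016-05-02T11:30", "lt-017", "win7-sp1-ie10", "dridex"),
    ("2016-05-03T08:05", "lt-042", "win7-sp1-ie10", "locky"),
    ("2016-05-03T14:20", "lt-099", "win10-1511", "adware"),
    ("2016-05-04T10:00", "lt-042", "win7-sp1-ie10", "dridex"),
    ("2016-05-05T16:45", "lt-017", "win7-sp1-ie10", "locky"),
    ("2016-05-06T09:00", "lt-123", "win7-sp1-ie10", "dridex"),
]


def parse(records):
    """Convert the ISO timestamps to datetimes; other fields pass through."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M"), host, platform, family)
            for ts, host, platform, family in records]


def repeat_hosts(records, window=timedelta(days=7), min_hits=2):
    """Hosts infected at least `min_hits` times within any `window` span.

    A laptop that was re-imaged and shows up again is the signal that the
    clean-up did nothing about the cause. Returns {host: max hits in window}.
    """
    by_host = defaultdict(list)
    for ts, host, _, _ in parse(records):
        by_host[host].append(ts)

    repeats = {}
    for host, times in by_host.items():
        times.sort()
        best, start = 0, 0
        # Sliding window over sorted timestamps: for each ticket, count how
        # many earlier tickets fall inside `window` before it.
        for end, t in enumerate(times):
            while times[start] < t - window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            repeats[host] = best
    return repeats


def platform_share(records):
    """Fraction of infections per platform build.

    One build dominating the count points at a patch or configuration gap
    on that build rather than at careless users.
    """
    counts = Counter(platform for _, _, platform, _ in parse(records))
    total = sum(counts.values())
    return {platform: n / total for platform, n in counts.items()}


def root_cause_candidates(records, threshold=0.5):
    """Platform builds responsible for at least `threshold` of infections."""
    return sorted(p for p, share in platform_share(records).items()
                  if share >= threshold)


if __name__ == "__main__":
    print("hosts re-infected within a week:", repeat_hosts(INCIDENTS))
    print("infections by platform build:", platform_share(INCIDENTS))
    print("patch these first:", root_cause_candidates(INCIDENTS))
```

On the constructed data two hosts come back repeatedly and a single Windows 7 build accounts for six of the seven tickets, which is the "fix the platform, not the laptop" conclusion rather than seven separate re-imaging jobs.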

Although 60 percent of intrusions involve no malware at all, Goldfarb said, organisations still make malware the target of their security strategies, because that is what they are used to.

"That's also what they're more or less able to respond to," he said. "They're basically detecting and responding to malware because that's where we're at in terms of maturity and capability."

Australia lags behind the rest of the western world in terms of awareness, Goldfarb said, noting that businesses are not actively reporting breaches or handling them appropriately. He added that the culture in the US, Canada, and Western Europe is a little bit more aware of the need for incident response and the need to be prepared.

"Australia kind of has a bit of a reputation for being a little bit behind in terms of awareness and preparedness to deal with that type of thing," he said.

Speaking of the breaches that have been made public over the past few years, Goldfarb said a common theme is what he called "alert fatigue": organisations receive more false-positive alerts than they can keep up with, so a real concern gets missed because alert prioritisation has not been tackled correctly.

He said this allows for an attacker to fly under the radar.

Previously, Scott Brown, senior tech with CERT Australia, said around 95 percent of malware in the country still arrives via email, with the volume of those emails "skyrocketing" at the beginning of 2016.

Speaking at the Australian Cyber Security Centre Conference in Canberra in April, Brown said ransomware attacks are on the rise, "by an order of magnitude" in the last 12 months.

Also in April, Ben Adamson, APAC technology lead at Mimecast, told ZDNet that cybercriminals are still commonly using email as an entry point to steal confidential data and dupe employees into making fraudulent payments, in a money extraction technique known as a whaling attack.