74% of Q1 malware was undetectable via signature-based tools

Organizations relying on traditional signature-based tools to detect security threats would likely have missed roughly three-quarters of malware samples that hit their networks and systems last quarter, a new analysis shows.

WatchGuard Technologies recently analyzed threat data collected from customer networks during the first quarter of 2021 and found 74% of threats detected were zero-day malware for which no anti-virus signatures were available at time of malware release. As a result, the malware was capable of bypassing signature-based threat detection tools and breaching enterprise systems.

The level of zero-day malware detections in the first quarter was the highest WatchGuard has ever observed in a single quarter and completely eclipsed the volume of traditional threats, the security vendor said in a report this week.

“The main takeaway is enterprises — and organizations of all sizes really — need to get serious about proactive malware detection,” says Corey Nachreiner, chief security officer at WatchGuard. Attackers have consistently gotten better at repackaging old malware in ways that its binary profile doesn’t match previous fingerprints and patterns used to detect it. In the past, such “packing and crypting” required smart criminals. These days, tools are readily available in underground markets that make it easy for attackers to keep digitally altering the same malware so it can bypass signature-based systems, he says.

A few years ago, such zero-day malware represented about 30% of all detected malware samples. More recently, that number has hovered around the 50% range and occasionally hit 60%. Seeing that number reach 74% in the first quarter was a bit surprising, Nachreiner says. “Pattern-based malware detection is no longer sufficient with the volumes of new malware that we see today,” he says. “Traditional antivirus products alone will miss many threats.”

Exacerbating the issue is the continued use of fileless or living-off-the-land (LotL) techniques that are explicitly designed to evade traditional detection tools, which focus on inspecting files and registry entries.

To read the complete article, visit Dark Reading.