
Defending Against Malware Attacks Starts Here
The Ultimate Guide to Building Your Malware Defense Strategy

Ransomware is continually one of the top threats worldwide, and cyber criminals are only becoming more bold, even using it to attack government agencies around the world.1

The threat of malware is rising year-over-year, with Forbes estimating malware as the most common cause of cyberattacks as of mid-2022, covering more than one fifth of all cyber incidents.2

Meanwhile the Harvard Business Review (HBR) says, “While IT specialists toil away to create better, smarter, and safer technical systems, there is one risk they can’t program away: humans. Especially as remote work becomes more prevalent and thus access to secure systems becomes more distributed, one wrong click by an employee can often be enough to threaten an entire digital ecosystem.”3

Today’s IT professionals need to focus on building a more user-centric security design, and onboarding technology that can act before an employee or a customer is infected.

After all, the same HBR researchers found that in 85% of cases where employees violated cybersecurity rules, they did so because they felt it would help them or their colleagues to best perform their job. Most employees aren’t acting maliciously, and yet the vast majority aren’t ignorant either. Instead, most workers are making real-time decisions to balance security with productivity, and are weighing up the cost/benefit of risking one for the other.

1. https://www.wired.com/story/costa-rica-ransomware-conti/
2. https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/
3. https://hbr.org/2022/01/research-why-employees-violate-cybersecurity-policies
This eBook will look at the growing risk of malware, and the smart route to securing your business environment, covering:

• What is covered by the term malware, and how serious is the threat in 2023?
• The true cost of malware for today’s businesses, and the challenges of prevention
• 7 indicators of compromise that could signal a malware attack in your environment
• A 5-step playbook against malware, aligned to the NIST Cybersecurity Framework
• Perimeter 81’s Malware Protection and how to manage the malware risk
What Does the Threat of Malware Look Like in 2023?

Malware is a portmanteau of the words malicious software, and is a broad term which covers any software that attempts to gain unauthorized access to computer systems for disruption, damage, or gain. For as long as there has been the internet, there has been malware, and the earliest computer viruses have been documented as far back as the 1980s.4

Over time malware has become increasingly sophisticated. Today more than 450,000 new instances of malware and potentially unwanted programs (PUPs) are discovered each day, with cumulative numbers growing every year, according to AV-Test.5

4. https://en.wikipedia.org/wiki/Elk_Cloner
5. https://www.av-test.org/en/statistics/malware/
Breaking Down the Term: What’s Covered By The Word Malware?

To understand malware, businesses need a strong understanding of the different kinds of attacks they could be facing.

Malware is a broad term that covers a wide range of threats, and many kinds of malware can be used in combination with one another to form blended attacks, and therefore achieve greater impact against their victims.

There are numerous types of malware attacks, but let’s cover some of the most common:

Ransomware

These malware programs encrypt your data and hold it to ransom, asking for a sum of money in order to release your information. Ransomware usually occurs through an employee clicking on a malicious link from an email or a website, although it can also happen via “drive-by downloading”, where the user doesn’t need to click anything, only visit an infected website to trigger the malicious download.

The Cost of Ransomware

Cybersecurity Ventures predicts that within a decade, there will be a new ransomware attack every 2 seconds. This is the fastest growing type of cybercrime, and its related costs are expected to hit $265 billion each year by 2031.6

6. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/
Viruses and Worms

These are two different kinds of malware, both of which work by rapidly copying themselves across a network. Once a worm has achieved access to your network, it can spread without the original host file, and without human input. Its goal is to consume system resources, and it can be controlled remotely. However, a virus will need some form of interaction in order to execute, for example a user enabling macros on the malicious file. At this point, the virus will be activated and it can copy itself, corrupting files or impacting performance, and spreading to additional endpoints.

Trojans

A trojan is less a kind of malware, and more a method of entry. It’s an example of a blended malware attack, as discussed earlier. For example, a trojan could be a virus or a worm, but it is distinguished by its method — the way that it disguises itself as a legitimate software application. The user thinks they are downloading a necessary or known software tool or update, and this makes it more likely that they will trust its download and execution. The name “trojan” refers to the way the attack makes its way into your network. Trojans are often delivered via a phishing scam where users are directed to a fake version of a known website and encouraged to download software directly.
Spyware

Once spyware has established a foothold in your network, it can gather information about your behavior and then forward this to third parties. For example, keylogging software is spyware where bad actors track your keystrokes to obtain credentials or sensitive data. Spyware does not usually spread to other devices within the network; unlike a virus or a worm, it does not replicate. However, using the stolen credentials, attackers could access the network directly.

Malvertising

This form of malware spreads either by clicking on infected adverts or pop-ups on websites, or simply by visiting the compromised website, which will trigger the malware when the website page loads. This can download PUPs (Potentially Unwanted Programs) or other types of malware, such as viruses or worms. Malvertising can be very smart, using your browsing history to determine what kind of advert or fake software would be most likely to encourage you to click, or to visit the infected site in the first place.


Understanding the Cost of Malware for Today’s Businesses

As malware continues to rise in occurrence, sophistication, and variance, you might wonder: where are the costs coming from?

The most obvious are the direct costs, such as paying the ransom to get encrypted data back. However, some estimates project that these costs are small fry compared to the price of downtime, which can be 50 times more than the ransom itself.7

Add to this the cost of employee hours spent working on limiting the spread of an attack, or fees for managed service providers hired to get business up and running again, as well as the lost opportunity cost of taking on new clients during the time it takes to restore business as usual, and you can see how malware can take a serious toll.

On top of that, malware can cause devastating reputational damage to a business or brand, directly impacting share value, encouraging employees to look elsewhere, and causing a lasting impression in the minds of the customer.

7. https://www.datto.com/uk/blog/downtime-the-true-cost-of-a-ransomware-attack
The Challenges of Preventing Malware

What makes malware so hard to stop in its tracks? First, we must consider the average organization’s ability to detect an attack in the first place. Dwell time is an industry metric that measures the time between when a cyberattack occurs and when it is identified. Far from getting shorter as technology becomes more sophisticated, Sophos identified a 36% increase in the median dwell time between 2020 and 2021, from 11 days to 15.8

According to Forbes, dwell time hasn’t dropped for a variety of reasons. “The environment needs to be set up to favor early detections, the solution needs to be installed and configured correctly, and the security operations team needs to have the correct training and supporting processes to make the most of their tools… Small organizations often lack the resources to hire a dedicated information security resource, let alone a fully equipped team and the security stack they need to adequately protect the environment.”9

This has been exacerbated by the rise in remote work, preventing businesses from being able to adequately track employee exposure to malicious content. According to IBM, the average cost of malware is more than $1M higher when remote work is a factor in the breach.10 When employees are working from home, visibility becomes more difficult, employees tend to act with less caution, and as endpoints and users are distributed, recovery is far slower.

8. https://news.sophos.com/en-us/2022/06/07/active-adversary-playbook-2022/
9. https://www.forbes.com/sites/forbestechcouncil/2021/05/03/why-the-dwell-time-of-cyberattacks-has-not-changed/?sh=a7928bd457d8
10. https://www.ibm.com/security/data-breach
Would You Recognize a Malware Attack?

Indicators of compromise

• Anomalous network traffic (outbound)
• Increase in database volume
• Poor network performance
• Configuration changes on files or devices
• High number of authentication failures
• Unusual activity from privileged accounts
• Users connecting from an unexpected region
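Several of the indicators above can be checked mechanically once authentication and egress telemetry is being collected. The following is an added example, not code from the eBook or from Perimeter 81: a small Python detector that runs over constructed sample events (the EVENTS list, the per-user known regions, the privileged-account set, the business-hours window, the failure threshold and the egress baseline are all assumed values for illustration) and reports findings for four of the seven indicators: a burst of authentication failures, a login from a region never seen for that user, privileged-account activity outside business hours, and an hourly outbound-traffic spike well above baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample telemetry (not from any real environment).
# Each record: (timestamp, event, user, source region, bytes out)
EVENTS = [
    ("2023-03-01T09:02:11", "login_ok",      "alice",     "US", 0),
    ("2023-03-01T09:05:40", "login_fail",    "bob",       "US", 0),
    ("2023-03-01T09:05:52", "login_fail",    "bob",       "US", 0),
    ("2023-03-01T09:06:03", "login_fail",    "bob",       "US", 0),
    ("2023-03-01T09:06:15", "login_fail",    "bob",       "US", 0),
    ("2023-03-01T09:06:27", "login_fail",    "bob",       "US", 0),
    ("2023-03-01T09:06:40", "login_fail",    "bob",       "US", 0),
    ("2023-03-01T10:15:00", "login_ok",      "alice",     "BR", 0),
    ("2023-03-01T10:20:00", "egress",        "alice",     "BR", 50_000_000),
    ("2023-03-01T10:40:00", "egress",        "alice",     "BR", 70_000_000),
    ("2023-03-01T11:00:00", "egress",        "carol",     "US", 2_000_000),
    ("2023-03-02T02:30:00", "login_ok",      "svc-admin", "US", 0),
    ("2023-03-02T02:31:00", "config_change", "svc-admin", "US", 0),
]

# Baselines an administrator would maintain; all values are assumptions.
KNOWN_REGIONS = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "svc-admin": {"US"}}
PRIVILEGED = {"svc-admin"}
BUSINESS_HOURS = range(8, 19)          # 08:00 to 18:59 local time
FAIL_THRESHOLD = 5                     # login failures per user per day
BASELINE_EGRESS_PER_HOUR = 5_000_000   # typical outbound bytes per hour
EGRESS_SPIKE_FACTOR = 10               # flag hours above 10x baseline


def _ts(s):
    return datetime.fromisoformat(s)


def auth_failure_bursts(events, threshold=FAIL_THRESHOLD):
    """IoC: high number of authentication failures for one user in one day."""
    counts = Counter((user, _ts(ts).date())
                     for ts, ev, user, _, _ in events if ev == "login_fail")
    return {user: n for (user, _), n in counts.items() if n >= threshold}


def unexpected_regions(events, known=KNOWN_REGIONS):
    """IoC: successful login from a region never seen before for that user."""
    return sorted({(user, region) for _, ev, user, region, _ in events
                   if ev == "login_ok" and region not in known.get(user, set())})


def privileged_off_hours(events, privileged=PRIVILEGED, hours=BUSINESS_HOURS):
    """IoC: privileged-account activity outside business hours."""
    return sorted({(user, ev) for ts, ev, user, _, _ in events
                   if user in privileged and _ts(ts).hour not in hours})


def outbound_spikes(events, baseline=BASELINE_EGRESS_PER_HOUR, factor=EGRESS_SPIKE_FACTOR):
    """IoC: anomalous increase in outbound traffic, bucketed per clock hour."""
    per_hour = defaultdict(int)
    for ts, ev, _, _, nbytes in events:
        if ev == "egress":
            per_hour[_ts(ts).strftime("%Y-%m-%dT%H")] += nbytes
    return {hour: total for hour, total in per_hour.items() if total > baseline * factor}


def evaluate(events):
    """Run every detector and return one human-readable finding per hit."""
    findings = []
    for user, n in auth_failure_bursts(events).items():
        findings.append(f"auth-failures: {user} failed {n} logins in one day")
    for user, region in unexpected_regions(events):
        findings.append(f"unexpected-region: {user} logged in from {region}")
    for user, ev in privileged_off_hours(events):
        findings.append(f"privileged-off-hours: {user} performed {ev} outside business hours")
    for hour, total in outbound_spikes(events).items():
        findings.append(f"outbound-spike: {total} bytes out during {hour}")
    return findings


if __name__ == "__main__":
    for line in evaluate(EVENTS):
        print(line)
```

Each detector is deliberately a simple threshold or set-membership test against a stated baseline, which is what makes its output explainable to the IT team receiving the alert; in a real deployment the baselines would be learned from history rather than hard-coded, and the findings would be exported alongside the raw events so an incident response team can reconstruct the timeline.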
Your 5-Stage Malware Attack Playbook

How can today’s businesses get ahead of the malware challenge? NIST describes 5 clear functions which make up its Cybersecurity Framework.11 These are: Identify, Protect, Detect, Respond, and Recover.

11. https://www.nist.gov/cyberframework/online-learning/five-functions
Step 1: Identify

Identification of the cybersecurity challenges that your business is facing should be taken from two directions. First, from a wide angle view. Simply — what threats are prevalent today? The malware listed above is a good starting point for the risks businesses need to be aware of. The majority of these threats occur through human error such as falling for phishing scams or browsing to an infected website.

Once you know what risks you’re up against — what do you want to protect inside your environment? It’s important to map your assets clearly and get visibility over your IT infrastructure including applications, data, users, and capabilities.

Ask yourself:
• What users need which levels of access?
• Where do we store our most sensitive data?
• What devices are most at risk of malware infection?

Perimeter 81's solution manages and monitors all network edges, including all users and resources, from a unified console, allowing you to keep track of all relevant assets in a single place.


Step 2: Protect

With the answers to these essential questions, now is the time for preventative action. How will you shore up your environment to ensure that the threats you’ve identified in step one are blocked ahead of time?

Protection is best achieved by a multilayer security approach:
1. Deploy a Web Filtering tool to inspect all web traffic and alert or block access to known and potentially risky sites.
2. Use a Malware Protection solution to block malicious threats before they infect company endpoints.
3. Implement a Zero Trust strategy for controlling access to all enterprise resources, which will help avoid lateral movement and data breaches, should a corporate asset or user become compromised.

Perimeter 81’s converged security platform, which includes Zero Trust Network Access (ZTNA), Firewall-as-a-Service, Web Filtering, and Malware Protection, supports all of these capabilities within a single solution. Malware Protection adds an extra layer of defense, enabling IT teams to defend their employees and corporate networks against ransomware, rootkits, zero-day exploits, and more.

Zero trust? With this model, only those users who need to access sensitive data have that access. This makes it a lot harder for attackers to reach ‘crown jewel’ applications and information even if they manage to establish access or harvest credentials.
Step 3: Detect

With the right solution in place, all web traffic will be scanned for signs of malicious activity. Our Malware Protection solution decrypts and checks all web traffic before allowing the user access. This includes files downloaded by the user, as well as HTML, JavaScript, CSS, and more. If the traffic doesn’t pass as safe, for example if malware is found, the browser won’t be granted access to the requested website, and any files will not be downloaded.

Detecting malware also generates an alert informing the IT team of a potential risk. But detection alone isn’t enough; it also has to be discoverable and requires timely detection.

With Perimeter 81, the alert appears in the security events viewer, which is part of our single-pane-of-glass management. This makes it easier for system administrators to see alerts and take proactive steps against potential threats as soon as possible.

Top tip: Look for a tool which enables logs to be exported so that incident response teams can use the information for further analysis, and information can be kept for compliance trails or audits where necessary.

Employees, meanwhile, can work as usual, experiencing no impact on performance, while all web traffic is scanned and channeled accurately to ensure best-in-class security. If web traffic is unsafe, they simply get a message on-screen which tells them the website or file contained malware and has been blocked.
Step 4: Respond

So far we’ve seen how Malware Protection does the hard work on your behalf by checking all traffic for signs of malicious intent, while smart web filtering rules help avoid potentially dangerous websites. But now it’s time to talk about how to respond in the event of malware detection.

There are numerous steps that could be required to respond to a potential threat and many of them will depend on specific circumstances. Malware designed to extract information may require all users to replace their passwords, for example. If the threat was a cryptoworm (ransomware that spreads through the network as a worm, such as WannaCry) then any devices accessing offline backups would have to be thoroughly checked.

While the list of potential measures is large, there are a few basic tactics that should be part of most responses. The first step is to limit the damage by isolating infected endpoints from the network to avoid further infection. It’s also important to quarantine any infected files.

Next, take a wider, network-level approach by ensuring that all devices have the most current versions of their respective security applications.

Perimeter 81’s single-pane-of-glass management platform can ensure that all endpoint security tools are running their latest versions through the Device Posture Check (DPC) feature.
Step 5: Recover

While studies show that recovery from a malware attack can take months or even years, when you’ve followed steps one through four recovery will be shorter and less painful. With Web Filtering and Malware Protection in place you’re reducing the potential damage a malware infection can generate.

If the worst occurs and a hacker does make it through your defenses, or you’re hit by a more complex attack method such as fileless malware, your environment is segmented, limiting the propagation of the malware.

With Perimeter 81, critical assets are ring-fenced away from access, and wider resources are protected by network segmentation and user-based rules. The damage will be limited to a single segment, which in many cases could be one endpoint or device.

But what do you do with the endpoints or servers that are damaged? First, if applicable, it’s important to restore backups via offline disks or cloud-based backups that were unaffected by the attack. Then it’s important to ensure that your network is sound with no further signs of infection.

It’s also important to create an incident response (IR) review that examines how the malware infection happened in the first place, and how it can be prevented from happening again. Perhaps a new security tool is required, or even an additional one, or maybe it’s simply a question of further employee education or tightening up authentication policies.

Finally, it’s on to dealing with the public, be it the wider public or your customer base, and taking steps to limit damage to the brand itself.


With Perimeter 81, a Business Can:

Identify: Recognize where the risk lies in any environment
Protect: Segment the network according to zero trust
Detect: Block any attempted attacks in real-time
Respond: View continuous activity tracking and web logs
Recover: Contain damage ahead of time, ensuring quick TTR

At each stage of the cybersecurity framework, Perimeter 81 shows up for your business.

Malware Protection supports the cybersecurity framework by scanning all user browsing, and blocking suspicious traffic in real-time. Complemented by our Web Filtering, Malware Protection enables you to achieve a powerful defense against malicious content to secure corporate users and the network.

Web Filtering is a flexible solution to help control access to website categories and apply it to defined users and user groups. You can decide which websites should be blocked, warned against, or allowed. By blocking access and exposure to suspicious websites, you can ensure end users don’t expose the business to threats such as phishing scams and malvertising attacks.

At the same time, creating tight zero-trust policies allows admins to better protect their data and critical assets. Then even if the worst occurs, attacks would never make it past their initial foothold, and lateral movement would be greatly limited.

Finally, malware activity logs give you full visibility into how attackers are threatening your network, and how end-users are utilizing the web. This allows you to understand the greatest risks for your business, isolate high-risk employee groups, and work on shoring up security and compliance overall.

Ready to learn more, and see how Perimeter 81 can help you protect your network?
Get in touch to schedule a demo.
About Perimeter 81

Perimeter 81 is a robust, yet easy-to-use, converged networking and network security platform which connects all users, in the office or remote, to all resources, located on-prem or in clouds. It is a cloud-native service that includes advanced capabilities such as Zero Trust remote access, Internet access control, malware protection and firewall as a service. It enables any business to build a secure corporate network over a private global backbone, without hardware and within minutes. The entire service is managed from a unified console and is backed by an award-winning global support team that has you covered 24/7.

Contact Us
Perimeter 81 Ltd.
sales@perimeter81.com
perimeter81.com