A recent report released by FireEye Reports suggests that technology companies receive highest volume of malware attacks, up to once every three minutes. FireEye’s ‘2H 2012 Advanced Threat Report’ is based on the data gathered from FireEye customers on 89 million malware events and declares spear phishing the most common method of attack. Here are the key findings of the report:

1. On average, malware events occur at a single organization once every three minutes;
2. Technology is the most targeted vertical;
3. Some industries are attacked cyclically, while some verticals experience erratic attacks;
4. High volatility verticals—banking, business services, and legal;
5. Medium volatility verticals—energy, entertainment/media, government, healthcare, logistics, and manufacturing;
6. Low volatility verticals—technology and telecommunication;
7. Attackers use common business terms in the file names as spear phishing bait;
8. ZIP files remain the preferred file for malware delivery by email;
9. Malware writers have focused significant effort on evasion;
10. Attackers are increasingly using DLL to improve file persistence.

The second half of 2012 experienced maximum malware events, with highest frequency of attacks every three minutes. This included right from a user receiving a malicious email to an employee clicking on a link to an infected website to a compromised machine making a call back to a C&C server. And the worst part is that technology industry, which is believed to be most sophisticated and alert, was hit the hardest.

“What this says about the attackers is they know which companies have the greatest tangible intellectual property right now. Technology companies have the type of IP [intellectual property] that can be taken easily and leveraged quickly in comparison to some other verticals,” Ali Mesdaq, senior security researcher at FireEye told.

Talking again of spear phishing, cybercriminals opt for file names with common business terms to lure unsuspecting users into opening the malware and initiating the attack. Terms related to shipping are among the most common, with “UPS”, “fedex”, “myups”, and “tracking”. Some of the most commonly used terms include details.zip, UPS_document.zip, Scan.zip, Report.zip, etc. You can notice here that ZIP files remain the preferred file for malware delivery by email.

“Attackers know that not many people are going to be clicking .exe extensions as often as a .zip,” Mesdaq said. “Filtering policies now have to be created much more carefully because attackers know that a block on all .zip files is not very likely.”

Given the fact that total IT security spend grew almost tripled in the last ten years, and organizations spending more without making any major changes to their security strategies, this has helped malware writers innovate and create systems designed to better evade detection. A recent example of this is Trojan.APT.BaneChant, which is designed to execute only after it has detected three mouse clicks, which is interpreted as an indicator of human interaction.

“Vendors and analysts need to constantly be following the evasion techniques malware authors are using,” Mesdaq said. “The legacy techniques range from looking for various process names, hardware information, and registry settings. The newer techniques are more related to user interaction or deeper checks on the system looking for specific applications installed.”

As malware and strategies for intrusion evolve, IT departments are hard pressed to defend against them. Learning the Lesson of the Kobayashi Maru means changing the structure of the culture of users so that it’s less likely they can let in malware or intruders -but it also means that how IT departments approach security needs to change and attend to security management rather than just the Red Queen race of security-vs-countersecurity.