Preventing Malware at Nearly Every Endpoint

In most situations, we hear about the cybersecurity failures, though it is equally important to hear about successes, particularly when being human and following intuition is what stops a major attack.

A few years ago, I was involved in helping architect a major operating system and software upgrade for a large global financial institution. This involved a Windows 8 upgrade, as well as upgrades to major versions of the software the institution used on more than 300k endpoints spread across multiple global regions.

As you may be aware, the complexity of this operation was huge, and considerable testing and piloting had taken place over a one-year period to flush out configuration issues and upgrade challenges with legacy software, and to minimize employee downtime and disruption. The project was a major investment for the financial institution and involved a huge team of application owners, the security team, infrastructure architects, project managers and many more, all working to ensure the upgrades were successful.

Once the final stages of the operating system upgrade were completed, only one step remained: rolling out the new application software to all employee systems. But something was wrong. Usually, at this stage, you find some disruption, or a higher number of attacks or incidents, but it was all too good. Everything was going according to the clearly defined project schedule that the entire team was working from.

It was unusually quiet, and everything was going too well. The security team felt something was not right, so they decided to do a last-minute check on the master software catalog used to distribute the software update to employees’ systems globally. To the shock of the team, they found a piece of malware lurking inside the master software library they were about to deploy.

Yes, cybercriminals were using the software upgrade as a way to deploy malware across the organization. They had access to the project schedule the team had been using and knew exactly when to hide and when not to, which meant they could see when the security team was scanning for malicious software and checking security configurations. They knew when to stay silent and hide beneath the security team’s searches.

What saved the day was human intervention and the security team’s intuition. Everything was automated, but they decided to do something completely unpredictable that was not scheduled, planned or known to the attackers. Being unpredictable and human is what helped the security team discover unauthorized access to the network and malicious software staged for deployment by the organization’s own software deployment team.

Being unpredictable is what prevented a major disaster and stopped cybercriminals from abusing an automated software deployment.
