Malware is software used by attackers to perform certain actions in a victim's environment. These actions support the broader operation: for example, malware can collect and exfiltrate valuable data, or scan the network before the attacker moves laterally. While malware is an essential component of many malicious operations, it is only one part of a much larger set of activities in a hacking campaign. Removing a piece of malware is therefore often not sufficient to terminate the operation behind it.
In some cases, dealing with malware distracts security teams from the real attack taking place in their network, because attackers sometimes deploy decoy malware to draw attention away from a persistent intrusion. In other cases, attackers use no malware at all and rely on other mechanisms, such as legitimate credentials and built-in administrative tools.
A MalOp, or malicious operation, is the complete set of events that make up a hacking operation: the attack's root cause, the timeline of its spread, the malware and other adversarial activities involved, the malicious communication, and the affected endpoints and users.
The traditional security approach, used by most IDS/IPS, SIEM, firewall, anti-virus, sandbox and other solutions, consists of identifying a specific malicious event, such as the presence of malware, a suspicious communication, or an unauthorized escalation of user privileges.
However, detecting and remediating isolated events does not terminate a persistent attack, as Lior Div recently discussed in his Forbes article.
A better approach is to look for the adversary's entire operation, that is, to detect the MalOp. Using big data analytics and machine learning that automatically monitor all activity in an organization and assemble a profile of abnormal or malicious-looking behavior, security teams can connect the separate adversarial activities to each other and reveal the whole campaign.
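As an added illustration of that correlation idea (example code written for this page, not Cybereason's product or its detection logic): the events below are constructed EDR/SIEM-style telemetry for three endpoints, and the linking rules (shared host, the source host of a remote logon, a shared network destination, host-scoped process identity, and a 60-minute window) are assumptions chosen for the example. Three alerts that a point solution would raise separately are joined into one operation, and unrelated activity is left out.

```python
"""Correlate isolated endpoint and network events into one malicious operation (MalOp).

Added example for this page, not Cybereason's code. Telemetry is constructed inline.
Two events are joined when they share an entity (host, remote-logon source host,
destination, host-scoped process) and occur within a time window of each other;
joins chain, so a long campaign stays one group. Groups with at least one alert
are reported with the MalOp elements: root cause, timeline, tools, comms, scope.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry. 'alert' marks events a point solution would flag on its own.
EVENTS = [
    {"ts": "2015-06-01T07:30:00", "host": "ws-12", "user": "jdoe", "type": "process",
     "proc": "explorer.exe", "child": "chrome.exe", "alert": False},          # benign, earlier
    {"ts": "2015-06-01T09:00:00", "host": "ws-12", "user": "jdoe", "type": "process",
     "proc": "outlook.exe", "child": "invoice.pdf.exe", "alert": True},       # dropped executable
    {"ts": "2015-06-01T09:00:05", "host": "ws-12", "user": "jdoe", "type": "network",
     "proc": "invoice.pdf.exe", "dst": "203.0.113.10:443", "alert": False},   # beacon, not flagged
    {"ts": "2015-06-01T09:10:00", "host": "ws-40", "user": "asmith", "type": "network",
     "proc": "updater.exe", "dst": "198.51.100.5:443", "alert": False},       # unrelated noise
    {"ts": "2015-06-01T09:20:00", "host": "ws-12", "user": "jdoe", "type": "process",
     "proc": "invoice.pdf.exe", "child": "creddump.exe", "alert": True},      # credential theft
    {"ts": "2015-06-01T09:25:00", "host": "srv-db", "user": "svc-admin", "type": "logon",
     "src_host": "ws-12", "alert": False},                                    # lateral movement
    {"ts": "2015-06-01T09:26:00", "host": "srv-db", "user": "svc-admin", "type": "privilege",
     "proc": "psexesvc.exe", "alert": True},                                  # privilege escalation
    {"ts": "2015-06-01T09:30:00", "host": "srv-db", "user": "svc-admin", "type": "network",
     "proc": "rundll32.exe", "dst": "203.0.113.10:443", "alert": False},      # same C2 destination
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def entities(e):
    """Entities an event touches; a shared entity is what joins two events."""
    ents = {f"host:{e['host']}"}
    if e["type"] == "logon":
        ents.add(f"host:{e['src_host']}")            # remote logon joins source and target host
    if "dst" in e:
        ents.add(f"dst:{e['dst']}")                   # shared destination joins otherwise unlinked hosts
    for key in ("proc", "child"):
        if key in e:
            ents.add(f"proc:{e['host']}/{e[key]}")    # process identity is host-scoped (assumption)
    return ents


class UnionFind:
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def correlate(events, window_minutes=60):
    """Group events that share an entity within `window_minutes` of each other (chained)."""
    window = timedelta(minutes=window_minutes)
    order = sorted(range(len(events)), key=lambda i: parse_ts(events[i]["ts"]))
    uf = UnionFind(len(events))
    last_seen = {}  # entity -> index of the most recent event that touched it
    for i in order:
        t = parse_ts(events[i]["ts"])
        for ent in entities(events[i]):
            j = last_seen.get(ent)
            if j is not None and t - parse_ts(events[j]["ts"]) <= window:
                uf.union(i, j)
            last_seen[ent] = i
    groups = defaultdict(list)
    for i in order:                      # time order, so each group is already a timeline
        groups[uf.find(i)].append(events[i])
    return list(groups.values())


def summarize(group):
    """Describe one group with the MalOp elements named in the text."""
    return {
        "root_cause": group[0],          # earliest event in the chain
        "timeline": [(e["ts"], e["host"], e["type"]) for e in group],
        "tools": sorted({e.get("child", e.get("proc")) for e in group if e["alert"]}),
        "communication": sorted({e["dst"] for e in group if "dst" in e}),
        "hosts": sorted({e["host"] for e in group}),
        "users": sorted({e["user"] for e in group}),
        "alerts": sum(e["alert"] for e in group),
    }


def malops(events, window_minutes=60):
    """Only groups containing at least one alert are candidate MalOps."""
    return [summarize(g) for g in correlate(events, window_minutes) if any(e["alert"] for e in g)]


if __name__ == "__main__":
    for op in malops(EVENTS):
        print("root cause:", op["root_cause"]["ts"], op["root_cause"]["host"],
              op["root_cause"].get("proc"), "->", op["root_cause"].get("child"))
        print("hosts:", op["hosts"], "users:", op["users"], "alerts:", op["alerts"])
        print("tools:", op["tools"], "communication:", op["communication"])
        for step in op["timeline"]:
            print("  ", *step)
```

Run on the constructed data, the three alerts (a dropped executable on ws-12, a credential-dumping child process, and a privilege escalation on srv-db) land in a single operation, joined by the remote logon from ws-12 and the connection both hosts make to 203.0.113.10:443; the earlier browser activity on ws-12 and the update check on ws-40 stay in their own alert-free groups and are not reported. Joining every event on a host is deliberately coarse, which is why the window matters; a production system would also use process lineage, logon session identifiers and behavioral scoring to decide which links to trust.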