Cyber security challenges have increased manifold and there has been a paradigm shift in the threat landscape. In spite of substantial spending on legacy security products, advanced attackers bypass these defenses with ease, making the life of the security professional miserable.
There is no single technical answer. Attackers will always exist, innovate, and find a way to an organization’s data no matter how well the defenses are built. Breaches are inevitable. The security outlook needs to shift from “keep them out” to “detect and respond early, before damage is done”.
New Threat Landscape
Attacks have changed in form, function, and sophistication. The main difference is that the new threats (advanced attacks, APTs, etc.) are actively driven by humans, as opposed to previous-generation attacks, which were malware-based (viruses, Trojans, worms, etc.) and spread on their own once released.
These advanced attacks use both commodity malware designed to infect many systems and sophisticated zero-day malware aimed at specific targets. They use multiple attack vectors: Web, email, and application-based attacks. Today’s attacks are aimed at valuable data assets (sensitive financial information, intellectual property, authentication credentials, insider information), and each attack is often a multi-staged effort to invade the network, spread, and ultimately steal that data.
Limitations of Traditional Single-Vector Defenses
Most security organizations are looking for malware-based attacks rather than for the human attackers who use malware as one component of an advanced attack. Hence the new generation of threats is able to bypass traditional security defenses.
- Firewalls: Firewalls allow generic HTTP Web traffic through. Next-generation firewalls add layers of policy rules based on users and applications and consolidate traditional protections such as IPS and AV, but they do not add dynamic protection that can detect threat content or behavior.
- IPS: Works on signatures, packet inspection, and DNS analysis. It will not flag anything unusual in a zero-day exploit, especially if the code is heavily disguised or delivered in stages.
- Anti-virus and Web malware filtering: Since the malware and the vulnerability it exploits are unknown (zero-day), and the hosting website has a clean reputation, traditional AV and Web filters let it pass. The volume of vulnerabilities in browser plug-ins such as Adobe’s, multiplied by the many combinations of browsers and operating systems, makes it hard for AV vendors to keep up.
- Email spam filtering: Spoofed phishing sites use dynamic domains and URLs, so blacklisting lags behind the criminals. It takes more than 26 hours to shut down the average phishing site.
Malicious code can also be carried in on laptops and USB devices, or via cloud-based file sharing, to infect a machine and spread laterally once it connects to the network. It is common for mobile systems to miss AV signature (DAT file) updates and patches, so they are vulnerable to both known and unknown exploits. In general, even up-to-date machines can be infected using zero-day exploits and social engineering techniques, especially when the system is off the corporate network.
Once in place, malware may replicate itself—with subtle changes to make each instance look unique—and disguise itself to avoid scans. Some will turn off AV scanners, reinstall after a cleaning, or lie dormant for days or weeks.
Eventually, the code passes on login credentials, financial data, and other valuables. Many compromised hosts provide a privileged base from which the criminal can explore further or expand their botnet with new targets.
Most companies don’t analyse outbound traffic for these malicious transmissions. Those that do monitor outbound traffic use tools that look only for “known” bad-actor addresses and regulated data.
- Web filtering: Most outbound filtering blocks adult content or time-wasting entertainment sites. Many enterprises restrict social networking sites.
“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.” – Gartner, Inc., 2012
The Five Stages of Multi-Vector Attacks
The new generation of attacks is complex and uses multiple attack vectors to maximize the chances of breaking through defenses. Multi-vector attacks are typically delivered via the Web or email. They leverage application or operating system vulnerabilities, exploiting the inability of conventional network-protection mechanisms to provide a foolproof defense.
In addition to using multiple vectors, advanced targeted attacks also utilize multiple stages to penetrate a network and then steal valuable information. This makes it far more likely for threats to go undetected. The five stages of the attack life cycle are as follows:
1. System exploitation: The attack sets up its first stage by exploiting the system during casual browsing. It is often a blended attack delivered across the Web or email, with the email containing malicious URLs.
2. Malware executable payloads are downloaded and long-term control established: A single exploit translates into dozens of infections on the same system. With exploitation successful, more malware executables (key loggers, Trojan backdoors, password crackers, and file grabbers) are downloaded. The criminals have now built long-term control mechanisms into the system.
3. Malware calls back: As soon as the malware installs, the attackers have a control point inside the organization’s defenses. Once in place, the malware calls back to criminal servers for further instructions. It can also replicate and disguise itself to avoid scans, turn off anti-virus scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. Because the callbacks originate from within the trusted network, the firewall allows them out, and the malware’s communications pass through every layer of the network.
4. Data exfiltration: Data acquired from infected servers is transmitted as encrypted files over a commonly allowed protocol, such as FTP or HTTP, to an external compromised server controlled by the criminal.
5. Malware spreads laterally: The attacker now works to move beyond the single system and establish long-term control within the network. The advanced malware looks for mapped drives on infected laptops and desktops and can then spread laterally and deeper into network file shares. It maps out the network infrastructure, determines key assets, and establishes a network foothold on target servers.
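Stages 3 and 4 above (callbacks and exfiltration), and the earlier observation that most companies never analyse outbound traffic, both come down to the same data source: the outbound proxy log. The following is an added example, not code from the original article or from any vendor product. It runs two outbound checks over constructed proxy-log lines: a beaconing check that looks for near-periodic requests from one client to one external host (using the median and median absolute deviation of the gaps, so a single irregular request does not hide the beat), and a bulk-upload check that sums POST/PUT bytes per client and external host. The log format, the `.corp.local` internal-domain suffix, the 10 MiB threshold and the jitter limit are all assumptions for the example.

```python
"""Outbound-traffic checks over proxy logs: periodic callbacks (beaconing)
and bulk uploads to external hosts. Log format, hostnames and thresholds
are constructed for this example; adapt parse_line() to a real proxy."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed sample log. Fields:
# "<UTC timestamp> <client> <method> <url> <status> <bytes_out> <bytes_in>"
# 10.0.0.5 polls cdn-sync.example.net every ~60 s, then pushes 18 MiB out.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 10.0.0.5 GET http://intranet.corp.local/news 200 420 18233
2024-03-01T09:00:07Z 10.0.0.5 GET http://cdn-sync.example.net/ping 200 310 64
2024-03-01T09:01:07Z 10.0.0.5 GET http://cdn-sync.example.net/ping 200 311 64
2024-03-01T09:02:08Z 10.0.0.5 GET http://cdn-sync.example.net/ping 200 310 64
2024-03-01T09:03:07Z 10.0.0.5 GET http://cdn-sync.example.net/ping 200 310 64
2024-03-01T09:04:08Z 10.0.0.5 GET http://cdn-sync.example.net/ping 200 312 64
2024-03-01T09:05:07Z 10.0.0.5 GET http://cdn-sync.example.net/ping 200 310 64
2024-03-01T09:01:30Z 10.0.0.7 GET http://www.example.org/ 200 390 52311
2024-03-01T09:03:45Z 10.0.0.7 GET http://www.example.org/about 200 401 9877
2024-03-01T09:15:02Z 10.0.0.7 GET http://www.example.org/jobs 200 398 12010
2024-03-01T09:20:00Z 10.0.0.5 POST http://cdn-sync.example.net/upload 200 18874368 120
2024-03-01T09:22:00Z 10.0.0.9 POST http://mail.corp.local/send 200 52000 300
"""

INTERNAL_SUFFIXES = (".corp.local",)  # assumption: what counts as "inside"


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, status, out_b, in_b = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": urlsplit(url).hostname,
        "status": int(status),
        "bytes_out": int(out_b),
        "bytes_in": int(in_b),
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_internal(host):
    return host.endswith(INTERNAL_SUFFIXES)


def find_beacons(records, min_requests=5, max_jitter=0.2):
    """Return {(client, host): median_gap_seconds} for external hosts that a
    client contacts at near-regular intervals. Median/MAD are used instead of
    mean/stddev so one or two odd requests (e.g. the upload) cannot mask it."""
    by_pair = defaultdict(list)
    for r in records:
        if not is_internal(r["host"]):
            by_pair[(r["client"], r["host"])].append(r["time"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        mad = median([abs(g - med) for g in gaps])
        if mad / med <= max_jitter:
            beacons[pair] = med
    return beacons


def find_bulk_uploads(records, threshold=10 * 1024 * 1024):
    """Sum bytes sent via POST/PUT per (client, external host); flag totals
    at or above threshold. Encryption hides the content, not the volume."""
    totals = defaultdict(int)
    for r in records:
        if r["method"] in ("POST", "PUT") and not is_internal(r["host"]):
            totals[(r["client"], r["host"])] += r["bytes_out"]
    return {pair: n for pair, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for pair, period in find_beacons(recs).items():
        print(f"beacon: {pair} every ~{period:.0f}s")
    for pair, n in find_bulk_uploads(recs).items():
        print(f"bulk upload: {pair} {n} bytes")
```

Run as-is, the beacon check flags 10.0.0.5 talking to cdn-sync.example.net roughly every 60 seconds even though the 09:20 upload breaks the rhythm, and the upload check flags the same pair for 18 MiB sent out; the browsing from 10.0.0.7 and the internal mail POST are left alone. Real beacons add random sleep jitter and rotate hostnames, so in production the jitter limit and the grouping key (per destination ASN or per TLS SNI rather than per host) need tuning against your own baseline.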
How the New Generation of Threats Bypass Traditional Security
Cyber criminals combine Web, email, and file-based attack vectors in a staged attack, making it far more likely for their attacks to go undetected. Today’s firewalls, IPS, AV, and Web gateways have little chance to stop attackers using zero-day, one-time-use malware, and APT tactics.
These blended, multi-stage attacks succeed because traditional security technologies rely on fairly static signature-based or pattern matching technology. Many zero-day and targeted threats penetrate systems by hiding newly minted, polymorphic dropper malware on innocent Web pages and in downloadable files like JPEG pictures and PDF documents. Or they use personalized phishing emails sent to carefully selected victims with a plausible-looking message and malicious attachment targeting a zero-day vulnerability. Or they use social media sites embedding tweets that include a shortened URL masking the malicious destination. Each time a victim visits the URL or opens the attachment, a malware payload installs on the victim’s computer. This malware code often includes exploits for multiple unknown vulnerabilities in the OS, plug-ins, browsers, or applications to ensure it gains a foothold on the system.
Next Generation Threat Protection (NGTP)
Today’s Corporations, Financial Institutions, Educational Institutes, Government agencies are experiencing unprecedented cyber-attack activity — both in number and severity. In a never-ending game of cat and mouse, the cat currently has the upper hand. And unless your organization is prepared, you may be its next victim.
By now it should be evident how serious today’s next-generation threats are and why traditional security defenses are helpless to stop them. Now it is time to introduce a new category of network security defense, i.e. next-generation threat protection: what is really needed to combat today’s most sophisticated cyber attacks.
Signature-less defenses
Organizations today need to explore a new threat protection model in which their defense-in-depth architecture incorporates a signature-less layer that specifically addresses today’s new breed of cyber attacks.
Although traditional security defenses are critical for blocking known cyber attacks, experience has shown that it is the unknown cyber attacks that are the most dangerous, and they are on the rise. Since zero-day exploits, polymorphic malware, and APTs are by definition unknown to signature databases and are becoming the norm for successful breaches, a signature-less layer is needed to stop them.
Protection — not just detection
In earlier days there were intrusion detection systems (IDS) and, later, intrusion prevention systems (IPS). A signature-based IDS, by design, can only detect known threats (or unknown threats targeting known vulnerabilities). As time progressed, organizations demanded that their IDS not only detect but also block cyber attacks, and so the IPS was born. In that vein, the world needs an advanced threat protection platform that not only detects a threat but blocks it too, across all potential entry vectors.
Multi-stage protection architecture
In a perfect world, IT would maintain full control of every computing device on the network and would then only need to worry about cyber attacks originating outside the network and attempting to penetrate the perimeter. Of course, with mobile computing on the rise and IT being compelled to implement bring-your-own-device (BYOD) policies, cyber attacks are sometimes hand-carried right through the office front door. What is needed is an advanced threat protection solution that monitors cyber attacks not only from the outside in but from the inside out as well, across all stages, as they attempt to communicate out or spread laterally through the network. If you can’t stop threats from entering through the Web, email, or the office front door, then at least stop them from communicating out and spreading further.
Highly accurate detection engine
As with traditional signature-based defenses, detection accuracy is king. Defending against next-generation threats requires an advanced threat protection solution that is highly accurate, with false positives (good files classified as bad) and false negatives (bad files classified as good) both kept as close to zero as possible.
False positives and false negatives are products of security platforms with poor detection capabilities. False positives are mainly a nuisance, since they consume valuable security analyst time chasing false alarm after false alarm, and left unchecked they teach analysts to ignore the platform. False negatives, on the other hand, are dangerous: advanced malware passes right through the network security device completely undetected.
Backed by global threat intelligence
Every cyber attack has a “ground zero”: a single host that is the first target on Earth to experience that particular attack. What is really needed is a mechanism that lets advanced threat protection systems share intelligence, not only within a single organization but among different organizations globally, so that the second target benefits from what was learned at the first.
We may not live in a perfect world. But there is an ideal solution for combating today’s most sophisticated attacks.
Defining Next-Generation Threat Protection
Next-generation threat protection (NGTP) is a new breed of network security technology specifically designed to identify and defend against today’s new breed of cyber attacks. Intended to augment — not replace — traditional security systems, NGTP represents a new layer in the defense-in-depth architecture to form a threat-protection fabric that defends against those cyber attacks that go unnoticed by common signature-based defenses.
NGTP platforms customarily ship on high-performance, purpose-built rackmount appliances. Preferred NGTP vendors offer an integrated platform that inspects email traffic, Web traffic, and files at rest, and shares threat intelligence across those attack vectors.
NGTP platforms are unlike any network security offering on the market. NGTP appliances inspect traffic and/or files looking for thousands of suspicious characteristics, including obfuscation techniques like XOR encoding and other disguising behavior. Suspicious sessions are replayed in a safe virtual execution environment (think virtual machines, but using a custom-built virtualization engine designed specifically for security analysis) to determine whether the suspicious traffic actually contains malware.
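To make concrete why the static checks in the “Limitations” section miss polymorphic droppers, and why the XOR encoding mentioned above is worth looking for, here is an added example. It is constructed for this page and is not code from the original article or from any NGTP vendor: a fake PE-like stub (only the `MZ` magic and the DOS-stub string are realistic; the rest is filler) is XOR-encoded with a single byte and appended to a JPEG-like carrier. A literal-string signature misses the carrier, each key yields a different file hash so per-sample hash signatures never keep up, and a brute-force single-byte XOR decoder recovers the hidden executable anyway. The marker strings, the carrier layout and the key are all assumptions for the example.

```python
"""Signature-vs-obfuscation demo: a byte-pattern signature misses an
XOR-encoded dropper, while brute-forcing the single-byte key finds it.
All data here is constructed; FAKE_PAYLOAD is not a real executable."""
import hashlib

MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"  # present in real PE files

# Constructed stand-in for a dropper body: MZ header, DOS stub text at
# offset 64, a PE signature, then filler bytes.
FAKE_PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    + DOS_STUB + b".\r\n$" + b"\x00" * 16
    + b"PE\x00\x00" + bytes(range(64))
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the cheapest obfuscation a dropper can apply."""
    return bytes(b ^ key for b in data)


def wrap_in_carrier(payload: bytes, key: int) -> bytes:
    """Hide an XOR-encoded payload behind a JPEG-looking header (assumed
    carrier layout). Changing the key changes every byte of the encoded
    region, so the file hash differs per sample: cheap polymorphism."""
    return b"\xff\xd8\xff\xe0" + b"JFIF\x00" + bytes(2048) + xor_bytes(payload, key)


def signature_match(blob: bytes) -> bool:
    """What a literal-pattern AV signature sees: is the DOS stub text there?"""
    return DOS_STUB in blob


def file_hashes(payload: bytes, keys) -> set:
    """SHA-256 of the carrier for each key; one hash signature per key."""
    return {hashlib.sha256(wrap_in_carrier(payload, k)).hexdigest() for k in keys}


def find_xor_encoded(blob: bytes):
    """Try all 256 single-byte keys (key 0 covers the unobfuscated case) and
    return (key, offset_of_MZ) for every decoding that exposes a PE-like
    header. Requiring the 38-byte stub *and* a nearby MZ keeps chance hits
    from two-byte matches out of the result."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        pos = decoded.find(DOS_STUB)
        if pos == -1:
            continue
        # In a PE the DOS stub follows the MZ header within a few hundred bytes.
        mz = decoded.rfind(MZ_MAGIC, max(0, pos - 256), pos)
        if mz != -1:
            hits.append((key, mz))
    return hits


if __name__ == "__main__":
    sample = wrap_in_carrier(FAKE_PAYLOAD, 0xA7)
    print("plain payload matches signature:", signature_match(FAKE_PAYLOAD))
    print("encoded carrier matches signature:", signature_match(sample))
    print("distinct hashes for 3 keys:", len(file_hashes(FAKE_PAYLOAD, [1, 2, 3])))
    print("brute-force XOR hits (key, MZ offset):", find_xor_encoded(sample))
```

The decoder costs 256 passes over the file, which is why inline inspection engines apply it only to objects that already look suspicious (an image with a long tail of non-image bytes, for instance). Real droppers also use multi-byte rolling keys, null-preserving XOR, or RC4, so this single-byte sweep is the minimal form of the check rather than a complete one; its value is in showing that the literal signature fails the moment one key byte changes while a content-aware check does not.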