Are you prepared for the next threat cycle?
By Ivan Wen March 12, 2013
- Approximately every five years, attackers launch new types of threats and defenders protect against them
- A confluence of factors makes today’s threats more damaging than anything we have experienced in the past
The first PC viruses appeared more than 25 years ago. Little did we realize that this was just the beginning of what would become a series of threat waves.
For nearly 10 years, viruses endured as the primary method of attack. However, over time, they were largely matched by defenders’ talents in blocking and protecting against them. Motivated by the notoriety and knowledge gained by discovering and publicizing a new vulnerability, attackers continued to innovate.
What ensued were distinct threat cycles. Approximately every five years, attackers would launch new types of threats – from macro viruses to worms to spyware and rootkits – and defenders would protect against them.
It’s no surprise that we can map these cycles to major technology shifts that presented new attack vectors. Early viruses targeted primarily the operating system and were spread by ‘sneakernet’ (when data was transferred physically using media like floppy disks – ED).
Macro viruses took advantage of users sharing files. Worm-type threats that moved from machine to machine leveraged enterprise networks and the increasing use of the Internet. And spyware and rootkits emerged with new applications, devices and online communities.
This brings us to today, when we find ourselves combatting advanced malware, targeted attacks and advanced persistent threats (APTs). Is this just the latest threat wave, or is this more akin to a tsunami?
A confluence of factors makes these threats more damaging than anything we have experienced in the past. These factors include:
- An explosion of attack vectors: The rise of mobility, bring your own device (BYOD), virtualization and the cloud has spurred a breadth of new devices, infrastructure and networks, and a range of operating systems and applications, all of which give attackers new, efficient ways to deliver malware and conduct attacks.
- Market dynamics: An organized market for exploits is growing and becoming lucrative, and that open market is helping to fuel a shift from mere exploitation to disruption and destruction. As criminals have realized there is money to be made, the work has become more standardized, mechanized and process-driven.
- Stealthier attacks: There are now strong financial incentives for secrecy, and many groups are motivated to launch attacks for economic or political gain, with little chance of retribution or prosecution.
Compounding their elusiveness, the attacks themselves can change rapidly as they move through the enterprise, seeking a persistent foothold and ‘exfiltrating’ critical data.
So, how do we raise our game to defeat this new class of attackers? It is no longer enough to focus solely on detection and blocking. When an attack does happen, we need to be prepared to minimize its impact and stop reinfection.
This requires expanding our vigilance with an approach that enables visibility and control across the enterprise and along the full attack continuum. Below are five steps to consider as you evolve your security strategy:
- Detect and block at the perimeter and inside the network
However, even the best detection and blocking only goes so far. Once advanced malware enters your network, assume it will attempt to infect other systems until reaching the ultimate target.
It’s wise to also look for malware and other attacks on protected network segments housing sensitive technology assets.
- Assess and protect endpoints
- Analyze threats through context
By maintaining visibility of all file activity happening within the organization and tracking egress traffic, you can watch for exfiltration of critical data and communication with malicious sites to identify targeted systems that might have gone unnoticed.
- Eradicate malware and prevent reinfection
- Remediate attacks with retrospective security
And remember, before you breathe a sigh of relief, leverage what you’ve learned along these five steps and be sure to implement integrated rules on the perimeter security gateway, within security appliances protecting internal networks, and on endpoints to detect and block the same attack.
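The following is an added example, not code from the article or from Sourcefire, of the kind of analysis the "analyze threats through context" and "retrospective security" steps call for: it runs over a few constructed egress log lines and file-activity records, flags hosts that contacted a known-bad site or sent an outsized volume of data outside the corporate domain, and then re-checks file telemetry already collected against a hash that was only later learned to be malicious, which is how a quietly infected host with no network indicator gets found. The log layouts, the `.corp.example` internal domain, the blocklist and the hash feed are all assumptions made for the example.

```python
"""Egress-traffic and retrospective file-activity triage over constructed logs.

Added illustration only; this is not Sourcefire code. The log layouts, the
blocklist and the hash feed are assumptions made for the example.
"""
from collections import defaultdict
from statistics import median

# Constructed proxy/firewall egress log: timestamp, source host, destination, bytes out.
EGRESS_LOG = """
2013-03-11T09:02:11 ws-finance-07 update.vendor.example 4210
2013-03-11T09:05:43 ws-finance-07 mail.corp.example 18800
2013-03-11T09:07:02 ws-hr-03 mail.corp.example 9100
2013-03-11T09:10:19 ws-finance-07 cdn-static.badhost.example 153
2013-03-11T11:31:55 ws-finance-07 files.dropzone.example 58200000
2013-03-11T11:40:07 ws-eng-12 repo.corp.example 73000
2013-03-11T12:02:49 ws-hr-03 update.vendor.example 3900
2013-03-11T13:15:26 ws-eng-12 mail.corp.example 12400
"""

# Constructed endpoint file-activity telemetry: timestamp, host, file hash, path.
FILE_LOG = r"""
2013-03-10T17:44:09 ws-finance-07 9f1c3a0d2e4b6c81 C:\Users\alice\Downloads\invoice.exe
2013-03-10T17:44:10 ws-hr-03 0b77de1a5c9e3f42 C:\Program Files\Vendor\update.exe
2013-03-11T08:58:31 ws-eng-12 9f1c3a0d2e4b6c81 C:\Users\bob\AppData\Local\Temp\inv.exe
"""

INTERNAL_SUFFIX = ".corp.example"                    # assumed corporate domain
BLOCKLIST = {"badhost.example", "dropzone.example"}  # assumed malicious-site feed
NEWLY_BAD_HASHES = {"9f1c3a0d2e4b6c81"}              # assumed hash flagged malicious after the fact


def parse_egress(text):
    """Return (timestamp, host, destination, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, dst, nbytes = line.split()
            rows.append((ts, host, dst, int(nbytes)))
    return rows


def parse_file_log(text):
    """Return (timestamp, host, sha, path) tuples; paths may contain spaces."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, sha, path = line.split(maxsplit=3)
            rows.append((ts, host, sha, path))
    return rows


def flag_malicious_destinations(rows, blocklist):
    """Hosts that talked to a blocklisted domain or any of its subdomains."""
    hits = defaultdict(list)
    for ts, host, dst, _ in rows:
        if dst in blocklist or any(dst.endswith("." + d) for d in blocklist):
            hits[host].append((ts, dst))
    return dict(hits)


def flag_exfiltration(rows, factor=10, min_bytes=10_000_000):
    """Hosts whose bytes to external destinations stand out against their peers.

    The peer median is a toy baseline; a real deployment baselines each host
    against its own history over a longer window.
    """
    totals = {host: 0 for _, host, _, _ in rows}
    for _, host, dst, nbytes in rows:
        if not dst.endswith(INTERNAL_SUFFIX):
            totals[host] += nbytes
    threshold = max(factor * median(totals.values()), min_bytes)
    return {h: t for h, t in totals.items() if t > threshold}


def retrospective_matches(file_rows, newly_bad_hashes):
    """Files already seen on hosts that are only now known to be malicious."""
    return [(ts, host, path) for ts, host, sha, path in file_rows if sha in newly_bad_hashes]


def triage(egress_text, file_text, blocklist, newly_bad_hashes):
    """Combine the three signals into a per-host list of reasons for follow-up."""
    egress = parse_egress(egress_text)
    files = parse_file_log(file_text)
    reasons = defaultdict(list)
    for host, contacts in flag_malicious_destinations(egress, blocklist).items():
        reasons[host].append("contacted %d known-bad destination(s)" % len(contacts))
    for host, total in flag_exfiltration(egress).items():
        reasons[host].append("external egress of %d bytes" % total)
    for ts, host, path in retrospective_matches(files, newly_bad_hashes):
        reasons[host].append("ran %s (now known malicious) at %s" % (path, ts))
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(triage(EGRESS_LOG, FILE_LOG, BLOCKLIST, NEWLY_BAD_HASHES).items()):
        print(host, "->", "; ".join(why))
```

On the constructed data, ws-finance-07 is flagged three times (beacon to a blocklisted subdomain, a large transfer to a drop site, and the invoice.exe hash), while ws-eng-12 shows nothing on the wire at all and is surfaced only by the retrospective hash match; that second case is the one a purely perimeter-focused approach would miss.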
This latest threat cycle is like nothing we’ve ever seen. But just as attackers have continued to innovate so have we as defenders. By using the latest techniques and technologies we can mitigate the damage from these advanced threats and protect ourselves from future attacks.
Ivan Wen is country manager of Sourcefire Malaysia