Approximately every five years, attackers launch new types of threats and defenders protect against them
A confluence of factors makes today’s threats more damaging than anything we have experienced in the past
The first PC viruses appeared more than 25 years ago. Little did we realize then that this was only the first of a series of threat waves.
For nearly 10 years, viruses remained the primary method of attack, but over time defenders largely matched them with detection and blocking. Motivated by the notoriety and knowledge gained from discovering and publicizing new vulnerabilities, attackers kept innovating.
What ensued were distinct threat cycles. Approximately every five years, attackers would launch new types of threats – from macro viruses to worms to spyware and rootkits – and defenders would protect against them.
It’s no surprise that we can map these cycles to major technology shifts that presented new attack vectors. Early viruses targeted primarily the operating system and were spread by ‘sneakernet’ (when data was transferred physically using media like floppy disks – ED).
Macro viruses took advantage of users sharing files. Worm-type threats that moved from machine to machine leveraged enterprise networks and the increasing use of the Internet. And spyware and rootkits emerged with new applications, devices and online communities.
This brings us to today, when we find ourselves combatting advanced malware, targeted attacks and advanced persistent threats (APTs). Is this just the latest threat wave, or is this more akin to a tsunami?
A confluence of factors makes these threats more damaging than anything we have experienced in the past. These factors include:
An explosion of attack vectors: The advent of mobility, bring your own device (BYOD), virtualization and the cloud has spurred a breadth of new devices, infrastructure and networks, and a range of operating systems and applications, each of which offers new, efficient channels for delivering malware and conducting attacks.
And while social media, mobile applications, websites and web-enabled applications have created new ways for a variety of users to connect (employees, partners, customers), they have also exposed individuals and organizations to new inbound and outbound security threats.
Market dynamics: An organized and increasingly lucrative market for exploits has emerged, and this open market helps fuel the shift from opportunistic exploitation to disruption and destruction. As criminals have realized there is money to be made, their work has become more standardized, mechanized and process-driven.
It is now common practice for hacker groups to follow software development processes, such as quality assurance (QA) testing, or to bench-test their malware against security products before releasing it into the wild.
Stealthier attacks: There are now significant financial incentives for secrecy, and many groups are motivated to launch attacks for economic or political gain with little chance of retribution or prosecution.
New methods of circumventing protection, such as port hopping, tunneling, droppers and botnets, have made it easier, faster and cheaper for attackers to get in, and increasingly difficult for defenders to see them and keep them out.
Compounding the elusiveness, the attacks themselves can change rapidly as they progress through the enterprise, seeking a persistent foothold and exfiltrating critical data.
So, how do we raise our game against this new class of attacker? It is no longer enough to focus solely on detection and blocking. When an attack does succeed, we need to be prepared to limit its impact and stop reinfection.
This requires expanding our vigilance with an approach that enables visibility and control across the enterprise and along the full attack continuum. Below are five steps to consider as you evolve your security strategy:
Detect and block at the perimeter and inside the network
It’s good practice to handle threats as close to the perimeter as possible to prevent malware from entering the network and potentially infecting endpoint devices. Consider a network-based malware detection appliance that can identify and protect against malware without sacrificing performance.
However, even the best detection and blocking only goes so far. Once advanced malware enters your network, assume it will attempt to infect other systems until reaching the ultimate target.
It’s wise to also look for malware and other attacks on protected network segments housing sensitive technology assets.
Assess and protect endpoints
A layered defense is the best strategy: endpoints are not always connected to the corporate network, so they need their own protection. Choose endpoint protection that is lightweight and does not hinder device performance, so that the user experience is not affected.
Analyze threats through context
Not all threats are created equal. Technologies that collect and correlate large volumes of event data can use that context to pinpoint compromised devices by their behavior.
By maintaining visibility of all file activity within the organization and tracking egress traffic, you can watch for exfiltration of critical data and for communication with malicious sites, and so identify targeted systems that would otherwise go unnoticed.
Eradicate malware and prevent reinfection
Upon finding a malware infection, simply quarantining the device and cleaning it is not enough. To eliminate the malware and prevent reinfection, consider technologies that track every file on every device, so that you can identify 'Patient Zero' (the first infected host), the malware's trajectory through the network and every instance of it across the enterprise.
Remediate attacks with retrospective security
Advanced malware protection should also alert on files that were allowed through but are subsequently identified as malware, so that they can be remediated retrospectively. Continuing to track and analyze suspicious files against real-time threat intelligence, and blocking them as soon as a verdict changes, is particularly important in this latest threat wave, where attacks can keep changing once they are inside the network.
And before you breathe a sigh of relief, apply what you have learned across these five steps: implement the same rules on the perimeter security gateway, in the security appliances protecting internal networks, and on endpoints, so that every layer detects and blocks the same attack.
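To make steps three to five concrete (context from file activity, finding Patient Zero and the malware trajectory, and retrospective remediation that pushes the same indicator to gateway, internal sensors and endpoints), here is an added example in Python. It is not Sourcefire's code and does not describe any product's internals; the hostnames, hashes, timestamps and event format are constructed for the example.

```python
"""File-trajectory store for retrospective remediation.

Added example, not Sourcefire's code. Every file observed at the gateway
or on an endpoint is recorded as an event keyed by its SHA-256. When a
hash that was allowed through earlier is later classified as malware, the
store answers: which host saw it first (Patient Zero), how it spread,
where it ran, and which rules to push to each layer. Hosts, hashes,
timestamps and the event format are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: int                      # epoch seconds (constructed)
    host: str                    # where the event was observed
    sha256: str                  # hex digest of the file
    action: str                  # "download" | "create" | "execute" | "copy_out"
    peer: Optional[str] = None   # download source, or the other host in a copy


# Constructed hashes (64 hex chars) and a constructed event stream: a file
# arrives on ws-12, runs, and is copied over the LAN to ws-07 and then to
# the file server fs-01. CLEAN is an unrelated file.
EVIL = "c0ffee" * 10 + "beef"
CLEAN = "deadbeef" * 8
EVENTS = [
    FileEvent(1000, "ws-12", EVIL, "download", peer="cdn.example.net"),
    FileEvent(1005, "ws-12", EVIL, "execute"),
    FileEvent(1010, "ws-07", CLEAN, "create"),
    FileEvent(1300, "ws-12", EVIL, "copy_out", peer="ws-07"),
    FileEvent(1301, "ws-07", EVIL, "create", peer="ws-12"),
    FileEvent(1320, "ws-07", EVIL, "execute"),
    FileEvent(2200, "ws-07", EVIL, "copy_out", peer="fs-01"),
    FileEvent(2201, "fs-01", EVIL, "create", peer="ws-07"),
]


def _unique(seq: List[str]) -> List[str]:
    """Order-preserving de-duplication (first sighting wins)."""
    out: List[str] = []
    for x in seq:
        if x not in out:
            out.append(x)
    return out


class TrajectoryStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, List[FileEvent]] = defaultdict(list)
        self.verdicts: Dict[str, str] = {}   # sha256 -> "malware" | "clean"

    def record(self, ev: FileEvent) -> None:
        self._by_hash[ev.sha256].append(ev)

    def trajectory(self, sha256: str) -> List[FileEvent]:
        """All events for a hash, oldest first."""
        return sorted(self._by_hash.get(sha256, []), key=lambda e: e.ts)

    def patient_zero(self, sha256: str) -> Optional[str]:
        traj = self.trajectory(sha256)
        return traj[0].host if traj else None

    def spread(self, sha256: str) -> List[Tuple[str, str]]:
        """Host-to-host edges: a 'create' with a peer came from that peer."""
        return [(e.peer, e.host) for e in self.trajectory(sha256)
                if e.action == "create" and e.peer]

    def retrospective_verdict(self, sha256: str, verdict: str) -> Dict[str, object]:
        """Apply a verdict that arrived after the file was first seen."""
        self.verdicts[sha256] = verdict
        traj = self.trajectory(sha256)
        hosts = _unique([e.host for e in traj])
        executed_on = _unique([e.host for e in traj if e.action == "execute"])
        rules: List[Dict[str, object]] = []
        if verdict == "malware":
            # The same indicator goes to every layer, as the article advises.
            rules = [
                {"scope": "gateway", "action": "block", "sha256": sha256},
                {"scope": "internal", "action": "block", "sha256": sha256},
                {"scope": "endpoint", "action": "quarantine", "sha256": sha256,
                 "hosts": hosts},
            ]
        return {"sha256": sha256, "verdict": verdict,
                "patient_zero": self.patient_zero(sha256), "hosts": hosts,
                "executed_on": executed_on, "spread": self.spread(sha256),
                "rules": rules}


def build_store(events: List[FileEvent] = EVENTS) -> TrajectoryStore:
    store = TrajectoryStore()
    for ev in events:
        store.record(ev)
    return store


if __name__ == "__main__":
    # Threat intelligence later flips EVIL from "unknown" to "malware".
    report = build_store().retrospective_verdict(EVIL, "malware")
    print("Patient Zero:", report["patient_zero"])
    print("Affected hosts:", report["hosts"], "ran on:", report["executed_on"])
    print("Spread path:", report["spread"])
    for rule in report["rules"]:
        print("Push rule:", rule)
```

The point of the store is that the verdict and the sighting are decoupled: nothing in the event stream changes when intelligence arrives, so a hash judged benign at the gateway on day one can still be traced to every host it touched on day thirty. In a real deployment the events would come from endpoint agents and network sensors and the store would be a database rather than an in-memory list.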
This latest threat cycle is like nothing we’ve ever seen. But just as attackers have continued to innovate so have we as defenders. By using the latest techniques and technologies we can mitigate the damage from these advanced threats and protect ourselves from future attacks.
Ivan Wen is country manager of Sourcefire Malaysia