New Generation Security for Advanced Threats
UBM Tech
Second Generation Security Threats: Targeted, Elusive, Persistent
The enterprise security landscape has shifted dramatically in the past decade. Not long ago, enterprises were mostly fighting off widespread, highly visible malware attacks perpetrated by young hackers seeking notoriety.
The impact of these attacks typically included lost productivity and temporary reputational damage. Because the threats were so visible and widespread, it was fairly easy for security vendors to ship signature updates to address them. And because many of these attacks exploited Windows vulnerabilities, most organizations woke up to the need for a viable Windows OS patching strategy.
In recent years, enterprises have been plagued by a rapid rise in far more damaging advanced threats that target specific enterprises, government agencies, contractors or critical infrastructure. Rather than teenagers out for fun and notoriety, the perpetrators of advanced threats are more likely to be organized crime groups, foreign governments, or others motivated by financial reward, terrorism or a sponsor's competitive position (see Figure 1). And now that Mac OS X and common applications such as Adobe Acrobat and Mozilla Firefox have gained an enterprise foothold, they too are attack targets.

Figure 1. Variety of external actors. Source: Verizon Data Breach Investigations Report 2013, Figure 12. The percentages below are read off the extracted figure: the Overall column is unambiguous, the Small/Large column assignment is inferred from the figure's labels, and the by-motive panels (Financial, Espionage, Other) and sample sizes did not survive extraction.
External actor       Overall   Small   Large
Organized crime        55%      57%     49%
State-affiliated       21%      20%     24%
Unknown                13%      13%     14%
Unaffiliated            8%       6%      6%
Former employee         2%       2%     <1%
Activist                1%      <1%      1%
Unlike the highly visible attacks of yore, advanced threats aim to be invisible, which makes them much harder to detect and address. These intrusions can remain on a network undetected for months or years, and are often addressed only after much of the damage has been done. Sometimes they are never detected.
The relentless stream of highly publicized, damaging targeted attacks illustrates the stakes. Through these attacks, criminals and nation states have stolen huge volumes of sensitive customer credit card information, valuable intellectual property, and even state and defense secrets. Victims have included security-conscious organizations such as RSA, Sony, Microsoft, T.J. Maxx, large financial organizations, defense contractors, various branches of the U.S. military, and The New York Times.
As a result of these never-ending and very successful attacks, many organizations are rethinking their security strategies, and acknowledging that they have probably already been attacked.
For an eye-opening look at how widespread these attacks are and how many millions of records are involved in the biggest ones, check out this interactive infographic.
Anatomy of an Attack
Advanced threats typically involve these stages:

1. Research
Before launching the attack, perpetrators usually spend a lot of time learning as much as they can about an organization and its senior management via social media, company blogs, websites and any other means.

2. Spear phishing
They then use the information collected to craft targeted, highly effective spear-phishing lures, delivered by email or phone calls that appear to come from the organization's senior management. Because they are so targeted and relevant, such lures are not easily stopped by conventional spam filtering. For example, a highly publicized attack used an email subject line and Microsoft Excel attachment called "2011 Recruitment Plan."

3. Zero-day malware
Even people with significant security-awareness training can be fooled into opening a malware-laden attachment, clicking a Web link that downloads malware onto their system, or giving their credentials to someone who appears to be calling from IT or senior management. This malware often uses zero-day exploits that traditional, signature-based antimalware and intrusion-prevention solutions do not detect. Many of these attacks target Mac OS X and application vulnerabilities, and the file formats those applications open, because the perpetrators know that many IT organizations lack effective application management and patching strategies.

4. Control channel
Once the malware download or credential theft succeeds, the perpetrators gain access to the network and set up a covert, remotely accessible command-and-control channel.

5. Gradual spread
The attacker then uses the control channel to gain access gradually to other systems and parts of the network over weeks, months or even years.

6. Data exfiltration
Once the desired information is identified and located, the perpetrator uploads it to a remote site, typically via an encrypted channel.
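Stages 4 and 6 leave traces in outbound traffic that a defender can look for even without endpoint visibility: a control channel tends to "beacon" to the same destination at near-constant intervals, and exfiltration shows up as unusually large outbound volume to one destination. The following Python script is an added example, not part of the original paper; its proxy-log format, hostnames and thresholds are constructed for illustration.

```python
"""Detecting the control-channel and exfiltration stages in outbound proxy logs.

Added example (not from the original paper): flags
(a) beaconing -- a host contacting the same external destination at near-constant
    intervals -- and
(b) bulk outbound transfers from one host to a single destination.
The log format and the sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, assumed format: "timestamp src_host dest_host bytes_out"
SAMPLE_LOG = """\
2013-06-03T09:00:00 ws-17 cdn.example-update.net 512
2013-06-03T09:01:00 ws-17 cdn.example-update.net 498
2013-06-03T09:02:01 ws-17 cdn.example-update.net 530
2013-06-03T09:03:00 ws-17 cdn.example-update.net 505
2013-06-03T09:04:00 ws-17 cdn.example-update.net 511
2013-06-03T09:04:30 ws-17 www.example.com 1200
2013-06-03T09:10:00 ws-22 www.example.com 3000
2013-06-03T09:25:00 ws-22 mail.example.com 900
2013-06-03T11:00:00 ws-22 files.example.org 48000000
2013-06-03T11:00:05 ws-22 www.example.com 2200
2013-06-03T11:30:00 ws-22 files.example.org 61000000
"""


def parse_log(text):
    """Parse lines into (timestamp, src, dest, bytes_out) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            records.append((ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def detect_beacons(records, min_connections=4, max_jitter=0.2):
    """Flag (src, dest) pairs whose inter-connection gaps are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; automated beacons are far more regular than human
    browsing. Returns a list of (src, dest, mean_interval_seconds).
    """
    by_pair = defaultdict(list)
    for ts, src, dest, _ in records:
        by_pair[(src, dest)].append(ts)
    hits = []
    for (src, dest), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dest, round(avg)))
    return hits


def detect_exfil(records, threshold_bytes=50_000_000):
    """Flag (src, dest) pairs whose total outbound volume reaches the threshold."""
    totals = defaultdict(int)
    for _, src, dest, out in records:
        totals[(src, dest)] += out
    return [(src, dest, total) for (src, dest), total in totals.items()
            if total >= threshold_bytes]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dest, interval in detect_beacons(recs):
        print(f"BEACON  {src} -> {dest} every ~{interval}s")
    for src, dest, total in detect_exfil(recs):
        print(f"EXFIL   {src} -> {dest} {total} bytes outbound")
```

On the constructed log this reports ws-17 beaconing to cdn.example-update.net roughly every 60 seconds and ws-22 pushing about 109 MB to files.example.org. Real implants add deliberate jitter and split transfers across destinations, so in production the thresholds are tuned per environment and combined with destination reputation; the point is that the control channel's regularity and the exfiltration volume are behaviors, not signatures.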
Five Ways Second-Generation Solutions Succeed Where the First Generation Fails
Why have advanced threats succeeded so dramatically when most organizations have built sophisticated defense-in-depth strategies? Because most of the tools and strategies organizations possess were built for the last generation of security threats. Here are five reasons first-generation security solutions fail where a new crop of second-generation solutions succeeds.
1. Visibility
The first requirement of a viable security strategy should be clear, comprehensive visibility into all the operating systems, applications, files and other resources running on the network. How else could IT detect the suspicious applications, files, registry changes and other behavior typical of first- and second-generation security threats? Remarkably, however, few first-generation security solutions focus on endpoint and network visibility. Instead, their main focus is on specific, known vulnerabilities and attack signatures.
Many of today's second-generation security solutions treat visibility as an essential feature of their approach, tracking the actions of every operating system, application, system and file in order to discover suspicious behavior that may indicate an attack. If an attack is discovered, many provide comprehensive forensic information to help IT address all aspects of the attack and trace it back to its source.
2. Signatures
Most of the traditional security tools enterprises have deployed across servers and endpoints, such as antimalware and intrusion-prevention solutions, use threat signatures as the primary technique for detecting and addressing security threats.
Signatures worked pretty well when attacks were highly visible and widespread. However, today's more sophisticated perpetrators aim for stealth, and their tactics lean on zero-day and polymorphic threats. By definition, a zero-day attack has no existing signature, and polymorphic malware changes its form so that a signature written for one sample misses the next. Even when a threat is detected, the blinding pace and volume of new threats makes it nearly impossible to keep up with all the signatures involved.
According to the AV-Test Institute, approximately six million new pieces of malware were detected in June 2013 alone. The research and effort required to create signatures for this flood of malware is resource-intensive. And, as anyone who uses a traditional antimalware solution knows, the real impact is the ever-increasing processing power and storage needed to support them. Security updates and scans consume more and more resources on the average endpoint PC, notebook and mobile device over time, limiting user productivity and increasing frustration.
Second-generation solutions focus on malware-like behavior instead of signatures. These solutions harness global and local intelligence to baseline normal, trusted behavior, then use that information to detect anomalies, changes and untrusted behavior that indicate an attack in progress. When they detect new suspicious files, many of these solutions activate and test them for malware-like behavior in a sandboxed, protected environment.
3. Bulky Malware Scans
Aside from updates, first-generation security solutions rely largely on periodic system scans to detect and address any threats that make it through their other defenses. The scans are comprehensive, but with the increasing size of system storage and the pace of new signatures, they consume system resources even more dramatically than signature updates, frustrating users and squashing productivity further. Server scans are so heavy that they are almost unusable on systems running mission-critical applications.
System scans are intermittent, which means they can miss malware changes and activity that occur between scans. If a threat is discovered by some other means, system scans are a poor way to gather forensic information, as they often take hours or days to run, valuable time that could have been used to analyze the new threat and limit its impact before it does more harm.
Instead of system scans, many second-generation solutions monitor systems continuously, detecting and logging all changes and additions to the environment, including registry and memory changes and new applications and files. Although this approach might seem more intrusive than a periodic system scan, these solutions actually tend to be lightweight and less obtrusive than their first-generation cousins, because they don't have to scan the entire storage medium or constantly ingest thousands of new signatures per day.
When a successful breach is discovered, the comprehensive forensic information second-generation security solutions have already collected is immediately available, so IT doesn't have to wait for a bulky, lengthy scan to complete. The forensic information they provide is also much more comprehensive than the information from an occasional scan.
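To make concrete what "detecting and logging all changes" looks like, as opposed to a periodic full scan, here is an added Python example (not Bit9's code and not from the paper) of a minimal endpoint recorder: it snapshots a directory tree, diffs successive snapshots, and emits a timestamped timeline of added, modified and deleted files that is ready for forensic review. The directory contents and the scenario are constructed; a production agent would subscribe to file-system change notifications rather than re-walking the tree, but the snapshot-and-diff logic is the same.

```python
"""Continuous change recording instead of periodic scans.

Added example (not Bit9's code, nor anything from the paper): a minimal endpoint
'recorder' that snapshots a directory tree (relative path -> SHA-256, size) and
turns the difference between successive snapshots into timestamped forensic
events. The sample tree written by demo() is constructed for this example.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative, '/'-separated) to (sha256, size)."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (sha256_of(full), os.path.getsize(full))
    return state


def diff(before, after, when=None):
    """Turn two snapshots into a sorted list of event dicts: added / modified / deleted."""
    when = when or datetime.now(timezone.utc).isoformat()
    events = []
    for rel in sorted(set(before) | set(after)):
        old, new = before.get(rel), after.get(rel)
        if old is None:
            events.append({"time": when, "event": "added", "path": rel, "sha256": new[0]})
        elif new is None:
            events.append({"time": when, "event": "deleted", "path": rel, "sha256": old[0]})
        elif old != new:
            events.append({"time": when, "event": "modified", "path": rel,
                           "old_sha256": old[0], "sha256": new[0]})
    return events


class Recorder:
    """Keeps the last snapshot and appends every observed change to a timeline."""

    def __init__(self, root):
        self.root = root
        self.last = snapshot(root)
        self.timeline = []

    def poll(self):
        current = snapshot(self.root)
        events = diff(self.last, current)
        self.timeline.extend(events)
        self.last = current
        return events


def demo():
    """Constructed scenario: a dropper lands, a trusted binary is replaced, a log is wiped."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    write("bin/updater.exe", b"legit v1")
    write("logs/app.log", b"ok\n")
    rec = Recorder(root)                               # baseline taken here
    write("tmp/dropper.exe", b"MZ...payload")          # new, never-seen executable
    write("bin/updater.exe", b"trojanized v1")         # trusted binary tampered with
    os.remove(os.path.join(root, "logs/app.log"))      # anti-forensics
    return rec.poll()


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Because every event carries the hash before and after the change, the timeline answers the questions an incident responder asks first (what arrived, what was altered, what was destroyed, and when) without re-scanning the whole disk after the fact.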
4. Untrusted Applications
Aside from antimalware solutions, enterprise security strategies have focused on centralized management and distribution of operating system security patches. That is effective against attacks on operating system vulnerabilities once a patch exists, but by definition it does nothing for a true zero-day, and it leaves application flaws untouched. Unfortunately, today's malware increasingly takes advantage of vulnerabilities in a variety of commonly used applications, such as Adobe Acrobat Reader, Flash Player and Mozilla Firefox, delivered through the file formats those applications open (JPEG, PDF and others) (see Figure 2). With more users bringing their Macintosh notebooks from home, malware increasingly targets OS X as well. Enterprises, application vendors and security vendors are playing catch-up when it comes to devising strategies and solutions that find and patch all application and Macintosh vulnerabilities. Organizations have tried a variety of management tools to control what applications users download onto their endpoints. However, with the explosion of bring your own device (BYOD) programs, the flood of new devices and software has been very difficult to stem.

Figure 2. Top security threats. Survey question: Which of the following possible sources of breaches or espionage pose the greatest threat to your organization in 2012?
Authorized users/employees                          52%
Cybercriminals                                      52%
Application vulnerabilities                         44%
Public interest groups/hacktivists                  24%
Contracted service providers/consultants/auditors   21%
External users                                      18%
Competitors                                         15%
Foreign governments                                 13%
Customers                                           12%
Other                                                1%
Unknown                                              4%
Source: InformationWeek 2012 Strategic Security Survey of 946 business technology and security professionals at organizations with 100 or more employees, March 2012
New-generation security solutions harness sophisticated, continuously updated global intelligence to discover and track potentially malicious applications and files. Some also offer sandbox testing that isolates and activates newly discovered files and applications in order to analyze them for malware behavior. These solutions can then assign a trust rating to each app and file, allowing organizations to set policy for allowing or blocking them.
5. Siloed Security Strategies
Perhaps the most successful strategy used in advanced threats takes advantage of the silos typical of IT organizations by deploying a variety of techniques that cross network and endpoint boundaries. Many security solutions are designed to monitor a single attack path, or a small number of paths and vectors. A single security solution may detect and eradicate a single exploit, providing the illusion that an attack has been prevented or stopped, when in fact it has only addressed the tip of the iceberg. The siloed nature of tools makes it almost impossible for IT to achieve a holistic view of an advanced attack in progress, or to provide adequate forensics to trace all the steps and paths of the attack, assess all the damage and address it comprehensively.
New-generation security tools employ an integrated approach that spans the network and its thousands of server, desktop and mobile device endpoints to track and analyze the entire scope of the attack and its impact. Instead of a deluge of disjointed information from multiple displays, logs and consoles, IT gets a single view of the advanced threat and its entire impact, allowing it to coordinate a strategy to address all of its parts early, before the devastating damage is done.
Next-Generation Endpoint and Network Security Tools Integrate to Remove Endpoint Blind Spots
Bit9 employs all the strategies of new-generation security solutions, yielding a comprehensive, effective tool for detecting, analyzing, tracking and eradicating today's most intractable advanced threats. Bit9 extends its security capabilities by integrating with next-generation network security solutions such as FireEye and Palo Alto Networks. With this integration, IT gets comprehensive visibility into the full scope of advanced threat activity, and the means to coordinate an effective forensics and remediation strategy to block or eradicate advanced threats.
Real-Time Visibility and Monitoring
The Bit9 Security Platform installs a lightweight, real-time sensor and recorder on all enterprise endpoints, servers and fixed-function devices, providing continuous visibility across all devices and their installed files. It then tracks all changes to files, system registries and processes over time. All that endpoint monitoring information is uploaded to a centralized Bit9 server for comprehensive forensic analysis at any time (see Figure 3). With Bit9, IT achieves not only holistic, real-time visibility into its endpoint and server security posture, but also instant, comprehensive forensics in the event of advanced threat discovery. No burdensome, lengthy scans and bulky updates are needed.
Behavior and Reputation Count
Bit9's new-generation threat detection goes beyond signatures to analyze behavior: trusted behaviors are whitelisted, and untrusted behavior typical of advanced threats generates alerts. Untrusted behaviors may include suspicious file and registry changes and memory and process violations. This approach is extremely effective for detecting the zero-day threats that traditional signatures miss.
The Bit9 Security Platform also integrates information from Bit9's Global Software Reputation and Threat Indicator cloud services, which crawl the global Internet continuously to provide comprehensive, up-to-date intelligence on current and past software threats and threat behaviors. Based on this continuous information flow, Bit9 assigns trust ratings to all the software it discovers on endpoints. Bit9 then enables IT to set up what it considers acceptable trust ratings, as well as granular policies and rules for handling untrusted software and behavior.
Just a few dozen policies are sufficient to detect and stop most attacks, often before they start. For example, when an unacceptable registry change is attempted or an untrusted executable tries to activate, Bit9 can block the action based on preconfigured rules, rather than reacting to it after the fact.
Next-Generation Network Security Solutions
Bit9 extends its endpoint and server capabilities via integration with next-generation network security solutions such as FireEye and Palo Alto Networks. When either of these second-generation solutions detects malware-like behavior, Bit9 combines the information across platforms to analyze the location, scope and severity of the threat across the network and all endpoints and servers. The same is true in reverse: when new actions and files are discovered on endpoints, they can be sent, automatically or manually, to the network security devices for analysis. All information is displayed on a single Bit9 console, allowing IT security to filter out nonactionable events and prioritize high-impact alerts for fast incident response and remediation. IT can then use automated, granular security policy updates to prevent future attacks.
This integration also allows IT to set up granular rules that use the network security solutions for sandboxing, detonating and analyzing newly discovered files for malware-like behavior, and to define policies for which files are sent to them.
The resulting solution provides comprehensive visibility, analysis, policy and remediation of advanced threats across the network and endpoints.
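The trust-rating policy described under Behavior and Reputation Count and the cross-silo scoping described in this section can be shown in a few functions. The Python below is an added example, not Bit9, FireEye or Palo Alto Networks code and not from the paper: a constructed reputation feed rates file hashes, an assumed policy turns ratings into allow / alert / block decisions, unknown files are marked for sandbox detonation, and a constructed network-side sandbox verdict is joined against the endpoint inventory to answer which hosts carry the flagged file. All hashes, hostnames, paths and thresholds are made up for the example.

```python
"""Trust ratings, policy and cross-silo scoping.

Added example (not Bit9's, FireEye's or Palo Alto Networks' code, and not from the
paper). Endpoint inventory records are scored from a reputation feed, an assumed
policy maps ratings to allow / alert / block, and a network-side sandbox verdict
for a file hash is joined against the inventory to answer 'which hosts have it?'.
The feed, inventory, alert and thresholds below are all constructed.
"""
from collections import defaultdict

# Constructed reputation feed: sha256 -> trust rating, 0 (known bad) .. 10 (known good)
REPUTATION = {
    "a" * 64: 10,   # e.g. a signed OS component
    "b" * 64: 7,    # widely seen, signed, no bad history
    "c" * 64: 1,    # flagged as malicious
}

# Constructed endpoint inventory as reported by sensors: (host, path, sha256)
INVENTORY = [
    ("ws-17",  "C:\\Windows\\System32\\svchost.exe",              "a" * 64),
    ("ws-17",  "C:\\Users\\alice\\Downloads\\plan.exe",            "d" * 64),
    ("ws-22",  "C:\\Program Files\\Acme\\acme.exe",                "b" * 64),
    ("ws-22",  "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe",    "d" * 64),
    ("srv-01", "C:\\Program Files\\Acme\\acme.exe",                "b" * 64),
    ("srv-01", "C:\\Temp\\cleanup.exe",                            "c" * 64),
]

# Assumed policy thresholds; a real deployment tunes these per host group
POLICY = {"approve_at_or_above": 8, "ban_at_or_below": 2}


def rate(sha256, reputation=REPUTATION):
    """Return the feed's rating, or None when the hash has never been seen anywhere."""
    return reputation.get(sha256)


def decide(sha256, policy=POLICY, reputation=REPUTATION):
    """Map a file hash to allow / alert / block; unknown files are alerted and queued for detonation."""
    r = rate(sha256, reputation)
    if r is None:
        return "alert-and-detonate"
    if r <= policy["ban_at_or_below"]:
        return "block"
    if r >= policy["approve_at_or_above"]:
        return "allow"
    return "alert"


def scope_of_hash(sha256, inventory=INVENTORY):
    """Cross-silo join: which hosts, and where on disk, carry the file a network device flagged."""
    hits = defaultdict(list)
    for host, path, h in inventory:
        if h == sha256:
            hits[host].append(path)
    return dict(hits)


def handle_network_alert(alert, inventory=INVENTORY, reputation=REPUTATION):
    """Fold a sandbox verdict into the reputation feed, then scope the file and re-decide.

    'alert' is a constructed dict: {"sha256": ..., "verdict": "malicious" | "benign"}.
    """
    updated = dict(reputation)
    updated[alert["sha256"]] = 0 if alert["verdict"] == "malicious" else 9
    return {
        "decision": decide(alert["sha256"], reputation=updated),
        "hosts": scope_of_hash(alert["sha256"], inventory),
    }


if __name__ == "__main__":
    for host, path, h in INVENTORY:
        print(f"{host:7} {decide(h):19} {path}")
    verdict = {"sha256": "d" * 64, "verdict": "malicious"}   # constructed sandbox result
    print(handle_network_alert(verdict))
```

The value of the join is in the last step: a network sandbox sees the file once, on the wire, but the endpoint inventory shows it already sitting on two workstations under different names, which is the "scope" that a network-only or endpoint-only tool cannot produce on its own.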
Bit9 for FireEye and Bit9 for Palo Alto Networks: each is presented as a first-of-its-kind integration between network security and endpoint and server security (video sidebars in the original).
Figure 3. Bit9 security platform diagram.
The End of Blind Spots
First-generation security solutions are far too siloed, signature-based and resource-intensive to protect today's enterprises from second-generation advanced threats. Those threats require lightweight, intelligent, next-generation security solutions that span network and endpoint silos to coordinate detection, protection, forensics and eradication of today's multipronged, stealthy targeted attacks. Bit9's connectors for FireEye and Palo Alto Networks offer all the best aspects of next-generation security solutions, providing the most effective advanced threat defense in the enterprise security arsenal.
Resources:
Webcast on demand: Overcoming Security Blind Spots in Network, Endpoint and Server Security
https://www.bit9.com/resources/webinars/overcoming-security-blind-spots-in-network-endpoint-and-server-security/
Bit9 eBook: Detecting and Stopping Advanced Attacks
https://www.bit9.com/resources/ebooks/bit9-ebook-detecting-and-stopping-advanced-attacks/
Figure 4. How network security enhances endpoint security.