
Advanced persistent threat detection: Can it find custom malware?

Signature-based antimalware tools can't always detect custom malware and advanced persistent threats. Expert Nick Lewis explains how to combat these menaces.

A recent test showed that some well-known threat detection products were unable to detect custom-written malware samples thrown at them. Should enterprises still include these systems in their defense initiatives if they are ineffective? What other types of technologies and methods should be used for advanced persistent threat detection and prevention?

The current consensus on older signature-based antimalware tools is that they are ineffective against targeted attacks, or against any attack that uses malware for which no signature exists yet. The antimalware industry realized long ago that signatures alone are not sufficient to protect its customers; in response, vendors started adding heuristics, anomaly detection and other functionality (such as a host-based intrusion prevention system). Many vendors now say this newer functionality can protect against an advanced persistent threat (APT) or targeted attacks.

The industry is now in the process of improving that newer functionality to keep pace with ever-evolving attacks. The November 2014 Technical Report of MRG Effitas Ltd. and CrySyS Lab (along with other reports like it) is critical for driving those improvements and for helping enterprises understand the limitations of current systems. Independent tests such as these give an enterprise a place to start when determining how a tool might fit into its environment and improve process efficiency.

Enterprises need to evaluate how any security tool operates in their own environment. For an APT tool, this may take longer than the standard 30-day vendor evaluation, but an enterprise must be confident that the tool it chooses will actually deliver the stated functionality and value.

The MRG Effitas and CrySyS Lab report reminds readers that anti-APT tools do not all function the same way and may not be interchangeable in an enterprise's environment. Security teams should evaluate how an anti-APT tool would fit into their existing information security program and identify how it will integrate with their internal systems. They could even replay actual attack data captured from their own enterprise network to evaluate whether, and how, the proposed tool would have protected them from that attack.

If an enterprise chooses a network-based anti-APT tool, it should still evaluate other protections, such as endpoint antimalware, application whitelisting and host-based intrusion detection and prevention tools, to see whether they will effectively complement the anti-APT tool. Note that internal monitoring tools, log analysis, host-based intrusion detection and other technologies will also need to be updated to detect and prevent current threat vectors.


This was last published in April 2015
