Sergey Nivens - Fotolia
Published: 01 Feb 2016
Arden Peterkin has little faith that antivirus software can be effective against today's cyberthreats.
In the past, the security architect deployed antivirus software on 80,000 endpoints in a large Georgia school district's network to prevent a security attack. While the software reported "all clear," a quick look at the device logs for the network confirmed infected systems were still communicating with known command-and-control sites.
"The actual management console was showing that everything was great, but when we looked at the logs, they showed that the network was totally infected," says Peterkin, a security contractor with Reamer & Associates.
Today, Peterkin still uses antivirus technology as a first measure to weed out obvious cyberthreats but focuses on other technologies to stop increasingly sophisticated threats targeting his users. Protecting roughly 25,000 teachers and more than 175,000 students requires proactive management of vulnerabilities, constant monitoring of network events and a focus on guarding any critical data. Peterkin and the other members of the security team use three different agents on most endpoints, manage the network's defenses with a security information and event monitoring (SIEM) system, and liberally encrypt important data.
Yet he is always looking for better ways to catch increasingly advanced security attacks, and he is not alone. As the security community enters 2016, the arms race between attackers and defenders continues. While few companies plan on doing away with endpoint protection in 2016, security professionals stress that other approaches are necessary.
Better hiding places
That's because adversaries are becoming more skilled at not only avoiding detection by antivirus scanners, but hiding from the automated analysis techniques that security firms rely on to detect malicious programs. The Dyre family of malware, for example, detects the number of processing cores on which its target's operating system runs to identify whether the malware is being watched by security analysts. (Analysis systems typically run on virtual machines with their operating systems assigned to a single core for performance reasons.)
In a recent version of its software, the DarkHotel group of cyber spies fingerprinted any system on which the program runs to detect an analysis environment and went a step further by encrypting the data in memory.
"Unfortunately, threats will continue to evolve," says Ehud Shamir, chief security officer of endpoint security provider SentinelOne. "Criminals will become much more sophisticated, and nations [intent on espionage] have huge budgets, which will fuel continuous innovation, almost without limit."
Defenders will have difficulty combatting the increasingly sophisticated security attack without the right tools. Security experts and professionals are looking at a handful of other technologies to better secure the network.
"There are many fronts you have to focus on and, unfortunately, we have to excel on every front. But the attacker only has to be successful -- or lucky -- on a single front," Peterkin says.
While the landscape of attacks, vulnerabilities and motives is changing, security professionals stress that most companies should not worry about the more advanced attacks until they can deal with the basics. NSS Labs, which monitors security attacks against test networks, estimates that 98% of attacks are criminal or vandalism, and not the advanced espionage that garners the largest headlines.
In its annual Data Breach Investigations Report, Verizon found that seven out of every eight breaches boiled down to one of three basic attacks: Physical theft, errors in hosting or delivering data, or compromised credentials and privilege misuse. In fact, almost half of breaches could be stopped if companies implemented two-factor authentication and vulnerability management, according to Jonathan Nguyen-Duy, chief technical officer for Verizon's security group.
"These are basic things that companies are still failing to do," he says. "We are still not patching vulnerabilities that we have known about for weeks, months or years. Even when we have perfect information, we are still not using it because we are overwhelmed."
More technology is not necessarily the answer. Often a new security system results in a massive influx of data, much of it false alarms. Companies should focus on getting out from underneath all the data produced by information technology and alerts created by ostensibly "helpful" security technologies, says Phil Burdette, senior security researcher for the Counter Threat Unit at Dell SecureWorks.
"I think organizations need to prioritize what they are trying to defend against," he says. "There are lots of threats out there in the world. It is not reasonable that all organizations can check themselves against everyone."
However, by looking at specific cyberthreat areas, companies will find that newer technologies offer some interesting possibilities.
Getting in the network
Attackers are finding new ways to infect the first system and gain access. Five years ago, attackers would take days to create scans for known vulnerabilities, usually targeting a vulnerable service on an operating system or popular application. Now, however, attackers are taking hours -- or less -- and often targeting less well-known software.
Within a day of the public disclosure of two backdoors in Juniper Networks' firewalls in late December, for example, attackers and security researchers were already scanning for appliances with the vulnerability and found thousands -- possibly as many as 26,000 -- of systems with one of the two backdoors.
Vulnerable software is often not even required if companies frequently make mistakes configuring critical applications. Internet scanning service Shodan found 35,000 open instances of the database MongoDB in October, exposing more than 680 terabytes of data.
Much of the vulnerability scanning is routed through anonymizing proxies or networks. When IBM researchers looked at the traffic coming to clients' Web sites from the TOR anonymizing network, much of the traffic consisted of vulnerabilities scans, says John Kuhn, senior security threat researcher with IBM Managed Security Services. IBM's data shows the top targets of traffic coming out of TOR and directed at business websites are vulnerability scanning and attempts at attacking the databases behind the websites, a technique known as SQL injection.
"A lot of the vulnerability scanning we see coming from the [TOR] network is against Web infrastructure," Kuhn says. "They have always done that in the past, but they are trying to ramp that effort up."
SIEM systems are key for keeping abreast of the vulnerabilities in a network and prioritizing the updates of vulnerable software. Focusing on the most serious vulnerabilities is critical, but having another technology -- such as a next-generation firewall or Web application firewall -- to block other attacks is crucial, says Neal Hartsell, executive vice president for product management at NSS Labs.
"Even if you conduct penetration tests daily, you cannot approach the problem by saying that you are going to do a good job of closing every door and window," Hartsell says. "So the question becomes how do you focus on what really matters?"
Keeping up will be difficult, however. NSS Labs currently tracks some 13 active exploit kits that delivered more than 38,000 unique exploits in 2015.
Even if they could close down every vulnerability, security professionals still have to worry about their users. Phishing will continue to be a popular way to get into a network. While running unauthorized applications may become harder, attackers are getting better at convincing users to install malicious software. The top ways that attackers are currently getting into networks are through exploiting vulnerable databases, conning users via spear phishing into downloading malware, and finding ways to run malware directly, according to IBM's X-Force research team.
"As defenses become better, we will see more social engineering attacks," says Giovanni Vigna, chief technology officer and co-founder of security firm LastLine. "It is very difficult to prevent them technologically."
Infections and taking control
Once an attacker exploits a vulnerability -- whether technological or a user -- their next step is to extend their compromise. Yet that is changing as well: The adversaries are learning from defenses that detect them, looking into the security logs and finding ways to hide their activities.
While the use of malware continues to be the most popular way to jump from system to system, a subset of sophisticated attackers are instead co-opting administrators' identities and then using standard administration tools to further their compromise and escape advanced defenses, such as application-whitelisting technologies. In 2010, attackers most often resorted to keylogging -- about 40% of all information security attacks used keyloggers, according to Verizon's 2015 Data Breach Investigations Report. Now more than half of security attacks focus on gathering credentials, the report found.
Managed security firm Dell SecureWorks, for example, has seen the remote desktop protocol (RDP), Windows Management Instrumentation, PowerShell and automation features, such as scheduled tasks and BITSAdmin, used to extend attackers' control throughout a compromised network.
"The challenge is that they are using the native tools in the environment that they are attacking," Dell SecureWorks' Burdette says. "Often, the attackers end up knowing the network better than their victims."
The simplest way to prevent many of these security attacks is to use a second, or even third, factor for remote access to any important accounts. Doing so can mitigate the risk of a user entering their password into a fake site or installing a malicious application. In addition, tools for tracking privilege users and detecting anomalous user behavior can alert security teams when a user is attempting to access parts of the network or databases that they are not allowed to log into. Such an approach also defends against insider threats.
Security companies are also aiming lower in the operating-system stack, essentially running their software in a position where they can observe all activity on the device. Whether this is done through instrumentation or virtualization, the technique can create better endpoint protection software that does not attempt to recognize a signature but an objective, says SentinelOne's Shamir. Adversaries could use packers or encryption to change the digital pattern of a keylogger but the software still needs to tap into the keyboard driver, he says.
"Because we are that low in the kernel, we don't care if you are encrypting your data or using a metamorphic approach, because at some point you have to execute your payload," Shamir says. "So we don't need to see the sample beforehand, unlike antivirus software."
Stopping the data from getting out
Attackers are also focusing on improving their ability to sneak data out of the target network. Called exfiltration, the act is the way an attacker gets paid for all their effort -- copying intellectual property, diplomatic cables, credit-card numbers or usernames and passwords. Because creating a secure environment is so difficult in a dynamic business environment, companies often need to put a greater focus on responding to breaches and blocking attackers from achieving their aims, says Verizon's Nguyen-Duy.
"The thinking in the industry now is that, if you are a large company, you are already breached," he says. "We have stopped thinking about attacks in terms of preventing them; it is really now about trying to stop the exfiltration of the data itself."
Reamer & Associates' Peterkin agrees, and argues that any information-security program needs to have two prongs: An effort to protect the devices and computers employees use and protection around the data.
"As much as possible focus on the endpoints, but with the understanding that they will always be compromised -- someone will always click on a link or there will be a vulnerability that does not get patched," he says. "At the same time, you need to prevent the breach, so make sure that your data repositories are actively monitored."
Preventing attackers from achieving their aims is perhaps where the greatest changes will come in the next few years.
Companies are finding more efficient and effective ways to identify important data and encrypt it. Some endpoint technologies, such as the distributed data platform from startup Ionic Security, promises the ability to pervasively encrypt nearly all data and set granular access controls so that only the right people have access to the information. In addition, such techniques could allow companies to retroactively prevent access to stolen data, if they know they have been breached.
Pervasive encryption combined with continuous monitoring of data stores could prevent even successful attackers from turning a compromise into an actual breach, says IBM's Kuhn.
"Once you have the database, you have the data," he says. "If you can make that data worthless, then you can defeat the attacker, but we have to pick these things up much earlier in the chain, so they do not become much more serious down the road."
In the end, the fundamental change is not a particular technology but the mindset. Rather than focus on a specific technology that could solve security -- the proverbial "silver bullet" -- companies are looking at security attacks as a business risk that needs to be mitigated, says Verizon's Nguyen-Duy.
"In many ways, we have gone from prevention and detection to risk mitigation," he says. "When you talk to CISOs across the world, what they are being asked is to talk about the risk posture."
Robert Lemos is an award-winning technology journalist who has reported on computer security and cybercrime for 18 years. He currently writes for several publications focused on information security issues.
Use crypto-free zones to defend against advanced attacks
What you need to know about long-duration APT attacks
How to keep pace with endpoint security products