Published: 05 May 2013
Cybercriminals of all persuasions now easily and routinely bypass existing enterprise security defenses by blending into the background noise of an organization’s operations. These advanced attacks now take place over months and years, subverting traditional malware-detection products that only scan for known malware at a given point in time.
For example, a newly discovered Trojan called APT.BaneChant uses multiple detection-evasion techniques, including masquerading as a legitimate process, monitoring mouse clicks to avoid sandbox analysis and performing multibyte XOR encryption to evade network-level binary extraction technology. It also uses fileless malicious code loaded directly into memory and escapes automated domain blacklisting by using redirection via URL shortening and dynamic DNS services.
Such attacks are testing the limitations of existing security analytics tools, and the recent Mandiant Corp. APT1 report shows just how long-running and sophisticated cyberespionage campaigns have become. According to the 2013 Cyber Threat Readiness survey conducted by LogRhythm, an alarming 75% of respondents lack confidence in their ability to recognize key indicators of a breach.
Many reported breaches have originally gone undetected with most discovered not by the in-house security team, but by a third party.
Enterprises can no longer rely solely on endpoints to stop this type of malware infection. Additional dynamic before-the-fact defenses must be implemented to effectively combat advanced attacks at all layers and identify behaviors not seen before. Thankfully many security vendors are starting to upgrade their intelligence-driven security products to counter the problem of today’s advanced threats.
Big data analytics
One common approach is the incorporation of security big data analytics to aid the discovery of malicious activity hidden deep in the masses of an organization’s network traffic. Big data is defined any type of data, structured and unstructured, that can provide incite in to network activity. Enterprises create colossal amounts of data: emails, documents, social media data, audio, click streams, network traffic, and log files (both historical and real-time of files being accessed), registry changes made, and processes starting and stopping. Other system information, such as processor or memory utilization, can highlight unexpected changes in the status of a system while external threat intelligence feeds can further clarify what’s normal or acceptable by not limiting analysis to just the data created by one organization. While this data has for years been stored in siloed repositories or disparately throughout an enterprise, the dire realities of today's attack landscape have fostered new demand for technology that can aggregate this data, analyze it quickly and develop clues pointing to advanced attacks that would otherwise go undetected.
Although security information and event management (SIEM) products offer a central point of collection and monitoring for enterprise activity data, they have been mainly deployed in order to meet compliance reporting requirements, particularly with the merchant-focused Payment Card Industry Data Security Standard (PCI DSS). Few organizations actually use the technology’s event-correlation capabilities and most products don’t provide enough in-depth visibility to facilitate today’s analytic needs. Vendors are seeking to address this with next-generation SIEM products that widen the scope and scale of data collection and real-time analysis so that diverse events can be put into context to find unusual activity. (It should be noted that network behavioral anomaly detection (NBAD) products do provide this capability, but only at the network layer.)
Real-time analysis using adaptive intelligence of this big data—understanding what’s normal in order to recognize what’s abnormal—can greatly improve the chances of recognizing the indicators of an advanced threat or breach from numerous attack vectors such as advanced persistent threats, fraud and malicious insiders. This pre-attack focus aims to keep a network ahead of attackers and pinpoint potential attack patterns, even if they are spread out over a period of time.
There are plenty of new innovative products coming onto the market. The LogRhythm SIEM 2.0 platform now integrates with Rapid7’s Nexpose vulnerability management product to deliver data security analytics and unified risk assessment capabilities from within the LogRhythm console. IBM is combining security intelligence with big data using the IBM QRadar Security Intelligence and IBM Big Data Platforms to provide a comprehensive, integrated approach to real-time analytics across massive structured and unstructured data. The RSA Security Analytics product uses threat intelligence from the global security community and RSA FirstWatch to leverage what others have already uncovered and improve detection of malicious activity within an organization’s big data.
Scalability, powerful analytical tools, and support for heterogeneous event sources are the most important capabilities when assessing next-generation SIEM products, particularly when it comes to time-sensitive processes such as fraud detection, to ensure that they can process the vast amounts of diverse data. Certainly check that any shortlisted solution creates actionable intelligence based on business context so threats which pose the greatest risk are prioritized. Tools for visualizing and exploring big data are another key feature as they can quickly highlight infected devices and other hot spots.
Sandboxing and whitelisting
SIEM and big data are not the only options when it comes to mitigating today’s threats. Sandboxing and whitelisting are other technologies worth considering. Bit9’s whitelist security software is a trust-based solution using endpoint agents that allows administrators to specify software that can execute on desktops and laptops. A new feature is the ability to leverage the on-demand cloud-based Bit9 Software Reputation Service for highly accurate detection of suspicious malware and associated files.
Sandboxing keeps applications separate so malicious code cannot transfer from one process to another. Any application or content that is unknown can be treated as untrusted and isolated in its own sandbox. McAfee like other security vendors has been acquiring relevant technologies to add to its product range. It plans to offer sandboxing technology in its ePolicy Orchestrator suite in the second half of 2013. By running suspected malware in a sandbox, it can learn what effect it will have on an endpoint and automatically block future occurrences and remediate any already infected endpoints. Fortinet's FortiCloud cloud-based sandboxing service provides an online sandboxing portal to execute suspicious code in a virtual environment.
Of course, security teams need to extend threat detection and protection to the mobile devices connecting to their networks, particularly as mobile device users are at least three times more likely to become victims of phishing attacks than desktop users. The Mobile Threat Network from Lookout Mobile Security delivers over-the-air protection to mobile users. Lookout is another product that uses a big data analysis approach to spotting malware and predicting where it will crop up next. Enterprises running their own app stores can also use the Lookout API to ensure that the apps offered are safe. The RSA FraudAction Anti Rogue App Service also detects any malicious or unauthorized mobile apps that infiltrate online app stores.
Whichever advanced threat detection technology an organization deploys, its effectiveness will depend on those configuring and monitoring it. People are always going to a big part of any threat management program. Administrators must learn how to use emerging technology effectively so that it actually provides additional protection. Training such as Symantec’s Cyber Threat Detection and Incident Response Training as well as the many in-depth training courses provided by SANS and others will help staff understand how to identify threats and respond and recover from malicious events.
As with any new IT technology, it’s important not to get caught up in vendors' marketing hype. Concentrating more on detection and response doesn’t mean that point defense technologies like firewalls and antivirus are no longer relevant. Securing any network will still require documented policies and procedures as a foundation for success. Classification of assets and data is essential and remember that although threat management begins with threat identification, remediation is also an essential part of a successful threat management process.
About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He is a noted security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance.