Article contributed by Leon Ward, Field Product Manager, Sourcefire
The first PC viruses appeared more than 25 years ago. Little did we realise that this was just the beginning of what would become a series of threat waves.
For nearly 10 years viruses endured as the primary method of attack, but over time were largely matched by defenders’ talents to block and protect against them. Motivated by the notoriety and knowledge gained by discovering and publicising a new vulnerability, attackers continued to innovate. What ensued were distinct threat cycles. Approximately every five years attackers would launch new types of threats and defenders would protect against them – from macro viruses to worms to spyware and rootkits.
It’s no surprise that we can map these cycles to major technology shifts that presented new attack vectors. Early viruses targeted primarily the operating system and were spread by the ‘sneaker net.’ Macro viruses took advantage of users sharing files. Worm-type threats that moved from machine to machine leveraged enterprise networks and the increasing use of the internet. And spyware and rootkits emerged with new applications, devices and online communities.
This brings us to today, when we find ourselves combatting advanced malware, targeted attacks and advanced persistent threats (APTs). Is this just the latest threat wave, or is this more akin to a tsunami? A confluence of factors makes these threats more damaging than anything we have experienced in the past. These factors include:
- An explosion of attack vectors. The advent of mobilisation, bring your own devices (BYOD), virtualisation and the cloud have spurred a breadth of new devices, infrastructure and networks, and a range of operating systems and applications that provide new, efficient mechanisms to transport malware and conduct attacks. And while social media, mobile applications, web sites and web-enabled applications have created new ways for a variety of users to connect (employees, partners, customers), they have also exposed individuals and organisations to new inbound and outbound security threats.
- Market dynamics. The organised exchange of exploits is growing in strength and has become lucrative with the open market helping to fuel this shift from exploitation to disruption and destruction. And as nefarious types have realised there is value to be gained, the work has become more standardised, mechanised and process driven. It’s even common practice now for hacker groups to follow software development processes, like QA testing or bench testing their products against security technologies before releasing them into the wild.
- Stealthier attacks. There are now significant financial incentives for secrecy and many organisations motivated to launch attacks that result in economic or political gain, with little chance of retribution or prosecution. New methods to circumvent protection like port hopping, tunneling, droppers and botnets have made it easier, faster and cheaper for hackers to get in and increasingly difficult for defenders to see them and keep them out. Compounding the elusiveness, the attacks themselves can change rapidly as they progress through the enterprise seeking a persistent foothold and exfiltrating critical data.
So, how do we raise our game to defeat this new class of attackers? It’s no longer enough to focus solely on detection and blocking. When an attack does happen we need to be prepared to marginalise the impact of an attack and stop reinfection. This requires expanding our vigilance with an approach that enables visibility and control across the enterprise and along the full attack continuum. Below are five steps to consider as you evolve your security strategy:
- Detect and Block at the Perimeter and Inside the Network. It’s good practice to handle threats as close to the perimeter as possible to prevent malware from entering the network and potentially infecting endpoint devices. Consider a network-based malware detection appliance that can identify and protect against malware without sacrificing performance. However, even the best detection and blocking only goes so far. Once advanced malware enters your network, assume it will attempt to infect other systems until reaching the ultimate target. It’s wise to also look for malware and other attacks on protected network segments housing sensitive technology assets.
- Assess and Protect Endpoints. A layered defence is your best strategy; endpoints aren’t always connected to a corporate network and thus need protection too. Identify endpoint protection solutions that are lightweight and don’t hinder device performance to ensure user experience isn’t impacted.
- Analyse Threats through Context. Not all threats are created equal. Technologies that see and correlate extensive amounts of event data can use this context to pinpoint compromised devices based on behavioural characteristics. By maintaining visibility of all file activity happening within the organisation and tracking egress traffic, you can watch for exfiltration of critical data and communication with malicious sites to identify targeted systems that might have gone unnoticed.
- Eradicate Malware and Prevent Reinfection. Upon finding a malware infection, simply quarantining the device and cleaning it isn’t enough. To eliminate the malware and prevent reinfection consider technologies that can track every file on every device so that you can identify ‘Patient Zero’ (the first malware victim), the malware trajectory and all instances throughout the enterprise.
- Remediate Attacks with Retrospective Security. Advanced malware protection should also alert about files subsequently identified as malware for retrospective remediation. Blocking or continuing to track and analyse suspicious files against real-time threat intelligence is particularly important in this latest threat wave with attacks that can constantly change once they’ve entered the network.
And remember, before you breathe a sigh of relief leverage what you’ve learned along these five steps and be sure to implement integrated rules on the perimeter security gateway, within security appliances protecting internal networks and on endpoints to detect and block the same attack.
This latest threat cycle is like nothing we’ve ever seen. But just as attackers have continued to innovate so have we as defenders. By using the latest techniques and technologies we can mitigate the damage from these advanced threats and protect ourselves from future attacks.
Sourcefire Ltd is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk