Stop Playing Whack-A-Mole with Advanced Threats
As more and more details about the Target breach have emerged, security experts, bloggers and media have focused on why Target failed to react to alerts from zero day malware point products that allegedly indicated there was malware in the network.
According to a Bloomberg BusinessWeek article, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target's headquarters in Minneapolis, who apparently failed to follow up. In fact, according to this Network World article, major companies often do not react to these alerts because they receive so many false positives that it takes too many resources to act on them.
Whether or not someone should have acted on the information is beside the point. The takeaway from this breach is that the strategy of tackling modern, advanced attacks via point products is flawed. The modern attack cycle, and the cybercriminals behind it, form a sophisticated system for attacking enterprises. (Just think about the definition of APTs – advanced, persistent threats). Trying to defend against them with one-off point solutions is like playing a whack-a-mole game, always one step behind the attacker and trying to play catch-up with the alerts as they’re received. A tactical, negative enforcement approach using point solutions means that organizations are constantly trying to keep up with bad things in the network without proper context.
Jon Oltsik of Enterprise Strategy Group in his report entitled “Advanced Malware Trends, Opinions and Strategies” outlined this very eloquently:
“Following a historical pattern, many organizations want to address new types of malware with new kinds of threat prevention technologies. After all, this strategy worked reasonably well against e-mail threats, web threats, and endpoint threats in the past. Why not just buy another appliance to block new types of malware?
Unfortunately, this strategy will simply add another one-off solution to an already chaotic security infrastructure. ESG believes that this type of enterprise security infrastructure based upon independent point tools and manual processes will ultimately fail because it is no match for the scale, sophistication, and complexity of modern IT and cyber threats.”
Addressing Cyberattacks via a Positive Enforcement Model
A better philosophy to addressing modern attacks is via a positive enforcement model. Positive enforcement implies that you selectively allow what is required for day-to-day business operations as opposed to a negative enforcement approach where you would selectively block everything that is not allowed.
When adopting a positive enforcement model, you would:
• Only enable applications, their application functions and content for certain groups and users. For example, “John” from “group Finance” can access the PCI zone using the “Oracle” application. All other traffic is explicitly denied. (Oh, and by the way, if you’re still using security appliances that classify traffic based on ports and protocols, you’re out of luck!).
• Next, for the application traffic that you’ve allowed in your network, you would inspect the applications for known threats, ensuring that common vulnerabilities are not being exploited by attackers.
• Sandboxing technology is then used to inspect unknown files for zero day malware that may have been downloaded by a gullible user in the network, or used to infect servers in the datacenter. Note that the sandboxing technology to inspect for unknown threats becomes the last line of defense, not a reactionary first line of defense.
• Information about zero day malware found via this sandboxing technology should then be used to create threat signatures to ensure no further infection or malware propagation in the network. In addition, indicators of compromise such as command and control domains and DNS information should be fed into other threat prevention functions (like URL blocking for the new command and control domains), rapidly turning these unknown threats into known threats.
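The four steps above, as an added example that is not part of the original post or any vendor's product code: a constructed allow-list keyed on group, application and zone with default deny, known-threat inspection of allowed flows, sandboxing of files the signatures have never seen, and a feedback function that folds sandbox verdicts back into the signature and C2 domain sets. All rule values, hashes and domains are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed allow-list: who may use which application into which zone.
# Matching is on application identity, not on port or protocol.
ALLOW_RULES = [
    {"group": "Finance", "app": "oracle", "zone": "PCI"},
    {"group": "Engineering", "app": "ssh", "zone": "DevLab"},
]


@dataclass
class ThreatIntel:
    """Known-threat state; it grows as sandbox verdicts turn unknowns into knowns."""
    malware_hashes: set = field(default_factory=set)
    clean_hashes: set = field(default_factory=set)
    c2_domains: set = field(default_factory=set)


def evaluate(flow, intel):
    """Apply the positive enforcement model to one flow; return (verdict, reason)."""
    # Step 1: only explicitly allowed group/app/zone combinations pass; everything
    # else is denied, so an unmatched flow is a signal worth looking at, not noise.
    if not any(all(flow.get(k) == v for k, v in rule.items()) for rule in ALLOW_RULES):
        return "deny", "not in allow-list"
    # Step 2: inspect the allowed application traffic for known threats.
    if flow.get("dst_domain") in intel.c2_domains:
        return "block", "known C2 domain"
    file_hash = flow.get("file_hash")
    if file_hash in intel.malware_hashes:
        return "block", "known malware signature"
    # Step 3: a file no signature has seen goes to the sandbox, which is the
    # last line of defense behind the allow-list and known-threat checks.
    if file_hash and file_hash not in intel.clean_hashes:
        return "sandbox", "unknown file"
    return "allow", "known-good application traffic"


def ingest_sandbox_verdict(intel, file_hash, malicious, c2_domains=()):
    """Step 4: fold a sandbox result back into signatures and domain blocking."""
    if malicious:
        intel.malware_hashes.add(file_hash)
        intel.c2_domains.update(c2_domains)  # feeds the URL/domain block function
    else:
        intel.clean_hashes.add(file_hash)    # avoid re-sandboxing a benign file
    return intel
```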
Benefits of a Positive Enforcement Model Approach
There are several benefits to this approach:
• Context - Effective security for organizations is about building good context and managing risks. This positive enforcement model can be applied to various segments of the network, providing context and understanding of what is traversing the network. If the proper context is known about a particular segment being protected, any alerts can be acted on with the appropriate urgency.
• Reduce attack surface - This positive enforcement approach also reduces the attack surface. By only allowing certain applications and application functions for user groups, any unknown traffic becomes more significant, and can signify hacker or malware activity or an unknown application.
• Systems approach to the attack lifecycle – The most important aspect of the approach above is transforming information about unknown zero day malware into known information that can be part of the arsenal of protection. Just as cybercriminals use information found in the network to learn, adapt and refine their malware techniques to get to their target data, a proper systems-based threat prevention solution will continually learn and adapt to new threats.
If you’ve reacted to the latest zero day malware with a point product du jour, it’s time to take a step back and rethink your strategy. Sandboxing should only be one of many components in an integrated positive enforcement model approach to dealing with malware.
Related Reading: Target's Data Breach - The Commercialization of APT