Deep Inside Your Network: The Reality of Advanced Threats and the Technology Needed to Fight Them
So far this year, the Washington Post, Wall Street Journal, New York Times and Bloomberg News joined the ranks of U.S. defense contractors, leading Internet and energy companies penetrated by hackers using advanced threats and targeted attacks.
For years we’ve built strong perimeters and complex firewall rules to keep the enemy out—deploying more and more security point-products along the way in an effort to stay ahead of the threat. Now, attackers simply slice through these ‘robust fortresses’ with a well-aimed phishing attack or advanced Web browser exploit. And, once they are in our network, they stay in.
Advanced Persistent Threats (APTs) are advanced because they get in – 72% of them compromise their target in seconds or minutes. And APTs are persistent because they stick around for a long time – 72% of them take weeks, months or years to discover. In this series of articles, I will focus on advanced threats and targeted attacks and the emerging security tools needed to find and defeat them.
Solving the problem of today’s advanced threat landscape requires knowing our attackers and what we must protect. However, our networks are rapidly evolving. So are the devices and users that are on them. Not all are welcome. In enterprises and organizations all over the world, we have multiple hostile parties on our networks. Let’s take a look at the most prominent among them:
1) ‘Opportunistic infections’ of botnets and malware, without specific targeting by hackers
Opportunistic malware is the kind of untargeted malware that infects users every day when surfing the Internet. It often consists of classic botnets used for sending spam email or clickjacking. The objective of opportunistic malware is often to expand the number of bots – as opposed to harvesting the value of the infected endpoints. The DNSChanger botnet, for example, enabled clickjacking and infected over four million devices until it was deactivated in 2012. Just weeks ago, Microsoft Corp and Symantec Corp – along with the U.S. Marshals Service – helped disrupt the Bamital botnet, a global cybercrime operation that hijacked nearly a million PCs for use in ‘click fraud’ schemes. Today, these opportunistic infections are being replaced by more advanced threats.
2) Targeted malware placed by cybercriminals focused on stealing information and money
Like other hostile parties, cybercriminals continue to evolve in sophistication. Today, criminal organizations are modifying Nation State malware for their own use. Sophisticated malware such as Stuxnet and Red October has spread so widely that it has ultimately fallen into criminal hands. Unfortunately, cybercriminals have been heavily focused on reverse engineering and emulating these advanced threats. Those involved in corporate espionage have already learned to harness the document-stealing abilities of the Zeus banking Trojan to carry out their goals surreptitiously and effectively. As of today, Zeus has stolen hundreds of millions of dollars from bank customers globally. And bank Trojan kits are now easily converted into corporate theft malware.
3) Hacktivists looking for secrets that can be leveraged to publicly damage an organization or enterprise
Two years ago the world was rocked by the onslaught of Anonymous and LulzSec, and by the discovery of remote access tools (RATs) on secure networks. The compromise of RSA’s SecurID, which enabled APTs to take hold throughout the federal military complex, meant one thing for sure: things were changing, and they were changing fast. And, with the evisceration of HBGary Federal by Anonymous, the world was able to get a sense of the advanced skill-set acquired by certain hacktivist groups. In recent months, the hacktivist group behind Operation Ababil has used sophisticated DDoS attacks to effectively knock all the major U.S. banks offline. And last week’s Federal Reserve breach by Anonymous – likely the result of an SQL injection – once again proved that hacktivists are powerful enemies to those they target.
4) Unauthorized and unmanaged BYODs (bring your own device), which can provide encrypted backdoors into the network
From within one’s own firewall, large BYOD initiatives have brought thousands of consumer-level devices onto our networks. Many devices are compliant with policy, while others are acting in excess of authority. Protected information is leaving our networks this very second – often through covert encrypted tunnels.
5) Targeted malware placed by nation states focused on stealing information or intellectual property.
As 2013 has already revealed, we are seeing a huge rise in nation states that are involved in corporate espionage. In recent months, the discovery of Red October, Stuxnet, Flame and Duqu has highlighted the involvement of well-financed adversaries penetrating global networks with ease. On February 1, 2013, the Washington Post admitted it had been hacked. It was the fourth announcement by a major news organization that very same week – with all stating that Chinese hackers had deeply penetrated their networks searching for confidential information. Throughout 2013 and beyond, more complex malware created by Nation States will certainly be found on U.S. corporate networks.
A new imperative for a ‘post-prevention’ world
These adversaries, together with the increasing attack surface area of today’s enterprise networks, require a rethinking of our defensive strategies. In today’s post-prevention world, we can no longer live in denial: successful breaches on highly fortified networks are inevitable, and the scope of targeted enterprises and organizations widens day by day.
What used to protect us has stopped working (and perhaps it did a long time ago). Prevention of security breaches and data loss from enemies without and within is no longer realistic. Nor should it be our focus, because it forces us to myopically focus on the perimeter. Once attackers are past our perimeter – via an advanced targeted attack – they own our network. A modern, multi-layered defense is now required, and we must find and expose these network penetrations before they extract a heavy toll on our businesses by stealing our most valuable data. It is likely that cyberattackers are already on our networks, so we must focus on attaining the context and visibility needed to find and eradicate them.
But progress is occurring, albeit slowly. As organizations adjust to today’s ‘post-prevention’ world, the inevitability of targeted attacks and security breaches is now accepted by even the most fortified enterprises and organizations. As such, there is a shift toward ‘preparedness’. With this shift comes a need for network visibility, security analytics and threat intelligence to cope with an increasingly dangerous threat. The evolution of advanced malware and zero-day attacks requires a new approach: one that includes Big Data security intelligence and analytics and advanced threat protection technology that can effectively find threats and attacks while providing packet-, flow- and file-level visibility of data exfiltration and malware infiltration on the network. This new approach not only brings visibility to threats and attacks that were heretofore undetected, but also provides a strong post-breach security system to mitigate risk.
Historically, the IT security strategy of enterprises has been to add new layers of prevention. The average enterprise has built a sizable fortress, with over a dozen security technologies deployed on the network alone. Yet, as hackers succeed in bypassing nearly every layer, the difference between an A+ security fortress and an F- security fortress in its ability to prevent targeted attacks is irrelevant given an attacker’s resources and motivation. This is why many enterprises and agencies are realizing the antiquated approach is not sufficient.
How to win: effective security and CRIME
The requirement for effective detective controls has been made clear in recent months, with the disclosure of more and more successful security breaches. Currently, the focus of unfriendly Nation States and cyberhackers continues to be on information theft. These recent attacks have focused on very high-value and well-defended targets covering a host of industry verticals—defense contractors, aviation, oil and gas, governments, finance, big pharma and big banks among them.
Companies will be breached, and we should focus on identifying infections faster and sooner, rather than allowing them to persist for weeks, months or years. Real visibility of network traffic – taking content, context and metadata into account – is the key to ensuring low false positives. With APT-type attacks, hackers leave multiple backdoors, so in order to ensure eradication of advanced threats and attacks, all of these must be found and neutralized. To succeed, we have created the CRIME methodology. The CRIME methodology for dealing with threats on the network includes: Context, Root Cause, Impact, Mitigation and Eradication. Only if you have visibility and context of network events, anomalies and attacks can you identify root cause, determine impact and begin effective mitigation and eradication measures.
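The flow-level visibility the column calls for, as an added example that is not part of the original article: a check over constructed flow records for the shape a covert encrypted egress tunnel tends to have (long-lived, upload-heavy, to an external host), with hits grouped per internal host to feed the CRIME ‘Context’ step. The thresholds, port set and internal prefixes are assumptions chosen for the sample data.

```python
# Added example, not from the column: flow-level check for the shape a covert
# encrypted egress tunnel tends to have (long-lived, upload-heavy, to an
# external host), grouped per internal host for the CRIME 'Context' step.
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport duration_s bytes_out bytes_in")

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENCRYPTED_PORTS = {443, 22}   # assumption: ports whose payload we cannot inspect
MIN_DURATION_S = 600          # assumption: thresholds tuned for the sample
MIN_UPLOAD_RATIO = 5.0
MIN_BYTES_OUT = 1_000_000

def is_internal(addr):
    return any(ip_address(addr) in n for n in INTERNAL_NETS)

def is_suspect(f):
    """True for an outbound encrypted flow that is long-lived and upload-heavy."""
    if is_internal(f.dst) or f.dport not in ENCRYPTED_PORTS:
        return False
    ratio = f.bytes_out / max(f.bytes_in, 1)
    return (f.duration_s >= MIN_DURATION_S and f.bytes_out >= MIN_BYTES_OUT
            and ratio >= MIN_UPLOAD_RATIO)

def suspects_by_host(flows):
    """Context per internal host: external destinations, bytes out, flow count."""
    ctx = defaultdict(lambda: {"dsts": set(), "bytes_out": 0, "flows": 0})
    for f in flows:
        if is_suspect(f):
            ctx[f.src]["dsts"].add(f.dst)
            ctx[f.src]["bytes_out"] += f.bytes_out
            ctx[f.src]["flows"] += 1
    return dict(ctx)

# Constructed sample records: normal browsing, a large download, two long
# upload-heavy TLS sessions from one laptop, and an internal SSH backup job.
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "203.0.113.10", 443, 12, 4_000, 180_000),
    Flow("10.0.5.21", "203.0.113.10", 443, 900, 80_000, 600_000_000),
    Flow("10.0.5.42", "198.51.100.7", 443, 3600, 250_000_000, 1_200_000),
    Flow("10.0.5.42", "198.51.100.7", 443, 2700, 90_000_000, 900_000),
    Flow("10.0.5.42", "10.0.9.3", 22, 7200, 500_000_000, 2_000_000),
]

if __name__ == "__main__":
    for host, c in suspects_by_host(SAMPLE_FLOWS).items():
        print(host, sorted(c["dsts"]), c["bytes_out"], c["flows"])
```

Only the laptop at 10.0.5.42 is reported, with both TLS sessions and 340 MB out to one external host; the internal backup job and the large download are not flagged.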
In the past, our focus has been on compliance, where our peers set the bar to a reasonable height and focused on meeting it. The game has unfortunately changed and our enemies are clearing our bar with ease. We must raise the bar. Our focus should be on effective security, which includes finding and eradicating that which has flown under the radar of our current defenses. To achieve effective security in today’s advanced threat landscape, we need security intelligence, visibility and context to improve effectiveness and reduce the window of opportunity for threats and attacks. What’s more, we need to better understand our attackers so as to build a modern strategy to defeat them – which is the basis for my upcoming SecurityWeek columns.