SecurityWeek
Threat Detection Beyond Two Applications

Imagine this: you wake up tomorrow and realize your security devices are missing nearly 10% of all threats targeting your organization because of a simple assumption. Not only this, but what if this assumption was so pervasive throughout the security industry that it affected nearly every single one of your peers? Accepting the “status quo” is never enough, as it lulls you into a false sense of security, one that adversaries are keenly aware of, and masters at taking advantage of.

Now, let’s set the stage. The assumption is simple: malware and advanced threats stick to two basic attack vectors: Corporate email (SMTP), and Web-browsing (HTTP). When you examine which applications tend to be most active on corporate networks, you will likely find these two at the top of the list. The same holds true for the delivery of threats, as attackers have learned to hide inside these common applications, since they often offer the path of least resistance.

The vast majority of detection technologies have followed a similar path: scan for threats only on Web and SMTP. As an industry, we have invested tremendous resources into these two vectors, building walls and advanced detection techniques, often stacked on top of each other. While protecting Web and Email is incredibly important, a very old phrase springs to mind: “You’re missing the forest for the trees.” This approach inherently relies on threats traveling only over these two applications, but there is so much more to the story today:

• Traditional security solutions only have the ability to detect threats on two of the hundreds of applications organizations use in the daily course of business, which include popular applications across file-sharing, remote desktop, file-transfer, social media, and many other categories.

• Threats can use any application as an entry point into the network, and are not constrained to just Web and corporate email.

• Advanced threats typically establish a foothold on the endpoint using more traditional means such as Web and corporate email, but often use different applications, across non-standard ports, to deliver secondary payloads.

• Once inside the network, threats will pivot laterally using many different applications, and rely on command-and-control communication to direct their efforts.

I recently had the opportunity to review intelligence on unknown threats delivered to a group of more than 4,200 global enterprise organizations. Keep in mind, these are threats that have never been seen before, and many would have passed through traditional anti-malware technologies, so they represent the most dangerous category of malware. The findings speak for themselves:


• 82.5% of threats come in over SMTP/Port 25

• 9% arrive via Web-browsing/Port 80

• 9.5% are detected over 44 different applications, using a variety of ports. Within that 9.5%, some common sources emerge: POP3, IMAP, FTP, the Google Play and Apple App stores, among many others.

Now we can come back to the original question, “What would you do if your current security solutions were missing nearly 10% of threats?” I would argue that as we rapidly move toward 2015, security organizations should consider a few critical steps to better protect their networks in the New Year:

• Assess your risk posture by evaluating the number and type of applications being used on your network.

• Establish a baseline for which applications should be used by specific groups of users to conduct business, enabling these, and blocking all others.

• Build into your security policy the fundamental premise that any application can be used to deliver threats, whether they are known or unknown.

• Choose security technologies that have the ability to detect and prevent threats on applications beyond just Web and corporate email, including those using non-standard ports.

• Consider segmenting your network and scanning for threats at these key points of segmentation to prevent lateral movement.
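The two lists above (threats using any application, often on non-standard ports, and the steps of inventorying applications, baselining them per user group, and detecting beyond Web and email) come down to one technical capability: identifying the application from what is on the wire rather than from the destination port, and then comparing what is seen against what each group is allowed to use. The script below is an added example, not code from the column or from any vendor product. It uses a handful of deliberately simplified protocol signatures, a small port-to-application table, a constructed per-group baseline, and constructed flow records (including FTP on port 2121 and SSH on port 443) to show which flows a port-only view mislabels and which ones fall outside the baseline.

```python
import re
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    group: str      # user group of the internal host (constructed label)
    dst_port: int
    c2s: bytes      # first bytes the client sent
    s2c: bytes      # first bytes the server replied with


# Port -> application: what a port-only scanner assumes. Deliberately short;
# anything else is "unknown" to such a scanner.
PORT_MAP = {25: "smtp", 587: "smtp", 80: "http", 8080: "http", 443: "tls",
            21: "ftp", 110: "pop3", 143: "imap", 22: "ssh", 3389: "rdp"}
STANDARD_PORTS: dict = {}
for _port, _app in PORT_MAP.items():
    STANDARD_PORTS.setdefault(_app, set()).add(_port)

_HTTP_REQ = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def identify(flow: Flow) -> str:
    """Port-independent identification from the first bytes of each direction.

    Simplified signatures for demonstration only; a real engine tracks far more
    state and far more protocols than this.
    """
    c, s = flow.c2s, flow.s2c
    if len(c) >= 6 and c[:2] == b"\x16\x03" and c[2] <= 0x04 and c[5] == 0x01:
        return "tls"                      # TLS record carrying a ClientHello
    if c.startswith(b"SSH-") or s.startswith(b"SSH-"):
        return "ssh"                      # SSH version exchange
    if _HTTP_REQ.match(c):
        return "http"
    if c[:5] in (b"EHLO ", b"HELO ") or (s.startswith(b"220 ") and b"SMTP" in s):
        return "smtp"                     # matches ESMTP greetings as well
    if s.startswith(b"+OK"):
        return "pop3"
    if s.startswith(b"* OK"):
        return "imap"
    if s.startswith(b"220"):
        return "ftp"                      # a 220 greeting that is not SMTP
    if len(c) >= 6 and c[:2] == b"\x03\x00" and c[5] == 0xE0:
        return "rdp"                      # TPKT header + X.224 Connection Request
    return "unknown"


def port_view(flow: Flow) -> str:
    """What a port-based scanner would call this flow."""
    return PORT_MAP.get(flow.dst_port, "unknown")


def port_mismatches(flows):
    """Flows a port-only scanner would mislabel or never inspect."""
    return [(f.group, f.dst_port, port_view(f), identify(f))
            for f in flows if port_view(f) != identify(f)]


def app_counts(flows) -> Counter:
    """Application inventory: the first step of assessing what is on the network."""
    return Counter(identify(f) for f in flows)


def baseline_findings(flows, baseline):
    """Apps outside a group's allow-list, plus allowed apps on non-standard ports."""
    findings = []
    for f in flows:
        app = identify(f)
        if app not in baseline.get(f.group, set()):
            findings.append((f.group, f.dst_port, app, "not in baseline"))
        elif f.dst_port not in STANDARD_PORTS.get(app, set()):
            findings.append((f.group, f.dst_port, app, "non-standard port"))
    return findings


# Constructed sample flows (not captured traffic). Three of them deliberately
# run an application on a port a port-based scanner would not associate with it.
SAMPLE_FLOWS = [
    Flow("finance", 25, b"EHLO wks1.example.test\r\n", b"220 mx.example.test ESMTP Postfix\r\n"),
    Flow("finance", 80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow("finance", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03", b"\x16\x03\x03\x00\x5a"),
    Flow("finance", 110, b"USER alice\r\n", b"+OK POP3 ready\r\n"),
    Flow("engineering", 8080, b"GET /build.tgz HTTP/1.1\r\nHost: mirror.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow("engineering", 2121, b"USER anonymous\r\n", b"220 (vsFTPd 3.0.5)\r\n"),   # FTP on a non-standard port
    Flow("engineering", 443, b"SSH-2.0-OpenSSH_9.3\r\n", b"SSH-2.0-OpenSSH_9.3\r\n"),  # SSH hiding on 443
    Flow("engineering", 3389, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00", b"\x03\x00\x00\x13\x0e\xd0"),
    Flow("finance", 8443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03", b"\x16\x03\x03\x00\x5a"),
]

# Constructed per-group baseline: which applications each group may use.
BASELINE = {
    "finance": {"smtp", "http", "tls", "pop3"},
    "engineering": {"smtp", "http", "tls", "ssh", "rdp"},
}

if __name__ == "__main__":
    print("inventory:", dict(app_counts(SAMPLE_FLOWS)))
    for m in port_mismatches(SAMPLE_FLOWS):
        print("port-only view wrong:", m)
    for fnd in baseline_findings(SAMPLE_FLOWS, BASELINE):
        print("baseline finding:", fnd)
```

Against the constructed flows, the port-only view gets three of nine flows wrong (FTP on 2121 and TLS on 8443 are invisible to it, and SSH on 443 is labeled as TLS), while the content-based view feeds an inventory, flags the FTP use engineering is not baselined for, and separately flags allowed applications that show up on ports where the usual inspection path would not look. Threat scanning keyed on the identified application rather than the port is what closes that gap.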

We should never lower our ability to detect threats on the most prevalent applications on corporate networks, but this is not enough. As more organizations build applications other than Web and corporate email into the course of their business, adversaries are taking note and adjusting their tactics. It is no more difficult to deploy malware over FTP than through an email, and your security solutions should have the visibility to prevent these threats just as easily.
