Stop Playing Whack-A-Mole with Advanced Threats
As more and more details about the Target breach have emerged, security experts, bloggers and media have focused on why Target failed to react to alerts from zero day malware point products that allegedly indicated there was malware in the network.

According to a Bloomberg BusinessWeek article, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target’s headquarters in Minneapolis, who apparently failed to follow up. In fact, according to this Network World article, major companies often do not react to these alerts because they receive so many false positives that it takes too many resources to act on them.

Whether or not someone should have acted on the information is beside the point. The takeaway from this breach is that the strategy of tackling modern, advanced attacks via point products is flawed. The modern attack cycle, and the cyber criminals behind it, use a sophisticated system to attack enterprises. (Just think about the definition of APTs – advanced, persistent threats.) Trying to defend against them with one-off point solutions is like playing a whack-a-mole game, always one step behind the attacker and trying to catch up with the alerts as they’re received. A tactical, negative enforcement approach using point solutions means that organizations are constantly trying to keep up with bad things in the network without proper context.

Jon Oltsik of Enterprise Strategy Group in his report entitled “Advanced Malware Trends, Opinions and Strategies” outlined this very eloquently:

“Following a historical pattern, many organizations want to address new types of malware with new kinds of threat prevention technologies. After all, this strategy worked reasonably well against e-mail threats, web threats, and endpoint threats in the past. Why not just buy another appliance to block new types of malware?

Unfortunately, this strategy will simply add another one-off solution to an already chaotic security infrastructure. ESG believes that this type of enterprise security infrastructure based upon independent point tools and manual processes will ultimately fail because it is no match for the scale, sophistication, and complexity of modern IT and cyber threats.”

Addressing Cyberattacks via a Positive Enforcement Model


A better philosophy for addressing modern attacks is a positive enforcement model. Positive enforcement means that you selectively allow only what is required for day-to-day business operations, as opposed to a negative enforcement approach, where you allow everything by default and selectively block what is known to be bad.

When adopting a positive enforcement model, you would:

• Only enable applications, their application functions and content for certain groups and users. For example, “John” from “group Finance” can access the PCI zone using the “Oracle” application. All other traffic is explicitly denied. (Oh, and by the way, if you’re still using security appliances that classify traffic based on ports and protocols, you’re out of luck!)

• Next, for the application traffic that you’ve allowed in your network, you would inspect the applications for known threats, ensuring that common vulnerabilities are not being exploited by attackers.

• Sandboxing technology is then used to inspect unknown files for zero day malware that may have been downloaded by a gullible user in the network, or used to infect servers in the datacenter. Note that the sandboxing technology to inspect for unknown threats becomes the last line of defense, not a reactionary first line of defense.

• Information about zero day malware found via this sandboxing technology should then be used to create threat signatures to ensure no further infection or malware propagation in the network. In addition, information about indicators of compromise, command and control domains and DNS information should be fed into other threat prevention functions (like URL blocking for the new command and control domains), rapidly turning these unknown threats into known threats.
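The four steps above, as an added illustration (this is example code written for this article, not any vendor’s product): a default-deny policy keyed on group, application and zone, a signature check for indicators already known, a sandbox hand-off for files never seen, and a feedback loop that turns sandbox verdicts into new indicators. The rule, zone, domain and hash values are constructed for the example.

```python
"""Positive-enforcement policy engine (constructed example, not vendor code).

A flow is allowed only if an explicit rule matches the user's group, the
application and the destination zone; everything else is denied. Verdicts
from a sandbox on unknown files are fed back as known indicators (file
hashes, C2 domains) so the next encounter is blocked by a signature
instead of being re-analysed. All names and values below are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    group: str   # user group, e.g. "Finance"
    app: str     # application identified by content, not port
    zone: str    # destination segment, e.g. "pci"


@dataclass
class Policy:
    rules: set = field(default_factory=set)
    known_bad_hashes: set = field(default_factory=set)
    known_c2_domains: set = field(default_factory=set)

    def decide(self, group, app, zone, dest_domain=None, file_hash=None):
        """Return the enforcement decision for one observed flow."""
        # Step 2/4: known indicators are cheap, deterministic blocks.
        if dest_domain in self.known_c2_domains:
            return "block-known-c2"
        if file_hash in self.known_bad_hashes:
            return "block-known-malware"
        # Step 1: positive enforcement, implicit deny for anything unlisted.
        if Rule(group, app, zone) not in self.rules:
            return "deny-unlisted"
        # Step 3: an allowed app carrying an unseen file goes to the sandbox
        # as the last line of defense, not the first.
        if file_hash is not None:
            return "allow-and-sandbox"
        return "allow"

    def learn_from_sandbox(self, verdict):
        """Step 4: turn a sandbox verdict into known indicators."""
        if verdict["malicious"]:
            self.known_bad_hashes.add(verdict["sha256"])
            self.known_c2_domains.update(verdict.get("c2_domains", ()))


if __name__ == "__main__":
    policy = Policy(rules={Rule("Finance", "oracle", "pci")})
    print(policy.decide("Finance", "ssh", "pci"))  # deny-unlisted
```

Because the policy denies by default, a flow that hits "deny-unlisted" is itself a high-signal event worth alerting on, which is the context the article says point products lack.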

Benefits of a Positive Enforcement Model Approach

There are several benefits to this approach:

Context – Effective security for organizations is about building good context and managing risks. This positive enforcement model can be applied to various segments of the network, providing context and understanding of what is traversing the network. If the proper context is known about a particular segment being protected, any alerts can be acted on with the appropriate urgency.

Reduce attack surface – This positive enforcement approach also reduces the attack surface. By only allowing certain applications and application functions for user groups, any unknown traffic becomes more significant, and can signify hacker or malware activity or an unknown application.

Systems approach to attack lifecycle – The most important aspect of the approach above is transforming information about unknown zero day malware into known information that can be part of the arsenal of protection. Just as cybercriminals use information found in the network to learn, adapt and refine their malware techniques to get to their target data, a proper systems-based threat prevention solution will continually learn and adapt to new threats.

If you’ve reacted to the latest zero day malware with a point product du jour, it’s time to take a step back and rethink your strategy. Sandboxing should only be one of many components in an integrated positive enforcement model approach to dealing with malware.

Related Reading: Target’s Data Breach – The Commercialization of APT

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bringing new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep learning to detect malware, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.
