Stop Playing Whack-A-Mole with Advanced Threats

As more and more details about the Target breach have emerged, security experts, bloggers and media have focused on why Target failed to react to alerts from zero-day malware point products that allegedly indicated there was malware in the network.

According to a Bloomberg BusinessWeek article, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target’s headquarters in Minneapolis, who apparently failed to follow up. In fact, according to this Network World article, major companies often do not react to these alerts because they receive so many false positives that it takes too many resources to act on them.

Whether or not someone should have acted on the information is beside the point. The takeaway from this breach is that the strategy of tackling modern, advanced attacks via point products is flawed. The modern attack cycle, and the cyber criminals behind it, use a sophisticated system to attack enterprises. (Just think about the definition of APTs – advanced, persistent threats.) Trying to defend against them with one-off point solutions is like playing a whack-a-mole game: always one step behind the attacker, trying to catch up with the alerts as they’re received. A tactical, negative enforcement approach using point solutions means that organizations are constantly trying to keep up with bad things in the network without proper context.

Jon Oltsik of Enterprise Strategy Group in his report entitled “Advanced Malware Trends, Opinions and Strategies” outlined this very eloquently:

“Following a historical pattern, many organizations want to address new types of malware with new kinds of threat prevention technologies. After all, this strategy worked reasonably well against e-mail threats, web threats, and endpoint threats in the past. Why not just buy another appliance to block new types of malware?

Unfortunately, this strategy will simply add another one-off solution to an already chaotic security infrastructure. ESG believes that this type of enterprise security infrastructure based upon independent point tools and manual processes will ultimately fail because it is no match for the scale, sophistication, and complexity of modern IT and cyber threats.”


Addressing Cyberattacks via a Positive Enforcement Model

A better philosophy for addressing modern attacks is a positive enforcement model. Positive enforcement means that you selectively allow only what is required for day-to-day business operations, as opposed to a negative enforcement approach, where you selectively block what you know is bad and everything else gets through by default.

When adopting a positive enforcement model, you would:

• Only enable applications, their application functions and content for certain groups and users. For example, “John” from “group Finance” can access the PCI zone using the “Oracle” application. All other traffic is explicitly denied. (Oh, and by the way, if you’re still using security appliances that classify traffic based on ports and protocols, you’re out of luck!)

• Next, for the application traffic that you’ve allowed in your network, you would inspect the applications for known threats, ensuring that common vulnerabilities are not being exploited by attackers.

• Sandboxing technology is then used to inspect unknown files for zero day malware that may have been downloaded by a gullible user in the network, or used to infect servers in the datacenter. Note that the sandboxing technology to inspect for unknown threats becomes the last line of defense, not a reactionary first line of defense.

• Information about zero-day malware found via this sandboxing technology should then be used to create threat signatures to ensure no further infection or malware propagation in the network. In addition, information about indicators of compromise, command-and-control domains and DNS information should be fed into other threat prevention functions (like URL blocking for the new command-and-control domains), rapidly turning these unknown threats into known threats.
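The four steps above as one small, added Python example (not code from the article or any vendor product): an allow-list of (group, application, zone) tuples with explicit default deny, inspection of allowed traffic against known-bad hashes and blocked domains, a sandbox for unknown files, and the feedback loop that turns a sandbox finding into a signature and a domain block for every later flow. The `Flow`/`Enforcer` names, the hashes and the `fake_sandbox` stub are all constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

@dataclass
class Flow:
    user: str
    group: str
    app: str                          # application identified by content, not by port
    zone: str                         # destination zone, e.g. the PCI zone
    file_hash: Optional[str] = None   # hash of a file carried by the flow, if any
    dns_query: Optional[str] = None   # domain the flow resolves, if any

@dataclass
class Enforcer:
    allow: Set[Tuple[str, str, str]] = field(default_factory=set)  # (group, app, zone)
    known_bad_hashes: Set[str] = field(default_factory=set)        # threat signatures
    blocked_domains: Set[str] = field(default_factory=set)         # C2 URL/DNS blocking

    def decide(self, flow: Flow, sandbox: Callable[[str], Dict]) -> str:
        # Step 1: only explicitly allowed (group, app, zone) tuples pass; all else is denied
        if (flow.group, flow.app, flow.zone) not in self.allow:
            return "deny:not-allowed"
        # Step 2: allowed traffic is still inspected for known threats
        if flow.dns_query in self.blocked_domains:
            return "deny:known-c2"
        if flow.file_hash in self.known_bad_hashes:
            return "deny:known-malware"
        # Step 3: unknown files go to the sandbox, the last line of defense
        if flow.file_hash is not None:
            verdict = sandbox(flow.file_hash)
            if verdict["malicious"]:
                # Step 4: the unknown threat becomes a known one for every later flow
                self.known_bad_hashes.add(flow.file_hash)
                self.blocked_domains.update(verdict["c2_domains"])
                return "deny:sandboxed"
        return "allow"

# Constructed sandbox stub: exactly one hash "detonates" as malicious and reveals a C2 domain.
SANDBOX_VERDICTS = {"h-unknown-1": {"malicious": True, "c2_domains": {"c2.example.invalid"}}}
def fake_sandbox(file_hash: str) -> Dict:
    return SANDBOX_VERDICTS.get(file_hash, {"malicious": False, "c2_domains": set()})

def run_demo() -> list:
    e = Enforcer(allow={("Finance", "oracle", "pci")})
    flows = [
        Flow("john", "Finance", "oracle", "pci", file_hash="h-unknown-1"),         # sandboxed
        Flow("jane", "Finance", "oracle", "pci", file_hash="h-unknown-1"),         # now a known hash
        Flow("john", "Finance", "oracle", "pci", dns_query="c2.example.invalid"),  # learned C2 domain
        Flow("bob", "Marketing", "oracle", "pci"),                                 # not on the allow-list
        Flow("john", "Finance", "oracle", "pci"),                                  # clean, allowed
    ]
    return [e.decide(f, fake_sandbox) for f in flows]
```

Only the first flow ever reaches the sandbox; the second and third are stopped by what the sandbox taught the enforcer, which is the "unknown becomes known" point of the last step.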

Benefits of a Positive Enforcement Model Approach

There are several benefits to this approach:

Context – Effective security for organizations is about building good context and managing risks. This positive enforcement model can be applied to various segments of the network, providing context and understanding of what is traversing the network. If the proper context is known about a particular segment being protected, any alerts can be acted on with the appropriate urgency.

Reduce attack surface – This positive enforcement approach also reduces the attack surface. By only allowing certain applications and application functions for user groups, any unknown traffic becomes more significant, and can signify hacker or malware activity or an unknown application.

Systems approach to attack lifecycle – The most important aspect of the approach above is transforming information about unknown zero-day malware into known information that can be part of the arsenal of protection. Just as cybercriminals are using information found in the network to learn, adapt and refine their malware techniques to get to their target data, a proper systems-based threat prevention solution will continually learn and adapt to new threats.

If you’ve reacted to the latest zero-day malware with the point product du jour, it’s time to take a step back and rethink your strategy. Sandboxing should be only one of many components in an integrated positive enforcement model approach to dealing with malware.

Related Reading: Target’s Data Breach – The Commercialization of APT
