Years back, when viruses threatened our infrastructure, the industry responded and changed the battlefield. As the threat landscape continues to evolve so must our defense strategies.
A decade ago traditional IT security threats and their targets were largely unsophisticated. For example, the 2001 Code Red worm infected hundreds of thousands of servers exploiting a known vulnerability for which a patch was already available but generally ignored by users. Similar viruses, like Slammer and Blaster, soon followed and targeted millions of servers and endpoints. No doubt, these viruses were inconvenient and damaging but they were also opportunistic, taking advantage of known weaknesses in some of the most popular software and systems of the time.
This rash of viruses spurred an industry of vulnerability researchers, thousands of individuals looking for flaws and creating exploit-based signatures to quickly defend against these widespread attacks. The effectiveness of these researchers dramatically changed the nature of these threats. Those creating the threats had to become more sophisticated and devise attacks that were increasingly rare and hard to identify.
In today’s world, we still have to deal with mundane vulnerabilities that are discovered every day and keep our systems up to date to protect against them. But in specific instances we also have to worry about a far more sinister problem—Advanced Persistent Threats (APTs). An adversary with an interest in obtaining and maintaining a foothold in a target organization for an extended length of time, an APT has at its disposal sufficient resources—money, equipment and skill—to evolve attacks in direct response to detection capabilities of the target. These groups are typically state-sponsored and interested in data to support political, military and economic objectives.
An increase in the number and sophistication of APTs has compounded the need for swift and effective security measures at all potentially vulnerable points.
A range of new technologies and methodologies have emerged to help combat APTs. For example, cloud-based endpoint security technologies are one way to discover these damaging attacks. They allow organizations to forensically discover APTs with a data-driven approach. Using the community concept inherent in a cloud-based approach, researchers can isolate both common and uncommon processes and applications within their environment. These technologies track the frequency by which applications are seen, comparing them to the broader organization or to the world at large. By zeroing-in on applications that are not common, these solutions can more quickly identify targeted attacks and begin investigation.
Next-Generation Intrusion Prevention Systems that use vulnerability-based rules and contextual awareness can also assist in combating APTs. Vulnerability-based rules can cover hundreds of known and unknown exploits for protection ahead of emerging threats. Contextual awareness provides visibility into the precise composition and expected behavior of the network being protected, the individual users and groups found on the network, and the actual applications and systems that are running on the network.
To further protect specific data or specific users (typically the focus of APTs) these systems must enable the security team to create custom rules that define the behavior allowed on the organization’s specific network and, in effect, lay traps. Leveraging contextual awareness to understand how your network works can make it easier to lay traps for attackers. In a simple example, if your U.S.-based company doesn’t do business in certain countries there is no reason for your users to contact websites in those countries. By deploying simple rules for Domain Name System (DNS) queries for those country-specific domains, or a simple blacklist of IP addresses located in those countries, you can quickly catch network traffic headed in that direction. While this is an overly simple example it shows that customization doesn’t need to be complex. You simply need to be creative in your approach to laying traps.
Other technologies such as targeted analyzers—tools to analyze specific file types (like PDFs) in extreme detail—security information and event management (SIEM) solutions and network forensics systems can also help to provide the necessary data to uncover an attack focused specifically on your organization and identify the potential damage.
A decade ago when viruses threatened our infrastructure, the industry responded and changed the battlefield. As the threat landscape continues to evolve so must our defense strategies.
In contrast to viruses, APTs are selective. Each organization must calculate their risk profile and invest in IT security resources based on that perceived risk. However it is critical to understand that APTs have at their disposal an extensive arsenal when it comes to devising an attack. Organizations must take a similar approach when it comes to protection.
No single weapon can protect an organization from an APT. What’s needed is a defense in depth strategy, with tools that can be modified as the threat landscape changes, technologies that tap into the collective intelligence of a large user community, and experienced staff that can look at the data and accurately interpret it. By combining the right tools, technologies and talent, organizations can enhance their protection in the face of today’s evolving threats.