SecurityWeek
Threat Detection Beyond Two Applications


Imagine this: you wake up tomorrow and realize your security devices are missing nearly 10% of all threats targeting your organization because of a single assumption. Worse, what if that assumption were so pervasive throughout the security industry that it affected nearly every one of your peers? Accepting the status quo is never enough; it lulls you into a false sense of security, one that adversaries are keenly aware of and masters at taking advantage of.

Now, let’s set the stage. The assumption is simple: malware and advanced threats stick to two basic attack vectors: Corporate email (SMTP), and Web-browsing (HTTP). When you examine which applications tend to be most active on corporate networks, you will likely find these two at the top of the list. The same holds true for the delivery of threats, as attackers have learned to hide inside these common applications, since they often offer the path of least resistance.

The vast majority of detection technologies have followed a similar path: scan for threats only on Web and SMTP. As an industry, we have invested tremendous resources into these two vectors, building walls and advanced detection techniques, often stacked on top of each other. While protecting Web and email is incredibly important, a very old phrase springs to mind: "You're missing the forest for the trees." This approach inherently relies on threats traveling only over these two applications, but there is so much more to the story today:

• Traditional security solutions can only detect threats on two of the hundreds of applications organizations use in the course of daily business, which include popular applications across file-sharing, remote desktop, file-transfer, social media, and many other categories.

• Threats can use any application as an entry point into the network, and are not constrained to just Web and corporate email.

• Advanced threats typically establish a foothold on the endpoint using more traditional means such as Web and corporate email, but often use different applications, across non-standard ports, to deliver secondary payloads.

• Once inside the network, threats will pivot laterally using many different applications, and rely on command-and-control communication to direct their efforts.

I recently had the opportunity to review intelligence on unknown threats delivered to a group of more than 4,200 global enterprise organizations. Keep in mind, these are threats that have never been seen before, and many would have passed through traditional anti-malware technologies, so they represent the most dangerous category of malware. The findings speak for themselves:


• 82.5% of threats come in over SMTP/Port 25

• 9% arrive via Web-browsing/Port 80

• 9.5% are detected over 44 different applications, using a variety of ports. Within that 9.5%, some common sources emerge: POP3, IMAP, FTP, and the Google Play and Apple App stores, among many others.

Now we can come back to the original question: "What would you do if your current security solutions were missing nearly 10% of threats?" I would argue that as we rapidly move toward 2015, security organizations should consider a few critical steps to better protect their networks in the New Year:

• Assess your risk posture by evaluating the number and type of applications being used on your network.

• Establish a baseline of which applications each group of users needs to conduct business; enable those and block all others.

• Build into your security policy the fundamental premise that any application can be used to deliver threats, whether they are known or unknown.

• Choose security technologies that have the ability to detect and prevent threats on applications beyond just Web and corporate email, including those using non-standard ports.

• Consider segmenting your network and scanning for threats at these key points of segmentation to prevent lateral movement.
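To make the steps above concrete, here is an added example, written for this edit and not taken from the column or any vendor product, that triages application-identified flow records against an application baseline. It assumes Zeek-style conn.log records in JSON form (fields "id.orig_h", "id.resp_h", "id.resp_p", "service") plus a hypothetical "user_group" field standing in for a host-to-group lookup; the STANDARD_PORTS, BASELINE and SEGMENTS tables and the log lines are constructed for illustration. It builds the application inventory (step 1), checks each flow against the per-group allow-list (steps 2 and 3), flags identified applications running on ports other than their well-known ones (step 4), and flags flows that cross internal segments, where scanning should occur (step 5).

```python
"""Added example: triage of application-identified flow records against an
application baseline. Hypothetical policy tables and constructed sample data;
not code from the original column."""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Well-known ports per identified application. A flow whose identified service
# is not on one of these ports is reported as "non_standard_port". (Hypothetical.)
STANDARD_PORTS = {
    "smtp": {25, 465, 587},
    "http": {80, 8080},
    "ssl": {443},
    "ftp": {21},
    "pop3": {110, 995},
    "imap": {143, 993},
    "rdp": {3389},
    "ssh": {22},
}

# Per-group allow-list of applications needed for business; anything else is
# reported as "app_not_in_baseline". (Hypothetical policy.)
BASELINE = {
    "finance": {"http", "ssl", "smtp", "imap"},
    "engineering": {"http", "ssl", "smtp", "ssh"},
}

# Internal segments; an internal flow that crosses segments is reported as
# "cross_segment", i.e. a flow the segmentation point should inspect. (Hypothetical.)
SEGMENTS = {
    "user_lan": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
}

# Constructed sample records in Zeek conn.log JSON style (not real traffic).
SAMPLE_LOG = """\
{"id.orig_h":"10.10.1.5","id.resp_h":"203.0.113.10","id.resp_p":25,"service":"smtp","user_group":"finance"}
{"id.orig_h":"10.10.1.5","id.resp_h":"203.0.113.20","id.resp_p":80,"service":"http","user_group":"finance"}
{"id.orig_h":"10.10.1.7","id.resp_h":"198.51.100.9","id.resp_p":21,"service":"ftp","user_group":"finance"}
{"id.orig_h":"10.10.2.3","id.resp_h":"198.51.100.44","id.resp_p":4444,"service":"http","user_group":"engineering"}
{"id.orig_h":"10.10.2.3","id.resp_h":"10.20.5.1","id.resp_p":3389,"service":"rdp","user_group":"engineering"}
{"id.orig_h":"10.10.2.9","id.resp_h":"10.20.5.2","id.resp_p":22,"service":"ssh","user_group":"engineering"}
"""


def segment_of(ip):
    """Name of the internal segment an address belongs to, or 'external'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def application_inventory(records):
    """Step 1: which applications are actually in use, counted by flow."""
    return Counter(r["service"] for r in records)


def triage(records):
    """Return (reason, record) findings for baseline, port and segment checks."""
    findings = []
    for r in records:
        svc, port = r["service"], r["id.resp_p"]
        # Steps 2-3: the application must be on the group's allow-list.
        if svc not in BASELINE.get(r["user_group"], set()):
            findings.append(("app_not_in_baseline", r))
        # Step 4: an identified application on an unexpected port is suspicious
        # regardless of whether the application itself is allowed.
        if svc in STANDARD_PORTS and port not in STANDARD_PORTS[svc]:
            findings.append(("non_standard_port", r))
        # Step 5: internal flows crossing segments are where lateral movement shows up.
        src, dst = segment_of(r["id.orig_h"]), segment_of(r["id.resp_h"])
        if "external" not in (src, dst) and src != dst:
            findings.append(("cross_segment", r))
    return findings


def summarize(findings):
    """Count findings per reason, as a plain dict."""
    return dict(Counter(reason for reason, _ in findings))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("inventory:", dict(application_inventory(recs)))
    for reason, rec in triage(recs):
        print(f"{reason:20} {rec['id.orig_h']} -> {rec['id.resp_h']}:{rec['id.resp_p']} ({rec['service']})")
    print("summary:", summarize(triage(recs)))
```

On the constructed sample, the HTTP flow to port 4444 is caught even though HTTP is allowed for the group, which is the point of checking port against identified application rather than port alone; the RDP flow into the server segment produces two findings (not in baseline, and cross-segment), which is the kind of lateral-movement traffic the segmentation point should be scanning. A production version would take the group lookup from a directory or DHCP lease data and the baseline from observed traffic over a learning period rather than a hand-written table.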

We should never lower our ability to detect threats on the most prevalent applications on corporate networks, but this is not enough. As more organizations build applications other than Web and corporate email into the course of their business, adversaries are taking note and adjusting their tactics. It is no more difficult to deploy malware over FTP than through an email, and your security solutions should have the visibility to prevent these threats just as easily.
