Spring has arrived, so a baseball metaphor like “cover your bases” might be in order, but cybercriminals aren’t playing games. They’re attacking organizations with everything they’ve got. With that in mind, when recommending ways to detect and block zero-day attacks, the language of cyber-warfare seems more appropriate.
The enemy may use extremely devious methods of attack, or they might hide in plain sight. But what their advanced threats have in common today is that they’re new, or modified enough to look new and slip past more traditional defenses.
The reality is that you can’t just rely on a single defense or a silver bullet. While individual products and technologies are important weapons, they operate in a silo and lose sight of the bigger picture. What’s really needed is a fast and fully integrated platform comprising multiple sophisticated technologies—a platform that can assess threat levels, and leverage contextual information shared from other products to take decisive, proportionate action in response to each attack. To make that integrated platform a reality, consider using a layered, three-pronged plan of attack.
1. Guard the perimeter as if your life depended on it
Defend the network edge by making the most of firewalls, intrusion prevention systems (IPS), web gateways, and other conventional network security solutions—and, by all means, keep them up to date. Not so long ago, this was enough to keep your organization secure. In particular, you could depend on the effectiveness of signature-based technologies alone. But that was before a smarter breed of hackers learned to penetrate those systems by creating new variants and use stealthy techniques to avoid detection in most of today’s security infrastructure. To detect and block zero-day attacks, today’s security technologies must be capable of efficiently detecting these avoidance tricks, as well as determining the safety of an unknown executable even if its signature has never been seen before. This requires an arsenal of signatureless detection capabilities that work together to analyze code behavior, traffic behavior, and reputation. The solution must intelligently extract faint threat signals from the normal noise of network activity to minimize false positives and trigger suitable defense responses.
2. “Know the enemy and know yourself…”
The quote is from Sun Tzu and The Art of War. Live by his words and you “need not fear the result of a hundred battles.” His advice still rings true even after 2,500 years. However, the problem today is rather than a hundred battles, we’re talking thousands—every day.
Knowing today’s enemy requires deep analysis of anything resembling a serious threat, and given the mind-numbing increase in advanced malware, one of the most effective methods deployed these days is sandbox technology. These products provide an in-depth analysis of unknown files and code by evaluating them in a secure environment. Unfortunately, malicious actors have figured out how to avoid detection in most of today’s sandboxing products. Therefore, beyond observing behavior, sandboxes must be able to broaden detection capabilities for highly camouflaged, evasive threats. Additionally, sandboxes must be able to feed critical threat data to solutions that can take immediate action. In essence, ensuring sandboxes are part of the fully integrated platform mentioned above is critical to maximize detection and reduce security related incidents.
3. Build a security apparatus based on pre-emptive self-defense
Modern security systems must have the integrated intelligence to detect and contain dangerous threats before breaches occur. What’s more, they must be able to differentiate serious threats from those that can be easily dispatched or ignored. There has to be a way for all security control elements to quickly leverage the strengths and experiences of the others around them. In that regard, I’m talking about sharing intelligence not just between hardware and software but among humans as well. In this battle, every possible advantage must be brought to bear. Global, local, and third-party threat intelligence and organizational knowledge must come together to detect and deter our common enemy.
Keeping pace with the evolving threat environment is never going to be easy. The only way to stay current and effective is to evolve ourselves—constantly integrating, coordinating, and improving our technologies and our collective efforts. We need to do everything in our power to stay one step ahead of those who want to cash in or cause us harm. In other words, every day, we need to be more dedicated and smarter than they are.