"There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it."
Gartner published that quote in 2012 in its report Best Practices for Mitigating Advanced Persistent Threats. Back then, people thought it was an alarmist claim, but three years later it is clear that it's anything but. We are now living in the age of advanced, insidious attacks. Need evidence? Take a look back at the numerous data breaches we have seen in the last couple of years: Target, Home Depot, Sony Pictures, White House, German Parliament, JPMorgan, Anthem... just to name a few.
The need to improve protection and detection is felt by all, and some companies have taken the right steps in creating new approaches to tackle these threats, like Breach Detection Systems (BDS) and Next Generation Firewalls (NGF). Both approaches focus on Indicators of Compromise (IoCs) to detect attacks that are already under way inside the network. These solutions are extremely valuable, and help CISOs in their fight to keep their organizations as safe as possible.
However, there are some obvious weaknesses in this approach. There is nothing wrong with analyzing network traffic to find anomalies, but the key is protecting the endpoint.
With the sophistication of these new attacks come more targeted goals from the attackers. They focus on attacking the endpoint, not the network. It is no longer enough to protect the endpoints from an outside view; the old approach fails to tell CISOs what is actually happening on them. When attackers infiltrate using USB devices it only gets worse, as those network-based solutions do not see any of that. Some will say that those threats are not a real danger, but this couldn't be further from the truth - look at Stuxnet, the USB worm used to destroy 1,000+ uranium centrifuges in Iran.
On top of that, those anomaly detections rely mostly on IoCs as their detection mechanism. These IoCs can be anything from URLs and IP addresses to C&C servers. In other words: they are signatures. Advanced security providers have no excuse to charge thousands and thousands of dollars for solutions that rely on outdated detection methods.
These companies are well aware of the limitations and weaknesses, and they try to mitigate them using other layers, such as sandboxing or some kind of virtualization, to learn what the files entering the endpoints are going to do. Those who have been fighting malware know that cybercriminals learned years ago how to get around any sort of virtualization thrown at them. It's one of the first things on their checklist when they are planning such an attack.
What Can Be Done?
Traditional antivirus solutions are not enough, and BDS and NGF only tell you that you've been attacked. At best, they give you a chance to reduce the time you have been compromised, but they don't do much to stop the attack or limit the damage. They can only prevent an attack if it is already known, using the same approach as a traditional antivirus: signatures. What else can a CISO do to really protect his or her organization? What kind of tools or services should be used?
The most capable defense solutions must not only be centralized, but also be able to automatically block, identify, forensically profile and purge malware, even when it is veiled by legitimate programs and processes. The software needs to be smarter than the malware itself.
Additionally, a CISO must have knowledge and control of every process running on every computer in the organization. Most APTs rely on exploits that take advantage of vulnerabilities present in all kinds of trusted applications. Real-time monitoring is a must, with a holistic approach that takes into account the execution context of every program. Forensic capabilities also have to be in place so that all actionable information is at hand in the event that a compromise takes place.
One of the major issues once a breach has been detected is the lack of information. When did it start? Where did it come from? Has it accessed confidential data? Has there been any information exfiltration? With continuous monitoring and advanced forensic technologies, all of that data is available from the very first moment, closing the gap and limiting the damage.
2015 saw the most sophisticated cyberattacks in history. Traditional antiviruses are no longer capable enough to handle the malware they are faced with. It's time for the sophistication and strength of our solutions to catch up, or we'll never be one step ahead of cybercrime.
Luis Corrons, Technical Director of PandaLabs at Panda Security, has been working in the security industry for more than 16 years, specifically in the antivirus field. Luis is a WildList reporter, member of the Board of Directors at AMTSO (Anti-Malware Testing Standards Organization) and member of the Board of Directors at MUTE (Malicious URLs Tracking and Exchange). He is also a top rated industry speaker at events like Virus Bulletin, HackInTheBox, APWG, Security BSides, etc. Luis also serves as liaison between Panda Security and law enforcement agencies, and has helped in a number of cyber-criminal investigations.