A decade ago, we used to rely on perimeters like intrusion prevention system (IPS) and host-based antivirus (AV) software to defend our organization against data breaches. But, today the attacking parameters have been evolved from worms, Trojan, viruses, botnet, phishing attacks to advanced threats that easily evade traditional security defenses.
Let’s proceed with exploring some of these basic threat tactics that have been a nuisance to IT for many years, but are easily detectable by IPS and AVs today.
Traditional Threat Tactics:
Worms, Trojan, Viruses:
A worm is a malware program that replicates itself, typically through vulnerabilities in operating systems. Worms typically harm networks by consuming bandwidth and also provide an attack vector for later exploitation purpose. The ability to propagate within the network, it gets detected by AV and other detection systems.
A Trojan (or Trojan horse) typically replicates itself as a helpful software application, with the ultimate purpose of tricking a user into granting access to a computer. Trojan doesn’t propagate itself and remain undetected until host-based antivirus detects it.
A virus is malicious code ranging in severity from slightly harmful to completely devastating. By attaching itself to a program or file, it spreads from one computer to another, leaving infections as it travels. A virus got detected when propagating from one host to another. Moreover, it needs human interaction to propagate.
Spyware typically gathers user information through internet connection without the user’s knowledge, usually for sending malicious traffic or stealing confidential information. Upon successful deployment to the victim’s machine, it monitors and transmits the data and information to the attacker. Spyware is easily detectable through many ordinary detection tools and anti-viruses.
Phishing attack (Social Engineering attack) is commonly used by many newbie attackers and sometimes also used by serious cyber criminals to trick ordinary employees. Phishing is an attempt to acquire information (and, indirectly, money) such as usernames, passwords, and credit card information, by masquerading as a trustworthy entity in email communication. After clicking on a (seemingly innocent) hyperlink, the user is directed to enter personal details on a fake website that looks and feels almost identical to the legitimate one.
Basic threat tactics are easily detected by antivirus and other security tools and solutions. While, advanced threat tactics are difficult to detect by using traditional signature-based defenses. They are often highly customized and designed to compromise specific targets. Moreover, advanced tactics are crafted to exploit vulnerabilities that are unknown to the general public.
Let’s take a look to some of the advanced threat tactics that are a nightmare for most of the security professionals.
Advanced Threat Tactics:
It is the simplest way to evade traditional security defenses. By creating a customized malware for each attack is the most effective practice that an attacker uses to evade security defenses easily. By changing a single parameter using an off-the-shelf exploit kit, attackers can customize malware to exploit a known vulnerability in such a way that makes it undetectable by signatures based security tools.
Watering hole attacks:
A watering hole attack is performed when an attacker compromises a website that is frequently visited by users of an organization that he or she is targeting. Once infected, the user’s host will typically connect to a CnC server to obtain further instructions by the attacker. These types of attacks are impossible to detect by traditional security defenses, and effects much when system holds critical information.
Spear phishing attacks:
A spear phishing is just like a phishing attack except it is carefully constructed to target an individual person or group of people. Attackers frequently use social media sites, such as LinkedIn and Facebook, to construct carefully crafted emails that appear to be sent from trusted friends or colleagues. The victim got compromised when malicious link or file is clicked or downloaded.
These types of attacks can be detected by the security solutions when customization of the virus is not done smartly by the attacker. Spear phishing is one of the most common tactics attackers use to initiate an advanced targeted attack.
A zero-day attack occurs when an attacker exploits an operating system or application vulnerability that is not generally known previously. Zero-day attacks are extremely effective because they can go undetected for long periods (usually several months, but sometimes a couple of years), and when they are finally identified “in the wild,” patching the vulnerability can still take days or even weeks.
An advanced threat actor, such as a nation-state or a well-resourced cybercriminal or group of cyber criminals, carefully constructs an advanced threat campaign with a specific organization and objective in mind. The purpose is to enter the organization’s network to steal or take over the critical information for different means.
What can be done to protect from advanced threats?
As traditional security defenses that are signature based, are unable to provide security from advanced threats, there should be some other solutions that can defend us from such threats. So what the world really needs? How to defend against this rising advanced threats risk?
Signature-less malware detection:
The first and, perhaps, most obvious attribute of any advanced threat protection solution is its ability to detect unknown malware without relying solely on pattern-matching signatures. Signature matching is the major difference between advanced threat protection solutions and traditional security defenses which solely depends on the signature base.
Multi-stage protection architecture:
The world needs an advanced threat protection solution that monitors attacks not only from the outside in but from the inside out as well. The advanced threat protection solutions should be able to monitor and block the outbound traffic looking for connections to blacklisted IP addresses and URLs.
We can’t leave or demolish the existing solutions, it’s important to appreciate that the best security solutions integrate with other security solutions to share intelligence and to respond to threats. The advanced threat protection solutions will afford their user’s response capabilities tied to both endpoint security and network forensics solutions.
Ethical Hacking Training – Resources (InfoSec)
Dynamic global threat intelligence:
Some so-called advanced threat protection vendors do not give their customers the opportunity to share threat intelligence with each other. The advanced threat protection vendors should consider sharing their intelligence to create a dynamic global threat intelligence that can effectively prevent an advanced threat to harm clients.
What are the common mistakes to avoid while purchasing advanced threat protection solution?
Take note of these warnings. Otherwise, you may end up acquiring a solution that provides only part of the advanced threat protection functionality you need.
Avoid partial solution:
Some vendors offer perimeter-based advanced threat protection, some offers detection of advanced threats on endpoints, and others offer network forensics appliances. So, the organization must review the offered feature before purchasing the solutions.
Avoid all-in-one malware analysis appliances:
To best detect today’s new breed of cyber-attacks (Advanced threats), acquire separate, purpose-built malware analysis appliances for email, the web, and file-share protection. Also, consider the integration to share intelligence.
Avoid solutions without shared intelligence:
Most advanced threat protection vendors fail to take advantage of customer-shared threat intelligence. The solutions without shared intelligence will not benefit from the previously seen malware, and instead of instantly blocking, it will evaluate each time when encounter.
These are the common mistakes that will be devastating if neglected while selecting and purchasing an advanced threat solution for an organization. These mistakes must be avoided to choose the best solution and defend against such type of attacks and threats.
These days, malware associated with advanced threat campaigns sails past these traditional security defenses like they aren’t even there. So, considering advanced threat solutions is the only way to protect the network and information from being compromised from the outsider and insider as well.