The nature of cyber crime is changing. No longer the concern solely of major corporations, organisations and governments, every business is now a potential target. Today's cyber criminals are armed with a growing toolbox of cheap, off-the-shelf weaponry, and businesses of all sizes are being targeted for a variety of reasons: the obvious one of financial gain, but also competitive advantage, and even pure spite.
Highly targeted attacks are now commonplace and have brought about a fundamental change in the way the war against cyber crime is waged. Advanced persistent threats (APTs), which rely on subtle and very intelligent methods of attack, have changed the mindset of companies, which now look not only to defend themselves but also to identify when their networks have been compromised.
Such is the subtlety and effectiveness of APTs that many companies will already have been compromised without their knowledge. Reliance on signature-based technology alone is no longer enough when cyber criminals use extreme stealth and cunning to bypass security and their malicious payloads are able to evade traditional detection.
The 'payload' of modern malicious software needs only one point of entry onto the target system and can be delivered by a range of simple tactics. Many successful attacks gain entry via a well-crafted e-mail containing a malicious link, sent to a single employee. In this way, staff members are deceived into innocently making mistakes that allow exploits to be deployed, which can then lie dormant or operate with extreme subtlety to avoid detection.
Get ready for battle
So, how can a company defend itself from such a subtle guerrilla warfare approach, and what are the tell-tale signs that a network has been compromised?
A strategy of 'client reputation and scoring' can help to defend against attacks and to identify when subversive activity has succeeded. Client reputation and scoring is a dynamic technique that aggregates and correlates security information gathered from a network and compares it with an existing baseline. The analogy is with insurance and finance, where risk calculations are applied to the activities of people applying for loans or seeking cover. This is a 'reputation matters' approach.
The following are the major types of behaviour and activity that affect reputation and scoring:
Connection attempts
Failed connection attempts can be a signal that malware is trying to reach a host that no longer exists because its 'home' server has been moved to avoid detection. Of course, there can be legitimate reasons why a host is unavailable, but repeated failed attempts to connect to non-existent hosts will generate a negative score.
Application profiles
A host that installs a P2P file-sharing application can be considered riskier than a host that installs a game. While both actions can be considered problematic, the company can assign a weight to each action and score it accordingly.
Geographic location
Visits to hosts in certain countries can be considered risky, especially when a significant amount of traffic is involved. For example, staff in the UK may have little need to send large files to, or receive them from, Iran or North Korea. When calculating scores, a white-list can be used to exclude well-known foreign sites.
IP session information
A typical host initiates sessions but is far less likely to terminate them (that is, to act as the server end). So if a host starts listening on a port to accept connections from outside, this can be viewed as suspicious or risky activity.
Destination category
Visiting certain categories of Web site, such as adult sites, should be considered risky activity and scored accordingly.
By applying a scoring system based on the activity of both the network and the people using it, actions that are abnormal or that carry high risk can be identified, investigated or prevented.
Client reputation and scoring can also be used as a basis for setting thresholds and alerts that help administrators to better defend and control their networks.
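As an added illustration (not Fortinet's or the article's own code), the following Python sketch applies the five behaviour types above as weighted penalties to a set of constructed client events, compares each client's total with a baseline and raises an alert when the increase passes a threshold; the event field names, weights, allow-list entries and threshold values are all assumptions.

```python
# Added example, not Fortinet's code: a minimal client reputation scorer
# applying the weighted behaviours described above to constructed events.
from collections import Counter, defaultdict

RISKY_COUNTRIES = {"IR", "KP"}            # geographic location rule
ALLOWLIST = {"mirror.example.org"}        # well-known foreign sites excluded
FAIL_THRESHOLD = 3                        # single failed connections are normal
WEIGHTS = {"conn_fail": 2, "app": {"p2p": 5, "game": 2}, "geo": 3,
           "listen": 4, "dest": {"adult": 3}}

# Constructed sample events; assumed field names, not a real log format.
EVENTS = [
    *[{"client": "pc-17", "type": "conn_fail", "dst": "gone.example.invalid"}] * 4,
    {"client": "pc-17", "type": "app_install", "app": "p2p"},
    {"client": "pc-17", "type": "listen", "port": 6881},
    {"client": "pc-17", "type": "traffic", "country": "KP", "host": "x.example", "mb": 120},
    {"client": "pc-02", "type": "conn_fail", "dst": "printer.lan"},
    {"client": "pc-02", "type": "traffic", "country": "IR", "host": "mirror.example.org", "mb": 500},
    {"client": "pc-02", "type": "app_install", "app": "game"},
    {"client": "pc-02", "type": "web", "category": "adult"},
]

def score_clients(events):
    """Aggregate a reputation penalty per client from raw events."""
    scores, fails = defaultdict(int), Counter()
    for ev in events:
        c, t = ev["client"], ev["type"]
        if t == "conn_fail":
            fails[(c, ev["dst"])] += 1
            if fails[(c, ev["dst"])] >= FAIL_THRESHOLD:  # repeated failures only
                scores[c] += WEIGHTS["conn_fail"]
        elif t == "app_install":
            scores[c] += WEIGHTS["app"].get(ev["app"], 0)
        elif t == "listen":                                # host acting as a server
            scores[c] += WEIGHTS["listen"]
        elif t == "traffic":
            if ev["country"] in RISKY_COUNTRIES and ev["host"] not in ALLOWLIST:
                scores[c] += WEIGHTS["geo"] * (1 + ev["mb"] // 100)  # scale by volume
        elif t == "web":
            scores[c] += WEIGHTS["dest"].get(ev["category"], 0)
    return dict(scores)

def alerts(scores, baseline, margin=10):
    """Clients whose score rose more than `margin` above their baseline."""
    return sorted(c for c, s in scores.items() if s - baseline.get(c, 0) > margin)

if __name__ == "__main__":
    s = score_clients(EVENTS)
    print(s, alerts(s, {"pc-17": 2, "pc-02": 4}))
```

Note that the allow-listed mirror and the single failed connection to the printer contribute nothing, so only the host showing several correlated behaviours crosses the alert margin.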
Fortinet has added advanced client reputation and scoring features to its latest security operating system, FortiOS 5. With the ability to analyse vast amounts of information from a variety of sources, looking for patterns in packets, applications and the Web sites that end-users visit, administrators now have the power to control their networks through advanced analytics and granular controls.