What does it really mean to live in the shadow of the advanced persistent threat (APT)? Certainly, APTs are a lot more subtle, intelligent and dangerous than their random and generally less sophisticated predecessors. The Internet threat environment is a lot more malicious today, and signature-based defences against it can not be relied on. The industry needs to fight intelligence with intelligence.
Cyber crime today has a lot in common with the golden era of old-school spying.
Yet, while cyber crime has evolved and advanced, it has also become retrospective in its approach. Cyber crime today has a lot in common with the golden era of old-school spying - infiltrate, hide, and extract valuable and sensitive information without being detected. This approach is highly effective in a world where digital information is getting increasingly valuable.
With the stealthy online infiltration to steal valuable proprietary information being the ultimate aim of the modern cyber criminal, it is clear that companies need to be especially vigilant and prepared in detecting these new types of rampant and unrelenting threats. The successful embedding and execution of malicious code on a network can cause havoc to a company, with the biggest risk now lying in the theft of Intellectual Property. Competitive advantage, insider information, valuable and saleable IP are all highly valuable to both the professional cyber criminal and the emerging (and as yet unproven) state-sponsored attacker.
Priceless gift
New ways of working, such as BYOD, where endpoints are also used for non-business use such as social media, are aiding APTs. Something as simple as a link on Facebook to an infected Webpage can prove the entry point into a company's network. Cyber criminals are becoming highly skilled in targeting people and tricking them into innocently gifting access to their devices, and consequently, the corporate network.
Fortunately, there are still ways to spot the 'spies' trying to infiltrate the network, and even those who have gained access and bedded themselves in. They will invariably leave telltale signs. It's simply a case of looking for the signs, and in the case of a suspected 'spy', fooling them into making mistakes that will allow them to be identified and dealt with.
Sandboxing is not a new idea, but it is proving increasingly useful in countering APTs. Malware has always tried to disguise itself and today's developers are making their software 'aware' of its surroundings.
Under investigation
The sandbox - which can be local or cloud-based - provides a tightly controlled virtual environment in which only the basic resources are provided to allow suspicious or unknown software to run, and where network access and other critical functions are restricted. The malware is thereby tricked into believing it has reached its destination, so it can be closely observed for revealing behaviour. But, how does one choose which piece of software needs to be ushered into a sandbox virtual environment for closer scrutiny?
There are five initial exploit and exfiltration behaviours that, either in isolation or in tandem, can point to malware activity.
Looking at these in more detail:
Some APT payloads randomly generate strings of IP addresses intended to aid propagation, or they may attempt to make connection with a command and control server in order to exfiltrate data or call on further attack resources via a botnet. If details of the malicious server are known, it's the equivalent of a suspected spy under surveillance revealing himself when he calls his spymaster.
Also, documented APT cases have involved numerous techniques for obscuring the real meaning and intent behind malicious JavaScript code, and of course the malware will likely mimic the behaviour of its host device or application to avoid detection. Consequently, the trend towards encrypted malware within APT payloads renders all encrypted traffic to elevated risk.
For more effective protection and greater control, sandboxing should ideally operate as part of a layered strategy. The first line of defence will be the anti-virus engine supported by an inline real-time onboard sandbox. If the threat proves sufficient, the suspicious files can be submitted to a cloud-based sandbox for further analysis. This layered and unified approach delivers more control and speed for countering a potential attack. And it is necessary. As cyber crime becomes more advanced and multi-layered, so must the security stance of the organisation.
Unfortunately, there persists a belief among many enterprises and organisations that none of this really applies to them. The high media profile of 'cyber war' raging between nation states supports this mistaken belief. However, in cyber space there are no national boundaries, and every organisation, no matter how large or small, is a potential target. It is very easy for skilled cyber criminals to use social routes to gain access to devices and networks, so what's to stop them targeting any organisation, especially if they can assume the organisation is unprepared and vulnerable? And with cyber crime tools becoming cheaper and more readily available, what's to stop competitors doing the same?
In the shadow of the APT, traditional IT security defences are outdated and no longer adequate. There is an increasing urgency for organisations to recognise and accept the very real risks posed by APTs and to adopt a more modern and intelligent, layered approach to threat detection and remediation. Sandboxing is a key tool in that approach.
Share