With the topic of targeted attacks and advanced threats capturing so much attention as of late, you could be forgiven for some initial scepticism on yet another article on the subject. However, despite the justifiable attention to the topic, the truth is that targeted attacks are a major yet relatively unmanaged threat to your data and intellectual property. Before you develop a list of options to the problem, it is crucial to consider the nature of the problem from the eyes of your adversary… that being the attacker.
Walk a Mile in an Attacker’s Shoes
“It is said that if you know your enemies and know yourself, you will not be imperilled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperilled in every single battle.”
- Sun Tzu
As is the case when resolving any major problem, context is always king. With respect to targeted attacks and advanced threats, prior to purchasing what some might claim to be the most popular mouse trap du jour, a few considerations of what life is like should you suddenly adopt the persona of your rival and be donning the footwear of an attacker:
- You always seek the path of least resistance to breach a network
- Your modus operandi is to evade detection
- Tools, techniques and expertise to help you succeed are but a mouse click away
- You conduct advance reconnaissance to identify the security footprint, computing environments, and general lay of the land of your target
- You take advantage of the reams of information and insight on the organization and key employees of your target for the purpose of creating a socially and professionally relevant delivery mechanism for your advanced malware
- You then custom design, build and test advanced malware to breach the existing defences of your target
- Your attack methods are both flexible and unpredictable. You exploit the fact that a targeted attack takes little skill to execute yet far greater skill and expertise to detect
The takeaway to all this being, any suggestion that targeted attack patterns follow predefined methods of communication or routes into your network is quite simply both myopic, and, ignores the realities of the mind-set of an attacker.
Just The Facts
A recent blog post used an analogy of a cookie monster to illustrate the motivations behind attackers. This use of a common experience most of us went through as a child illustrates why a comprehensive ability to detect targeted attacks and advanced threats means more than just keeping an eye on a few protocols. Further, ignoring communication over the majority of your network ports and only monitoring north-south communication on your network will do nothing but create a false sense of security, and, is oblivious to how attackers think and act. And now for some supporting evidence courtesy of research completed by the folks at Trend Micro Labs.
Figure 1 Poison Ivy Malware – Use of Multiple Ports (click image to enlarge)
With reference to Figure 1, it is clear that attackers design malware to utilize a variety of network ports. The takeaway being, if your defense against targeted attacks does not have visibility into all network ports, attackers will exploit these oversights to their advantage.
Figure 2 Evil Grab Malware – Use of Multiple Protocols (click on image to enlarge)
With reference to Figure 2, attackers utilize a variety of communication protocols. Again, if your defense against targeted attacks does not have visibility into anything more than a handful of applications and protocols, attackers will quickly learn what is monitored and what is not and will adapt their customized malware accordingly.
Figure 3 IXESHE Malware – Attack Evolution (click on image to enlarge)
With reference to Figure 3, the sample of IXESHE malware demonstrates how attackers vary the structure and methods of an attack as well. Each configuration represents how the attack was structured. While you may recognize a suspect server or IP address at one point in time, this does not mean attackers will use the same infrastructure, attack methods or structure you may have detected. Fact is you need the flexibility to identify inbound, outbound and lateral communication across your network.
Why All This Matters
Trend Micro predicted at the end of last year that 2014 would see one major breach incident a month, but already we’ve seen that figure has underestimated the scale of the problem. Big name US brands including Michael’s, Neiman Marcus, Sally Beauty and eBay have all confessed to breaches so far this year.
The costs to these firms from investigation and remediation; financial penalties; loss of revenue and brand equity; and possible litigation can run into the millions very quickly. As an example from a prior attack, EMC claimed the RSA Security breach may have run to as much as $66m, while Wall Street analysts are saying that retailer Target could eventually be down by as much as $1 billion. These potentially severe business impacts should be focusing the minds of board room members all over the world.
How to Detect and Respond to Targeted Attacks and Advanced Threats
Ensuring your data, intellectual property and communication are kept beyond the reach of attackers is not a one-size-fits-all solution. Quite simply, you are unable to respond to any attack or attack method that you cannot detect. Enabling effective detection of targeted attacks and advanced threats is directly related to both the breadth of the field of view and the effectiveness within which attack and attacker behaviour can be detected.
Three attributes speak to why Trend Micro should be on your short list for solutions to detect and respond to targeted attacks:
- Nowhere for attackers to hide: best in class detection over eighty protocols and applications, and, across every network port
- Rapid Detection: Advanced algorithms and threat engines identify advanced malware, zero day exploits, known threat attributes, command and control, attacker behaviour, lateral movement and other threat activity.
- Mirroir Image: Easy to manage custom sandbox environments that match your gold standard images to improve malware detection rates and foil attacker evasion
- Easy to Deploy: A single, purpose-built appliance…not one per protocol
- Easy to Use: Single appliance with flexible form factors and network bandwidth options
- No extra charges: Correlated threat intelligence without any recurring fees
Security that Fits
- Intelligence sharing with SIEMs, gateways and other security infrastructure
- No Heavy Lifting: Seamlessly fits into your network to monitor inbound, outbound and internal traffic
Learn more here about how Trend Micro can help your organization detect and respond to targeted attacks.