As I get ready to attend this year’s IBM Pulse conference (February 23-26 in Las Vegas), where I’ll be delivering a keynote session on how organizations can better use actionable intelligence in their efforts to deal with targeted attacks, I ask myself why traditional security is not as effective as it should be in dealing with this attack vector. True targeted attacks are ones where the attacker has investigated the target group or organization to determine whether or not it has something of value to the attacker. Reconnaissance is done today using Open Source Intelligence (OSInt) tools that help the attacker identify whom to attack, how to attack, and what is of value to them. It is very likely that the attacker will develop custom threats to use in infiltrating the victim’s system or network. In most cases, if the attacker is planning to use malware, the malicious code will first be tested using criminal underground services to determine whether the code is detected by security vendors’ file-based scanners. As a result, they will only deploy the malware that goes undetected and is therefore more likely to bypass the victim’s traditional security defenses. Once inside the victim’s system or network, the attacker will likely move laterally to other systems in an effort to identify those that have access to the data they want to steal. This stage of the attack may not use traditional malware, as some assume; more likely, the attacker will use the hacking tools available to them along with stolen credentials. Once the attacker has identified the data they wish to steal, they will package it up and exfiltrate it to themselves in order to monetize the theft. Exfiltration can take many different forms, using email, FTP, HTTP, or any number of other protocols to upload the typically encrypted data to their drop zones.
The challenge that most traditional security solutions face today is that they cannot provide enough information, and more importantly enough context, about a security event identified within the compromised target. Each stage of an attack is usually carried out in a different area of the network, on a different system or device, and at a different time. For example, the infiltration is typically a spear phishing email, carrying either a weaponized attachment or an embedded malicious link, sent to an employee’s PC. From there, the attacker moves laterally to a server hosting the data they want to steal. The Command & Control infrastructure the attacker relies on may be hosted on any number of machines within the victim network. The stolen data can be staged on, and then exfiltrated from, systems that give the attacker access to external communications. While any one of these actions may be detected by traditional security solutions, unless the victim’s IT or security personnel can recognize that the security incident is part of a broader attack, it will likely be overlooked.
In my keynote, I will be discussing how Trend Micro’s Custom Defense solution can offer more information, with the right kind of context, to deliver the actionable intelligence needed to identify a possible breach, giving security teams information such as the types of attacks, the concentration of attacks, the timeline of attacks, and the origin of attacks. The solution also combines the organization’s local threat intelligence with our global threat intelligence derived from the Trend Micro™ Smart Protection Network™, correlating each attack component with any other associated threat vectors. When a security admin can see an internal IP communicating with a region of the world where their organization has no history of communication, they have the opportunity to investigate further. Or when an email attachment is sandboxed and found to communicate with a known C&C server that has been used in other attacks on their industry, they can raise an alert that they may be under attack. Feeding the threat intelligence from Trend Micro into a SIEM solution like IBM’s QRadar can also allow the organization to correlate it with information from the other security vendors’ solutions they are using, giving even further context about what may be occurring inside their network.
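The two correlation cases above (an internal host talking to a region it has never talked to before, and a sandboxed attachment contacting a known C&C server) can be expressed as a small scoring rule. The following is an added example written for this post, not code from Trend Micro or QRadar; the event format, baseline table, C&C list and weights are all constructed for illustration.

```python
from collections import defaultdict

# Constructed per-host baseline: destination regions each host has been seen
# talking to historically (in practice derived from weeks of flow records).
BASELINE_REGIONS = {
    "10.0.5.23": {"US", "DE"},
    "10.0.7.41": {"US"},
}
# Constructed C&C indicator list; 203.0.113.77 is a documentation-range address.
KNOWN_C2 = {"203.0.113.77"}
# Constructed sample events: one sandbox verdict plus three outbound flows.
EVENTS = [
    {"type": "sandbox", "host": "10.0.5.23", "contacted": "203.0.113.77"},
    {"type": "netflow", "host": "10.0.5.23", "dst": "203.0.113.77", "region": "XX"},
    {"type": "netflow", "host": "10.0.7.41", "dst": "198.51.100.9", "region": "US"},
    {"type": "netflow", "host": "10.0.9.8", "dst": "192.0.2.5", "region": "BR"},
]
# Weights are assumptions: a C&C match is stronger evidence than a new region.
WEIGHTS = {"new_region": 1, "flow_to_c2": 2, "sandbox_c2": 2}

def correlate(events, baseline=BASELINE_REGIONS, known_c2=KNOWN_C2):
    """Score each internal host by the independent signals that point at it.

    Returns {host: (score, [reason, ...])}; hosts with no signal are omitted.
    """
    findings = defaultdict(lambda: [0, []])
    for e in events:
        host = e["host"]
        if e["type"] == "netflow":
            if e["region"] not in baseline.get(host, set()):
                findings[host][0] += WEIGHTS["new_region"]
                findings[host][1].append(f"new region {e['region']} via {e['dst']}")
            if e["dst"] in known_c2:
                findings[host][0] += WEIGHTS["flow_to_c2"]
                findings[host][1].append(f"flow to known C&C {e['dst']}")
        elif e["type"] == "sandbox" and e["contacted"] in known_c2:
            findings[host][0] += WEIGHTS["sandbox_c2"]
            findings[host][1].append(f"sandboxed attachment contacted C&C {e['contacted']}")
    return {h: (score, reasons) for h, (score, reasons) in findings.items()}

def escalate(events, threshold=3, **kw):
    """Hosts whose combined evidence crosses the threshold, for analyst triage."""
    return sorted(h for h, (score, _) in correlate(events, **kw).items() if score >= threshold)

if __name__ == "__main__":
    for host, (score, reasons) in correlate(EVENTS).items():
        print(host, score, "; ".join(reasons))
    print("escalate:", escalate(EVENTS))
```

A single new-region flow (10.0.9.8) stays below the threshold, while the host that appears in both the sandbox verdict and the C&C-bound flow is the one surfaced for investigation.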
When a single security event has context associated with it, and can be correlated with other events that may be occurring in other areas of the infrastructure, the organization can take appropriate action and develop a plan to investigate, identify, mitigate, and clean up the attacks that will likely occur in the future. As threat defense experts, Trend Micro has been analyzing the threat landscape for 25 years and adapting to the changing tactics used by criminals over that time.