Next cyber-security threat cycle is here - are you ready?
The first PC viruses appeared more than 25 years ago. Little did we realise that this was just the beginning of what would become a series of threat waves.
For nearly 10 years, viruses endured as the primary method of attack, but over time were largely matched by defenders' talents to block and protect against them. Motivated by the notoriety and knowledge gained by discovering and publicising a new vulnerability, attackers continued to innovate. What ensued were distinct threat cycles. Approximately every five years, attackers would launch new types of threats and defenders would protect against them - from macro viruses to worms to spyware and rootkits.
This brings us to today, when we find ourselves combating advanced malware, targeted attacks and advanced persistent threats (APTs). A confluence of factors makes these threats more damaging than anything we have experienced in the past. These factors include:
An explosion of attack vectors: The advent of mobile computing, bring your own device (BYOD), virtualisation and the cloud has spurred a breadth of new devices, infrastructure and networks, and a range of operating systems and applications that provide new, efficient mechanisms to transport malware and conduct attacks. Social media, mobile applications, websites and Web-enabled applications have also exposed individuals and organisations to new security threats.
Market dynamics: The organised exchange of exploits is growing in strength and becoming lucrative with the open market helping to fuel this shift from exploitation to disruption and destruction. It is even common practice now for hacker groups to follow software development processes, like QA testing or bench testing their products against security technologies before releasing them into the wild.
Stealthier attacks: There are now significant financial incentives for secrecy and many organisations are motivated to launch attacks that result in economic or political gain, with little chance of retribution or prosecution. New methods to circumvent protection like port-hopping, tunnelling, droppers and botnets have made it easier, faster and cheaper for hackers to get.
So, how do we raise our game to defeat this new class of attackers? It's no longer enough to focus solely on detection and blocking. Below are five steps to consider as you evolve your security strategy:
_ Detect and block at the perimeter and inside the network
It's good practice to handle threats as close to the perimeter as possible to prevent malware from entering the network and potentially infecting endpoint devices. Consider a network-based malware detection appliance that can identify and protect against malware without sacrificing performance.
_ Assess and protect endpoints
Identify endpoint protection solutions that are lightweight to ensure user experience isn't impacted.
_ Analyse threats through context
Technologies that see and correlate extensive amounts of event data can use this context to pinpoint compromised devices based on behavioural characteristics. By maintaining visibility of all file activity and tracking egress traffic, you can watch for exfiltration of critical data and communication with malicious sites, and so identify targeted systems that might otherwise have gone unnoticed.
_ Eradicate malware and prevent reinfection
Upon finding a malware infection, simply quarantining the device and cleaning it isn't enough. To eliminate the malware and prevent reinfection consider technologies that can track every file on every device so that you can identify 'Patient Zero' (the first malware victim), the malware trajectory and all instances throughout the enterprise.
_ Remediate attacks with retrospective security
Advanced malware protection should also alert on files that were allowed through earlier but are subsequently identified as malware, so that they can be remediated retrospectively. Continuing to track and analyse suspicious files against real-time threat intelligence, and blocking them once a verdict changes, is particularly important.
And remember, be sure to implement integrated rules on the perimeter security gateway, within security appliances protecting internal networks and on endpoints to detect and block the same attack.
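To make steps three to five concrete, here is an added worked example (it is not code from the original article or from Sourcefire) showing the logic behind "Patient Zero", malware trajectory and retrospective alerting. It runs over a small constructed endpoint file-activity log and egress log; the hostnames, hashes, paths and the destination c2.badhost.example are all invented for illustration. Threat intelligence is represented as sets that are populated after the files were first seen, which is exactly the situation retrospective security has to handle.

```python
"""Retrospective file-trajectory analysis over a constructed endpoint telemetry log.

Keep a record of every file seen on every host; when a hash is later judged
malicious, find Patient Zero, the file's trajectory across the estate, and
which hosts also talked to a known-bad destination after executing it.
All telemetry and intelligence below is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileEvent:
    ts: datetime      # when the endpoint agent observed the file
    host: str         # endpoint hostname (hypothetical)
    sha256: str       # file hash, shortened here for readability
    path: str         # where the file landed
    action: str       # "create", "execute" or "copy"
    verdict: str      # agent verdict at observation time: "clean" or "unknown"


@dataclass(frozen=True)
class NetEvent:
    ts: datetime
    host: str
    dest: str         # destination seen in egress traffic


# Constructed sample telemetry: hash "aa11" is dropped on ws-07, copied to a
# file server, then picked up and executed on two more workstations.
FILE_LOG = [
    FileEvent(datetime(2013, 6, 3, 9, 2), "ws-07", "aa11", r"C:\Users\a\Downloads\invoice.exe", "create", "unknown"),
    FileEvent(datetime(2013, 6, 3, 9, 3), "ws-07", "aa11", r"C:\Users\a\Downloads\invoice.exe", "execute", "unknown"),
    FileEvent(datetime(2013, 6, 3, 9, 40), "fs-01", "aa11", r"\\fs-01\share\tools\invoice.exe", "copy", "unknown"),
    FileEvent(datetime(2013, 6, 3, 11, 15), "ws-12", "aa11", r"C:\temp\invoice.exe", "execute", "unknown"),
    FileEvent(datetime(2013, 6, 3, 8, 55), "ws-03", "bb22", r"C:\Windows\notepad.exe", "execute", "clean"),
    FileEvent(datetime(2013, 6, 4, 14, 5), "ws-21", "aa11", r"C:\temp\invoice.exe", "execute", "unknown"),
]

NET_LOG = [
    NetEvent(datetime(2013, 6, 3, 9, 4), "ws-07", "update.example-cdn.net"),
    NetEvent(datetime(2013, 6, 3, 9, 5), "ws-07", "c2.badhost.example"),
    NetEvent(datetime(2013, 6, 3, 11, 16), "ws-12", "c2.badhost.example"),
    NetEvent(datetime(2013, 6, 3, 12, 0), "ws-03", "www.example.com"),
]

# Intelligence as it stood *after* the fact: the hash and the destination were
# only classified as malicious once the file had already spread. Constructed.
KNOWN_BAD_HASHES = {"aa11"}
KNOWN_BAD_DESTS = {"c2.badhost.example"}


def trajectory(file_log, sha256):
    """Every observation of the hash, oldest first: the malware's path through the estate."""
    return sorted((e for e in file_log if e.sha256 == sha256), key=lambda e: e.ts)


def patient_zero(file_log, sha256):
    """Host on which the hash was first observed, or None if it was never seen."""
    path = trajectory(file_log, sha256)
    return path[0].host if path else None


def retrospective_alerts(file_log, bad_hashes):
    """Files allowed through earlier that match the intelligence we have now.

    Returns {sha256: [hosts in order of first sighting]} so each hash can be
    quarantined everywhere, not only on the host that raised the original alarm.
    """
    hits = defaultdict(list)
    for e in sorted(file_log, key=lambda e: e.ts):
        if e.sha256 in bad_hashes and e.host not in hits[e.sha256]:
            hits[e.sha256].append(e.host)
    return dict(hits)


def correlate_with_egress(file_log, net_log, sha256, bad_dests):
    """Hosts that executed the file and then contacted a known-bad destination.

    Execution is what makes beaconing plausible; a host that only stored the
    file (the file server here) stays in the trajectory but is not flagged.
    """
    first_exec = {}
    for e in trajectory(file_log, sha256):
        if e.action == "execute":
            first_exec.setdefault(e.host, e.ts)
    active = {n.host for n in net_log
              if n.dest in bad_dests and n.host in first_exec and n.ts >= first_exec[n.host]}
    return sorted(active)


if __name__ == "__main__":
    for h in KNOWN_BAD_HASHES:
        print("patient zero for", h, "->", patient_zero(FILE_LOG, h))
        for e in trajectory(FILE_LOG, h):
            print(f"  {e.ts:%Y-%m-%d %H:%M} {e.host:6} {e.action:8} {e.path}")
        print("retrospective alerts:", retrospective_alerts(FILE_LOG, KNOWN_BAD_HASHES))
        print("hosts beaconing after execution:",
              correlate_with_egress(FILE_LOG, NET_LOG, h, KNOWN_BAD_DESTS))
```

The point the example makes is that none of the four hosts would have been caught by point-in-time scanning, because the agent's verdict at observation time was "unknown". Only because every file sighting was recorded can the later hash verdict be replayed against history to find ws-07 as Patient Zero, the copy on the file server as the distribution point, and ws-07 and ws-12 as the hosts that were actively beaconing.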
By using the latest techniques and technologies we can mitigate the damage from these advanced threats and protect ourselves from future attacks.
Sutee Assawasoontarangkoon is country manager, Thailand and Indochina, Sourcefire (Thailand).