EXPLORING ADVANCED THREATS

Transcription

1 Whitepaper Blue Coat Advanced Threat Protection Series Security Empowers Business EXPLORING ADVANCED THREATS Advanced Threat Protection (ATP) Essentials, Part 1

2 SECURITY ISN T ONLY ABOUT PREPARING FOR THE WORST Introduction Virtually every article, blog, or white paper about cyber security begins the same way: by trying to scare the living daylights out of you. Horrifying statistics, alarming news reports we re sure you ve seen them. Here s the thing: when you really take a hard look at today s security threats and vulnerabilities, even the new breed of advanced threats, you start to see that security isn t only about preparing for the worst. Security is also about empowerment. When you know enough to implement the right security the right way, security instills confidence, creates opportunities, and opens doors to new possibilities. We ve written this series of papers to help you see advanced threats in a whole new light. Because the more you understand about advanced threat protection, the more you ll understand how it can empower your business. In this paper, we present the basics about advanced threats: what they are, how they differ from traditional threats, where they originate, and how they can impact your business. Then in the next two papers, we take a closer look at how best to mitigate the threats and how to get started putting an effective business empowerment solution in place. 2

3 Contrasting Basic and Advanced Threats The following are key characteristics of basic and advanced cyber threats: Basic or mass-market threats are the ones everyone should be blocking. They re the known threats against known operating system (OS) or application-level vulnerabilities. They are commonly detected by traditional signature-based network- and endpoint-security defenses, including intrusion prevention systems (IPSs), secure web and gateways, and antivirus platforms. Advanced threats are unknown threats against unknown OS or application-level vulnerabilities. They can t be detected by traditional signature-based defenses. Advanced threats are far more difficult to detect. Traditional security defenses that rely on pattern-matching signatures are useless. Now it s important to point out traditional defenses such as firewalls, IPSs, and secure web and gateways are your front line in a defense-in-depth (layered defense) strategy. But you can t rely on these exclusively for detecting today s advanced threats. Basic Threats: Oldies but Baddies The mass-market cyberattacks described in this section are largely mitigated by traditional network and endpoint security solutions. Yet we keep seeing them over and over again because users still fail to take them seriously and protect against them. So reacquaint yourself, because left unchecked any of these could be your downfall. Worms, Trojans, and viruses A computer worm is malware that exploits the vulnerabilities of a computer s OS (such as Microsoft Windows) to self-propagate. Worms can consume large amounts of bandwidth, causing degradations in network performance. Unlike a virus, a worm doesn t attach itself to computer programs or files. A Trojan (or Trojan horse) is malware disguised as a legitimate application to trick a user into installing it on a computer. Unlike worms, Trojans can t propagate to other computers on their own. Instead, they join networks of other infected computers (called botnets), wait to receive instructions from the attacker, and then transfer stolen information. Trojans are commonly delivered through social media and spam s; they may also be disguised as installers for games or applications. A computer virus is malicious code that attaches itself to a program or file so that it can spread from one computer to another, leaving infections as it propagates. Unlike a worm, a virus can t travel without a human helper in this case, a user who sends (usually unknowingly) an infected program or file to another user. Spyware and botnets Spyware is a form of malware that aggregates user information without the user s knowledge and forwards it to the perpetrator via the Internet. Sometimes, spyware is employed for the purpose of advertising (in which case it s called adware and displays pop-up ads). Other times, it s used to collect confidential information such as usernames, passwords, and credit-card numbers. A botnet is a group of internet-connected computers on which malware is running (bots). Bots are often used to commit denial-ofservice attacks (attacks that overload a server s processing power), relay spam, steal data, and/ or download additional malware to the infected host computer. Evolving landscape of modern threats 3

4 Phishing Phishing is an attempt to steal confidential information usernames, passwords, credit-card numbers, Social Security numbers, and so on via by masquerading as a legitimate organization. After clicking a seemingly innocent hyperlink in the , the victim is directed to enter personal information on an imposter website that looks almost identical to the one it s emulating. And it doesn t matter what type of device is being used phishing is device agnostic. In fact, mobile users are sometimes more vulnerable because the smaller screen size may reduce context clues. Baiting Baiting is when a criminal casually drops a USB flash drive or CD-ROM in a public area (perhaps a parking lot or cybercafé) within close proximity of the targeted organization. The media device is labeled with enticing words such as Product Roadmap or Proprietary & Confidential to spark the finder s interest. When the victim inserts the device into her computer, it installs malware. Buffer overflows and SQL injections These two common techniques exploit vulnerabilities in web applications: In a buffer overflow attack a hacker knowingly writes more data into a memory buffer than the buffer is designed to hold. Data spills into adjacent memory, causing the application to execute unauthorized code that may grant the hacker administrative privileges or even crash the system. In a SQL injection attack, the attacker enters SQL statements into a web form in an attempt to pass an unauthorized SQL command to the database. If successful, the attack can give its perpetrator full access to database content such as credit-card numbers, Social Security numbers, and passwords. Malnets A malnet (malware network) employs a distributed network infrastructure in the internet that is purpose built and maintained by cybercriminals to launch a variety of attacks over extended periods of time. Blue Coat estimates that nearly two-thirds of cyberattacks originate from malnets. 4

5 Advanced Threats: Emerging Dangers Now that you re up to speed on basic threats, let s explore the advanced threats that are emerging. Advanced persistent threats Advanced persistent threats (APTs) also known as advanced targeted attacks (ATAs) are multi-vectored (perpetrated through multiple channels) cyberattacks in which an attacker gains unauthorized network access and stays undetected for a long period. The goal is usually data theft. Let s break down the components of the acronym: Advanced: Attackers use a full spectrum of intrusion technologies and techniques, often exploiting unreported vulnerabilities in operating systems and applications. Persistent: After a network is breached, the perpetrator operates low and slow to remain undetected until the ultimate target has been identified. Threat: The attacker initiates each APT with a specific objective in mind and won t stop until that objective is achieved. Zero-day threats A zero-day threat is a cyberattack on an OS or application vulnerability that s unknown to the general public. It s called a zero-day threat because the attack was launched before public awareness of the vulnerability (on day zero). Polymorphic threats A polymorphic threat is a cyberattack that continuously changes, making it impossible for traditional signature-based security defenses to detect. Blended threats A blended threat employs multiple attack vectors (paths and targets) and multiple types of malware to disguise the attack, confuse security analysts, and increase the likelihood of a successful data breach. Classic examples of blended threats include Conficker, Code Red, and Nimda. Time and the Window of Opportunity Weeks 2% Months 1% Days 13% Hours 60% Seconds 11% Weeks 2% Months 1% Days 13% Hours 60% Seconds 11% Minutes 13% Initial Compromise to Discovery Initial Attack to Compromise Years 4% Months 62% Minutes 1% Hours 84% 9% 78% Minutes 13% Years 4% Months 62% Minutes 1% 84% 78% Days 11% Weeks 12% Hours 9% Days 11% Weeks 12% 5

6 DATA BREACHES BY THE NUMBERS In 2013, Verizon analyzed 621 data-breach incidents that occurred in 2012, resulting in 44 million compromised records, and came up with the following interesting statistics: 40 percent incorporated malware 52 percent involved some form of hacking 78 percent took weeks, months or years to discover 84 percent compromised their targets in seconds, minutes, or hours 69 percent were discovered by a third party 92 percent were perpetrated by outsiders 95 percent of state-affiliated attacks employed phishing You can download the full report at Insider threats Not all threats originate outside the network. Some originate within, introduced by two types of users: Malicious users: These users may consist of ill-intentioned contractors, disgruntled employees, or even criminals who use social engineering techniques to gain physical access to the network after being admitted to the building by a negligent receptionist. Unknowing employees: Even well-intentioned employees may bring malwareinfected laptops and mobile devices into the office after surfing the web at home over the weekend. Know Thy Enemy It s not enough just to know what kind of cyberthreats you face. You also need to know the sources and goals of those threats. Here s some insight into potential attackers and potential attacks. Types of attackers Today s cyber-attackers fall into three broad categories: cybercriminals, statesponsored hackers, and hacktivists. Cybercriminals As the name suggests, cybercriminals hack for profit. They penetrate a company s network security defenses in an attempt to steal something valuable (such as credit-card numbers) and sell them on the black market. Today, cybercrime is a multibillion-dollar industry. State-sponsored hackers Cyber-attacks committed by nations against foreign corporations and governments are perpetrated by state-sponsored hackers people who hack for a paycheck with the objective of compromising data, sabotaging systems, or even committing cyber warfare. Hacktivists Hacktivists are computer hackers driven by political ideology. Typical attacks include website defacements, redirects, information theft and exposure, and denial-of-service attacks. 6

7 Hidden Costs of a Breach The true costs of a breach are difficult to quantify and are often underreported as they re spread across many areas, including both hard-dollar and soft-dollar costs such as: How to Fight Back against Advanced Targeted Attacks Security defenses have traditionally been built with standalone products that protect against known threats. But with today s increasingly sophisticated hackers and advanced threats, that s no longer enough. Investigation and forensics costs Customer and partner communication costs Public relations costs Lost revenue due to damaged reputation Regulatory fines and civil claims Opportunity costs and missed sales due to outages 3 Incident Resolution Investigate & Remediate Breach Threat Profiling & Eradication Retrospective Escalation Fortify & Operationalize GLOBAL INTELLIGENCE NETWORK 2 Incident Containment Analyze & Mitigate Novel Threat Interpretation 1 Ongoing Operations Detect & Protect Block All Known Threats Unknown Event Escalation What s needed is a way to get the siloes of security solutions working together, sharing intelligence and analysis so that they can adapt, scale, and extend protection to unknown threats as well. What s needed is a lifecycle approach to implementing a complete, multi-layered defense. And it would look something like the diagram below (we ll discuss specific products that implement the lifecycle defense in Part 2 of this white paper series, Buying Criteria for Advanced Threat Protection. ). The three core capabilities of the lifecycle defense include: Ongoing operations: The lifecycle starts with detection and blocking of all known threats as part of routine, day-to-day operations. Unknown threat events are escalated to the containment phase. Incident containment: Unknown (novel) threats are analyzed and mitigated via closed-loop feedback, through which threat intelligence is automatically shared with other security systems to inoculate the organization from future attacks. Threat information is also shared in real time among millions of users in thousands of organizations via a global intelligence network, so the defense system can learn, adapt, and evolve to stay a step ahead of advanced threats. Incident resolution: Breaches that do occur are investigated, analyzed, and quickly remediated, and the resulting intelligence is shared via the global intelligence network, which in turn helps convert unknown threats into known threats. This lifecycle approach can help organizations prepare for advanced and unknown attacks that occur so that companies can mitigate the damage, resolve the issue quickly, learn from incidents, and apply new intelligence so that future attacks do not succeed. Simply put, the lifecycle defense is part of a holistic security approach that integrates prevention of known threats with preparedness and response so new threats can be identified and swiftly remediated. Figure 1: A three-stage, lifecycle approach to advanced threat protection. 7

8 Security Empowers Business 2013 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, See Everything. Know Everything., Security Empowers Business, and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you. v.wp-advanced-threat-protection-en-v1f-1113 Blue Coat Systems Inc. Corporate Headquarters Sunnyvale, CA EMEA Headquarters Hampshire, UK APAC Headquarters Singapore