ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave of fear, hype, and activity. Many organizations increased their spending on information security and believed they were making progress, but ESG research indicates that nearly half of enterprise organizations are still regularly compromised by modern malware. While there is no single solution to this problem, CISOs can improve the efficacy of their threat defenses and security operations by integrating security intelligence into their security technologies and infrastructures. Webroot, a security intelligence leader, is partnering with a number of security device vendors to offer a strong combination of modern malware defenses and integrated security intelligence. Overview On January 12, 2010, Google announced that it had been the victim of a sophisticated cyber attack that resulted in a compromise of Gmail account privacy. This announcement was a significant milestone in the annals of cybersecurity as it introduced the world to the concept of advanced persistent threats (APTs). The (U.S.) National Institute of Standards and Technology (NIST) uses the following description to define the term APT: An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating (i.e., transporting it from internal networks to external drop servers) information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives. As if the Google incident weren t enough, it was soon discovered that other well-known organizations such as Adobe Systems, Morgan Stanley, Northrop Grumman, and Yahoo were also APT targets. This pattern of attacks sent a chill through the cybersecurity community. Alarmed by new adversaries and tactics, enterprise organizations reacted with a range of activities: CEOs got more involved with cybersecurity discussions, CISOs actively assessed the capabilities of their security defenses, and IT operations teams modified processes to better address vulnerabilities. APTs also had a direct impact on IT investment. According to ESG research, 77% of large organizations intended to increase their security spending on security hardware, software, services, and training in order to provide better overall protection against APT attacks (see Figure 1). 1 1 Source: ESG Research Report, U.S. Advanced Persistent Threat Analysis, November 2011.
ESG Brief: Addressing APTs and Modern Malware with Security Intelligence 2 Figure 1. Change in IT Security Spending as a Result of APTs To what extent if any do you believe APTs will change your organization s annual spending on security hardware, software, services, and training? (Percent of respondents, N=244) spending by 1% to 5%, 35% Don't know/too soon to tell, 7% No increase, 16% spending by more than 10%, 11% spending by 6% to 10%, 32% Enterprise Organizations Remain Vulnerable to APTs In 2011, ESG published a research report titled, U.S. Advanced Persistent Threat Analysis. The data presented in this report was consistent with the description above: Enterprises understood the risks associated with APTs and were taking actions to mitigate this risk. Yes, large organizations had the best of intentions, but many enterprises remain vulnerable to APTs, as well as more pedestrian malware attacks. In fact, recent ESG research indicates that 49% of large organizations have experienced a successful malware attack over the past two years. In this case, successful means that the malware compromised an IT asset which had some type of impact on the organization (i.e., remediation activity, data theft, damage to the company brand, etc.). The research also revealed that 22% of the affected organizations suffered more than 25 security breaches as a result of malware. There seems to be some type of disconnect here. If large organizations took proactive measures to address APTs over the past few years, why are they still experiencing so many malware attacks and related security breaches? There are several reasons: Signature-based defenses cannot keep up with malware volume and sophistication. Malware defenses are often based upon signature-based endpoint security software, antivirus gateways, and IDS/IPS devices installed on the network. These defenses are still useful, but the development cycle for anti-malware signature development (i.e., discover, analyze, develop, test) can no longer keep up with malware volume and sophisticated malware techniques like encryption, packing, and polymorphic malware. Many security researchers point to an alarming correlation: As malware becomes more sophisticated, many signaturebased security defenses become less effective. Modern malware is built to exploit gaps in security defenses. As opposed to early mass-mailer virus and Internet worms that disrupted networks and business processes, modern malware is designed to blend into the IT background as it compromises multiple systems, performs network reconnaissance, steals user credentials, and exfiltrates sensitive data. These activities tend to look like normal network and system behavior to a wide variety of security prevention and detection tools. Patient adversaries are willing to let APTs play out over months or years in order to reach their ultimate goals.
ESG Brief: Addressing APTs and Modern Malware with Security Intelligence 3 Many security professionals don t really understand modern malware techniques. An enterprise security team is a busy group that is called upon to secure the network and put out security fires constantly. In many cases, day-to-day responsibilities get in the way of additional training. As a result, many security professionals don t really understand today s cybersecurity adversaries, the cybercrime market, or modern malware techniques. Recent ESG research illustrates this issue. In spite of widespread APT publicity since the Google Aurora attack in 2010, only 11% of enterprise security professionals are very familiar with the APT lifecycle. Alarmingly, 44% are either not very familiar or not at all familiar with the APT lifecycle (see Figure 2). 2 In spite of security professionals intentions, it is simply impossible to defend against malware tactics that they don t really understand. Figure 2. Familiarity with Lifecycle for APTs and Targeted Attacks Security researchers have identified a lifecycle for APTs and targeted attacks that includes the following phases: Initial compromise, establish foothold, escalate privileges, internal reconnaissance, lateral movement, and data exfiltration. How familiar are you with this APT/targeted attack lifecycle? (Percent of respondents, N=315) Not at all familiar, 5% Very familiar, 11% Not very familiar, 39% Familiar, 44% What s Needed? Unfortunately, no magic bullet can eliminate modern malware threats, so CISOs must assess and address weaknesses across security personnel, processes, and technology. Furthermore, even organizations with strong security skills and resources should be open to enhancing internal capabilities with third-party help. Along these lines, ESG has found that many leading security organizations are supplementing homegrown security efforts with external security intelligence for analysis and proactive remediation. According to ESG research, 29% of security professionals believe that commercial threat intelligence is highly effective in helping their organizations address risk, while another 66% claim that commercial threat intelligence is somewhat effective in helping their organizations address risk (see Figure 3). 3 2 Source: ESG Research Report, Advanced Malware Detection and Prevention Trends, September 2013. 3 Source: ESG Research Report, The Emerging Intersection Between Big Data and Security Analytics, November 2012.
ESG Brief: Addressing APTs and Modern Malware with Security Intelligence 4 Figure 3. Effectiveness of Commercial Threat Intelligence to Help Organizations Address Risk How effective is commercial threat intelligence in terms of helping your organization address risk? (Percent of respondents, N=143) Not very effective, 6% Highly effective, 29% Somewhat effective, 66% When used in a proactive manner, security intelligence can act as a countermeasure for APTs and sophisticated malware. This can be done by: Blocking phishing sites used for malware proliferation and credential harvesting. Cybercriminals often rely on phishing sites for malware distribution and for obtaining access credentials for other resources within an organization. Leading security intelligence technology uses advanced machine learning and extensive analysis to identify phishing sites, manipulated URLs, and malicious behaviors. This intelligence can be integrated into endpoint security software and gateway devices to block known phishing sites and counteract initial malware proliferation. Detecting and blocking known malicious IP addresses. Some hackers go out of their way to disguise their locations and may even vary attack types emanating from various servers, but it is not unusual for black hats to use the same systems as core infrastructure for a variety of malicious activities. Strong IP reputation intelligence can correlate these activities, identify bad actors, and create dynamic black lists. This intelligence can be added to endpoint security and perimeter security appliances in order to prevent any communications with these malicious servers. Using web reputation for blocking command-and-control (C&C) communications and data exfiltration. Cybercriminals often use compromised websites for malware distribution, C&C, or as staging areas for data exfiltration. While it is no easy task to keep track of hundreds of millions of websites and billions of URLs, leading security intelligence constantly reevaluates websites to identify new web threats. When integrated with endpoint and gateway defenses, this intelligence can help protect users from accessing compromised domains and malicious URLs. CISOs should start with strong malware technology controls that act as a layered defense across endpoints, servers, and networks. Security intelligence should be integrated into these controls to create dynamic defenses that automatically adjust to a changing threat landscape. Security professionals must remain vigilant as stealthy malware will still circumvent strong security controls and integrated security intelligence from time to time. Nevertheless, integrated security intelligence can certainly help CISOs decrease risk and automate remediation actions.
ESG Brief: Addressing APTs and Modern Malware with Security Intelligence 5 Webroot Security Intelligence Partnering Program How can security intelligence be integrated into an enterprise security infrastructure? CISOs can cobble a solution together, but it would certainly be easier to purchase security technologies that already interoperate with leading security intelligence feeds. Webroot, a threat intelligence leader, is pursuing this latter option by partnering with leading security device manufacturers like Cisco, F5 Networks, and Palo Alto Networks. Webroot s IP reputation, web reputation, and real-time anti-phishing services provide vendors valuable intelligence for identifying and preventing APT attacks. With more enterprises using security intelligence for risk mitigation, ESG believes that other endpoint and network security technology vendors would be wise to knock on Webroot s door. The Bigger Truth It s time for enterprise CISOs to face facts. Cybercriminals are highly skilled, extremely organized, and well-funded. In too many cases, cybercrime does pay. No one can hide from today s cyber attacks; they are ubiquitous and increasingly damaging. Enterprises can no longer rely on manual processes, point tools, and over-worked security professionals for proper protection. They need help and they need it now. Smart CISOs should consider: Modern malware defenses that use heuristics, advanced machine learning, and algorithms (as well as signatures) for malware detection. A defense-in-depth security architecture that helps protect the network at each phase of the APT lifecycle. Integrated security intelligence for dynamic risk management. Large organizations will still need leading-edge security analytics and a number of highly skilled security analysts, but this combination of defenses should certainly help lower risk and streamline security operations. All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.