Traditional Defences Can’t Stop APT, Zero-Day Threats

Security vendor warns that antivirus and intrusion prevention are not enough to stop cyber-attackers

So long as organisations continue to invest in security products that are defensive, cyber-attackers will continue to successfully breach networks and steal information, warned a security expert.

Organisations have invested in traditional defences that are “fundamentally reactive” as they rely on known methods of attack, Ashar Aziz, CEO, CTO and founder of FireEye, told eWEEK. The fact that defence contractors Lockheed Martin, L-3 Communications and Northrop Grumman or companies like Dow Chemical and Google are hit by cyber-attacks is not because they “forgot to do something”, but because the vulnerability is systemic and pervasive across all organisations, according to Aziz.

Zero Day Changes Everything

Firewalls, antivirus, email filters, Web gateway, intrusion prevention systems and other security products are “obsoleted” by the current threat, because they tend to use unexpected attack vectors or exploit zero-day vulnerabilities. These existing products all require the threat to be analysed, understood, and a signature, patch or policy created to detect and block future incidents. The “biggest security handicap” is that organisations invested in technology that depends on defensive mechanisms, Aziz said.

“The underlying story is that virtually every organisation – whether it’s a financial services company, a large company like Google, or a technology company like Juniper Networks – is equally vulnerable to attack,” Aziz said.

To illustrate his point, Aziz mentioned two FireEye customers, both defence contractors, who recently deployed FireEye’s Malware Protection System (MPS) “downstream” from their existing security products. Within 24 hours, the MPS had detected a number of threats that had slipped past the other systems, Aziz said.

“Every organisation allows Web pages to come in. They don’t know which pages are going to attack and which ones are safe,” Aziz said.

FireEye MPS creates a virtual execution environment to processes all content that enters the network. As soon as the virtual environment notices suspicious activity, whether it is a new process running, a processing being arbitrarily shut off (such as the antivirus), or some other unexpected change to the environment, the system blocks the malware from continuing to execute. Once detected, MPS logs the events in real-time to track what the malware is doing, such as installing a keylogger. The MPS can work with email to examine all incoming messages and attached files, as well as process Web pages while the user is surfing the web.

Aziz compared letting the Web site or email attachment execute in the virtual environment to sending a canary down into the coal mine. “If the canary dies, there’s malware,” Aziz said.

Existing security products tend to be reactive to the threat and are incapable of protecting yesterday’s threats, not the latest attack. However, attackers are continuously evolving their methods and testing malware against the same security products to ensure they can be bypassed. What organisations need to do is to deploy “second-generation” security tools to “augment” existing security products, Aziz said.

There are more nation-sponsored, advanced persistent threats, but they are not the only kind of attacks. Cyber-criminal motivated attacks are equally successful in infiltrating and compromising organisations, precisely because they use stealth tactics. Security products fail at “counter-stealth”, according to Aziz

Invincea’s Protective Bubble

Invincea is another company that believes a virtual environment was necessary to trap threats from executing on the network. Unlike FireEye, Invincea just puts the entire user into a “protective bubble” when surfing the Web or opening up a PDF file, said Anup Ghosh, founder and chief scientist of Invincea. The Web browser and PDF reader open in a virtual environment so malicious scripts and programs cannot damage the user’s computer or spill into the rest of the network, according to Ghosh.

The user has become the primary target for our adversaries, regardless of whether the attacks are launched by cyber-criminals or nation-states, Ghosh said. “Regardless of all the patches applied to technology, one cannot apply a patch to Layer 8- the human brain,” said Ghosh. Curious users make mistakes that result in the network getting “pwned” and intellectual property “exfiltrated, “ he said.

“So far, the bad guys keep showing they’re getting better and smarter and rather than being proactive about potential threats and attacks, the security industry is still reactive,” said Ghosh.