The world is becoming ever more digital. In developed countries, it's common for people to use multiple digital devices and live a near-permanently internet-connected life — at home, at work and in transit. Developing nations are getting online fast too, and will naturally seek to reap the same benefits of digital connectivity. At the same time, the environment we all inhabit is becoming increasingly digital, with sensors attached to all manner of objects forming the Internet of Things. All this is generally seen as A Good Thing.
But it's not only benefits that flow from high levels of connectivity. Cybercrime, cyberwar and 'hacktivism' are all nefarious digital activities — respectively designed to steal assets, confound an enemy state or make a political point — that form the inevitable 'dark side' to the digital life. If we're to continue to reap the benefits of internet connectivity, then security vendors and professionals must keep up to speed in the arms race with the bad guys.
In the past, enterprise security was all about circling the wagons and making sure you only had friendly folks on the inside: firewalls, intrusion prevention systems (IPS) and secure email/web gateways looked after the perimeter, with antivirus software and other endpoint protection solutions providing additional security. Then the digital world changed with the widespread use of mobile devices (many brought into work as part of BYOD programmes), social networks and public cloud services. Now the (increasingly sophisticated) cybercriminals had myriad new ways of gaining access to organisations' more extended digital assets: mobile platforms (iOS, Android) that are less well protected than Windows (the traditional target for malware); information on social networks that can be used to help break into online accounts or hone 'spear phishing' expeditions; public cloud services with variable levels of security, for example.
Advanced Persistent Threats
Today, organisations increasingly need to protect against multi-faceted 'advanced persistent threats' (APTs — also known as 'advanced targeted attacks', or ATAs), whose key attributes are: the use of social engineering (such as spear phishing) to gain initial entry to a target organisation's network and execute a zero-day attack; the acquisition of privileges to further penetrate the target network; the establishment of communication links with external 'command and control' (C&C) servers; the theft or compromise of assets; and the covering of tracks after completing the mission.
APTs use multiple tools and techniques to achieve their ends, and are by definition aimed at remaining undetected beneath the target organisation's security radar for considerable periods of time. This means that novel countermeasures are required to combat these next-generation threats. However, as former Symantec CEO and current FireEye board member Enrique Salem points out, this may not be as widely appreciated as it should be: "Security professionals probably do have an understanding [of the next-generation threat landscape]; the rest of the organisation probably doesn't yet. People have dealt with viruses for a long time: with APTs, the whole idea is, it's supposed to be stealth — that's where the education has to come in."
Rather than identifying and neutralising specific known threats, as traditional anti-malware solutions do, what's needed is an immune-system-like response from an organisation's digital defences where continuous monitoring allows previously unknown malware to be detected, quarantined, analysed and exterminated before it can damage the host network or plunder its resources.
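The contrast drawn above, between matching known indicators and continuously monitoring for behaviour that no signature describes, is illustrated by the following added Python example. It is not code from the original article or from any vendor it mentions. It runs a blocklist check and a simple beaconing heuristic over a few constructed proxy log lines (hostnames, timestamps and the `ws-17` workstation name are all made up); the blocklist finds nothing because the relay host has never been seen before, while the timing heuristic flags it because an implant checking in with its C&C server tends to connect at very regular intervals, which ordinary browsing does not.

```python
"""Toy comparison of signature matching versus behavioural monitoring.

Added example (not from the article). All hostnames, timestamps and the
blocklist entry are constructed; the thresholds are illustrative only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: "<epoch seconds> <internal host> <destination> <bytes>"
SAMPLE_LOG = """\
1000 ws-17 cdn.example-news.test 51200
1031 ws-17 cdn.example-news.test 4096
1300 ws-17 updates.example-vendor.test 1048576
1600 ws-17 a1b2.example-relay.test 312
2200 ws-17 a1b2.example-relay.test 298
2800 ws-17 a1b2.example-relay.test 305
3401 ws-17 a1b2.example-relay.test 311
4000 ws-17 a1b2.example-relay.test 300
4599 ws-17 a1b2.example-relay.test 307
2250 ws-17 cdn.example-news.test 20480
3900 ws-17 cdn.example-news.test 8192
"""

# Constructed blocklist standing in for a traditional signature feed.
KNOWN_BAD_HOSTS = {"evil.example.test"}


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((int(ts), src, dst, int(nbytes)))
    return events


def signature_hits(events, blocklist):
    """Signature-style check: report only destinations already known to be bad."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in blocklist})


def find_beacons(events, min_connections=5, max_cv=0.05):
    """Behavioural check: flag (src, dst) pairs whose connection gaps are
    nearly constant, measured by the coefficient of variation (stdev / mean).
    A previously unseen destination is caught on timing alone."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        stamps_by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            flagged[pair] = {
                "connections": len(stamps),
                "mean_interval_s": round(avg_gap, 1),
                "cv": round(cv, 4),
            }
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("signature hits:", signature_hits(evts, KNOWN_BAD_HOSTS))
    for pair, info in find_beacons(evts).items():
        print("periodic outbound traffic:", pair, info)
```

In practice the heuristic would run over far longer windows and be combined with other signals (byte counts, destination reputation, process lineage), but the point the paragraph makes survives the simplification: the relay host is found because of how it behaves, not because anyone had seen it before.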
In this overview, we assess the current frequency and cost of cyberattacks (on businesses mainly), explain why traditional tools are no longer sufficient to maintain security in the modern threat landscape, and look at some of the new breed of 'in-network malware analysis' tools that are designed to thwart APTs and ATAs.