The world is becoming ever more digital. In developed countries, it's common for people to use multiple digital devices and live a near-permanently internet-connected life — at home, at work and in transit. Developing nations are getting online fast too, and will naturally seek to reap the same benefits of digital connectivity. At the same time, the environment we all inhabit is becoming increasingly digital, with sensors attached to all manner of objects forming the Internet of Things. All this is generally seen as A Good Thing.
But it's not only benefits that flow from high levels of connectivity. Cybercrime, cyberwar and 'hacktivism' are all nefarious digital activities — respectively designed to steal assets, confound an enemy state or make a political point — that form the inevitable 'dark side' to the digital life. If we're to continue to reap the benefits of internet connectivity, then security vendors and professionals must keep up to speed in the arms race with the bad guys.
In the past, enterprise security was all about circling the wagons and making sure you only had friendly folks on the inside: firewalls, intrusion prevention systems (IPS) and secure email/web gateways looked after the perimeter, with antivirus software and other endpoint protection solutions providing additional security. Then the digital world changed with the widespread use of mobile devices (many brought into work as part of BYOD programmes), social networks and public cloud services. Now the (increasingly sophisticated) cybercriminals had myriad new ways of gaining access to organisations' more extended digital assets: mobile platforms (iOS, Android) that are less well protected than Windows (the traditional target for malware); information on social networks that can be used to help break into online accounts or hone 'spear phishing' expeditions; public cloud services with variable levels of security, for example.
Advanced Persistent Threats
Today, organisations increasingly need to protect against multi-faceted 'advanced persistent threats' (APTs — also known as 'advanced targeted attacks', or ATAs), whose key attributes are: the use of social engineering (such as spear phishing) to gain initial entry to a target organisation's network and execute a zero-day attack; the acquisition of privileges to further penetrate the target network; the establishment of communication links with external 'command and control' (C&C) servers; the theft or compromise of assets; and the covering of tracks after completing the mission.
APTs use multiple tools and techniques to achieve their ends, and are by definition aimed at remaining undetected beneath the target organisation's security radar for considerable periods of time. This means that novel countermeasures are required to combat these next-generation threats. However, as former Symantec CEO and current FireEye board member Enrique Salem points out, this may not be as widely appreciated as it should be: "Security professionals probably do have an understanding [of the next-generation threat landscape]; the rest of the organisation probably doesn't yet. People have dealt with viruses for a long time: with APTs, the whole idea is, it's supposed to be stealth — that's where the education has to come in."
Rather than identifying and neutralising specific known threats, as traditional anti-malware solutions do, what's needed is an immune-system-like response from an organisation's digital defences where continuous monitoring allows previously unknown malware to be detected, quarantined, analysed and exterminated before it can damage the host network or plunder its resources.
In this overview, we assess the current frequency and cost of cyberattacks (on businesses mainly), explain why traditional tools are no longer sufficient to maintain security in the modern threat landscape, and look at some of the new breed of 'in-network malware analysis' tools that are designed to thwart APTs and ATAs.
The frequency and cost of cyberattacks
What is the scale, nature and cost of cybercrime for businesses today? To address this question, security research firm The Ponemon Institute has conducted a series of 'Cost of Cyber Crime' surveys over the past four years, with the most recent 2013 study covering 234 organisations in six countries.
The Ponemon Institute's 2013 survey finds that the average annualised cost of cybercrime per organisation is $7.2 million (range $0.375m-$58m), which represents a 30 percent increase over the comparable 2012 figure. Data was generated from a 4-week period in which surveyed organisations saw an average of 1.4 successful cyberattacks per week — a 20 percent increase on the previous year's survey. There is considerable variation in cybercrime cost among the six countries represented, with the US taking the brunt of the financial hits.
What kinds of cyberattacks are involved in generating these costs? The Ponemon survey finds that denial of service (DoS) attacks account for the highest percentage of costs in both smaller (16%) and larger (22%) organisations. The biggest attack-type discrepancies based on organisation size are for viruses, worms and trojans, and phishing and social engineering (both 1.7x more prevalent in smaller organisations), malware (2.5x) and botnets (2.7x). Larger organisations' coffers, meanwhile, are hit hardest by DoS, malicious insiders and web-based attacks.
A wide range of industry sectors are represented in the 2013 Ponemon survey, which indicates that organisations in three areas — defence, financial services and utilities & energy — experience significantly above-average costs due to cybercrime. At the other end of the scale, the least affected sectors are retail, media and consumer products.
When you consider the value or significance of the assets 'on offer', so to speak, this pattern — which is consistent across the four years of Ponemon's cybercrime surveys — is not unexpected.
One of the most significant statistics in the Ponemon survey is the average number of days required to resolve different types of cyberattack, which ranges from 2.6 days for viruses, worms and trojans up to 53 days for malicious insider attacks.
As a result, although malicious insider attacks are the least frequent (suffered by 38% of organisations compared to 99% for malware), they are the most costly per attack ($154,453 compared to $491 for malware).
When it comes to the direct, indirect and opportunity costs of cybercrime, the number-one external cost is business disruption (downtime and unplanned outages that interfere with data processing), followed closely by information loss (loss or theft of sensitive and confidential information).
Turning to internal costs, the list is headed by detection (activities that allow the detection and possible deterrence of cyberattacks) and recovery (activities associated with restoring systems and core business processes after a cyberattack).
The Ponemon Institute's report is just one of many cybercrime surveys released in 2013. Here are brief summaries of the main findings of some notable ones:
Internet Security Threat Report 2013
According to Symantec's annual Internet Security Threat Report, half of all targeted cyberattacks in 2012 were directed at businesses with fewer than 2,500 employees, the largest growth area being small businesses with fewer than 250 employees (31 percent of attacks). Smaller businesses make easier targets because they often have less effective defences than large enterprises — something that's also exploited in so-called watering hole attacks: here, a large enterprise is breached by infecting the website of a carefully chosen smaller business and waiting for a visit from the ultimate target.
Other key trends noted were: the harvesting of personal information on selected individuals to create targeted attacks; a 58 percent increase in mobile malware over the previous year (mostly targeted at the Android platform); an increase in the number of exploitable zero-day vulnerabilities; and the suggestion that some apparent hacktivism attacks are actually fronts for nation states.
Looking forward, Symantec expects to see more state-sponsored cyberattacks; sophisticated cyberwar/espionage techniques trickling down to 'regular' cybercrime; social media becoming a major security battleground; more attacks on cloud service providers; increasingly vicious malware, such as ransomware; more mobile malware; and ever-more persistent and sophisticated phishing attacks.
2013 Trustwave Global Security Report
Trustwave's analysis of its 2012 data reveals that retail businesses bore the brunt of cyberattacks, accounting for 45 percent of its investigations. Web applications were the most popular attack vector (48%), while mobile malware saw a fourfold increase over 2011 (as did the amount of Android-targeted malware). Outsourced IT support — a potential source of security vulnerability — was present in 63 percent of Trustwave's investigations, while the average time from initial security breach to detection was 210 days. Patching rates for zero-day vulnerabilities were worst on the Linux platform, the average delay being nearly three years. Trustwave also found that some 10 percent of spam email (which still comprises around three-quarters of a typical organisation's inbound email) was malicious, and that half of the three million user passwords analysed were of bare-minimum strength.
2013 Information Security Breaches Survey
This survey, conducted by PwC on behalf of the UK's Department of Business, Innovation and Skills (BIS), noted a continuing increase in the number of security breaches, particularly in small businesses with fewer than 50 employees (87%, up from 76% the previous year). The median number of breaches in large businesses with over 250 employees was 113 (up from 71) and 17 for small businesses (up from 11), while the average cost of the year's worst breach was £450,000-£850,000 for large companies and £35,000-£65,000 for small companies. Outsiders caused the most breaches in large businesses (78% attacked, 39% hit by DoS attacks, 20% with network penetration, 14% aware of IP or confidential data theft), but small businesses are increasingly in the firing line too (63% attacked, 23% hit by DoS, 15% with network penetration, 9% aware of IP or data theft). Staff are increasingly involved in security breaches, with 36 percent of the year's worst breaches caused inadvertently and 10 percent deliberately.
The PwC/BIS survey found that UK businesses generally give security a high or very high priority (81%) and that 10 percent of the IT budget is typically spent on security. However, 43 percent of large organisations provide no ongoing security awareness training for their staff and only 53 percent of companies are confident that they'll have sufficient security skills to manage risks over the next year.
Beyond traditional cyberdefences
Traditional anti-malware tools rely on security vendors having first analysed the malware to extract signatures, which are then regularly updated on customers' systems. But what about new and unknown malware, which could be used by cybercriminals to execute a zero-day attack? Or encrypted/polymorphic malware code that hides its nature and changes each time it runs, avoiding detection by constantly mutating? Counteracting such malware requires a method of detecting potential threats in real time, or near-real-time. This is where automatic malware analysis — and, more generally, next-generation threat protection — comes in.
One style of automatic malware analysis creates a quarantined virtual execution environment (also known as a 'sandbox') that replicates the (usually Windows-based) target for suspected malware and observes its behaviour — extracting details about the payload that can be translated into a signature, and looking for attempts to establish contact with command-and-control servers, for example.
Naturally, cybercriminals are aware of such techniques, and develop ways to detect whether their malicious code is being analysed in a virtual environment, biding its time before infecting the ultimate target. Tricks used by VM-aware malware include looking for human interaction (mouse clicks, responses to dialogue boxes), evading malware analysis schedules, or detecting the characteristic signs of a virtual environment.
FireEye's Enrique Salem believes his company's 'multi-vector execution' (MVX) solution is keeping pace with the bad guys in this respect: "The art for us is that we know how to emulate the user. We do detection on the inbound, and on anything that's trying to communicate. We don't need to know what the attack looks like beforehand: we just need to know the behaviours that are malicious."
Key to the success of this and any other cybersecurity solution is the ability to analyse a wide range of file types and behaviours, and steer an optimal path between identifying false positives (which interfere with legitimate business processes) and false negatives (which leave the organisation open to attack). Security vendors will ideally co-ordinate the (anonymised, metadata-based) threat intelligence gathered from their customers and partners in a cloud-based repository, creating a positive feedback loop into the overall threat protection system.
Other solutions target different levels of the IT stack — from monitoring network packets and flows for suspicious behaviour, up to application controls. To be truly effective, a next-generation threat protection system needs to be able to collate multi-faceted intelligence — about spear-phishing emails, suspicious files, contact with external command-and-control servers and anomalous flows of data (often encrypted) out of the network, for example — to build up a complete picture of an advanced persistent attack and defeat it.
These next-generation threat protection solutions (leading vendors of which are covered below) form an additional line of defence on top of traditional firewalls, intrusion prevention systems, secure email/web gateways and endpoint protection solutions. It's important to note that both approaches are required to deliver an acceptable level of security: think of traditional anti-malware tools as uniformed police chasing and apprehending known villains, and the next-generation solutions as plain-clothes detectives seeking shadowy wrongdoers who have yet to acquire a criminal record.
Next-generation threat protection: approaches and vendors
Next-generation threat protection solutions typically come as custom-built rackmount appliances that sit inside an organisation's network and inspect inbound and outbound email, web and file-share traffic, and also files at rest, for suspicious behaviour or characteristics in near-real/real time. Cloud-based services are also available to do a similar job for smaller businesses that don't want to invest in the high-performance hardware required, although they'll need to be aware of potential issues with file-type coverage, scalability and data protection.
Research firm Gartner has recently made a useful classification of approaches to next-generation threat defence, based on a 3-by-2 matrix of where to look (at network traffic, malware payloads or endpoints) and the timescale involved (near-real/real time or post-compromise).
This leads to five styles of advanced threat defence, based on the intersections of the rows and columns (the payload/post-compromise cell clearly being irrelevant):
Network Traffic Analysis
Analysing network protocol and/or content traffic in real time allows security professionals to establish a baseline for 'normal' activity so that anomalous patterns can be detected. Leading vendors in this area, according to Gartner, include Arbor Networks, Damballa, Fidelis Cybersecurity Solutions, Lancope and Sourcefire (now part of Cisco).
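As an added illustration of the baseline-then-anomaly idea described above (and of the anomalous outbound flows and command-and-control contact mentioned earlier), the following is example code written for this overview, not a product from any vendor named here. It learns each internal host's normal outbound volume from a set of constructed flow records, then flags flows far above that baseline, hosts with no baseline at all, and host-to-destination pairs that connect at suspiciously regular intervals. All addresses, hosts and timings are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_s, src_host, dst_ip, bytes_out).
# Baseline window: a quiet period of small transfers from two internal hosts.
BASELINE_FLOWS = [
    (0, "10.0.0.5", "192.0.2.10", 1200), (700, "10.0.0.5", "192.0.2.11", 950),
    (1500, "10.0.0.5", "192.0.2.12", 1800), (3000, "10.0.0.5", "192.0.2.10", 1100),
    (4200, "10.0.0.5", "192.0.2.13", 1400), (100, "10.0.0.8", "192.0.2.20", 600),
    (900, "10.0.0.8", "192.0.2.21", 800), (2500, "10.0.0.8", "192.0.2.20", 700),
    (3900, "10.0.0.8", "192.0.2.22", 650),
]
# Observed window: 10.0.0.5 pushes 50 MB to one external address, 10.0.0.8
# contacts one address every 60 s, and 10.0.0.3 has no baseline at all.
OBSERVED_FLOWS = [
    (86400, "10.0.0.5", "192.0.2.10", 1300),
    (86900, "10.0.0.5", "203.0.113.7", 50_000_000),
    (86410, "10.0.0.8", "192.0.2.20", 700),
    (86500, "10.0.0.3", "192.0.2.30", 900),
] + [(86400 + 60 * i, "10.0.0.8", "198.51.100.9", 300) for i in range(6)]


def build_baseline(flows):
    """Per-source mean and standard deviation of bytes_out (std floored at 1)."""
    per_host = defaultdict(list)
    for _, src, _, size in flows:
        per_host[src].append(size)
    return {src: (mean(v), max(pstdev(v), 1.0)) for src, v in per_host.items()}


def flag_volume_anomalies(flows, baseline, z_threshold=3.0):
    """Return (src, dst, bytes, z) for flows far above a host's normal volume.
    A host absent from the baseline is reported with z=None: it cannot be
    judged against 'normal', so it is surfaced rather than silently passed."""
    hits = []
    for _, src, dst, size in flows:
        if src not in baseline:
            hits.append((src, dst, size, None))
            continue
        mu, sigma = baseline[src]
        z = (size - mu) / sigma
        if z > z_threshold:
            hits.append((src, dst, size, round(z, 1)))
    return hits


def flag_beacons(flows, min_connections=5, max_cv=0.1):
    """Return (src, dst, count, interval_s) for host pairs that talk at
    near-fixed intervals. Human-driven traffic is bursty; a very regular
    inter-arrival time is one behaviour a C&C check-in tends to show."""
    times = defaultdict(list)
    for t, src, dst, _ in flows:
        times[(src, dst)].append(t)
    beacons = []
    for (src, dst), ts in times.items():
        if len(ts) < min_connections:
            continue
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beacons.append((src, dst, len(ts), round(mean(gaps))))
    return beacons


def analyse(baseline_flows=BASELINE_FLOWS, observed_flows=OBSERVED_FLOWS):
    baseline = build_baseline(baseline_flows)
    return {"volume": flag_volume_anomalies(observed_flows, baseline),
            "beacons": flag_beacons(observed_flows)}
```

The thresholds (z-score of 3, five connections, 10 percent interval variation) are illustrative; in practice they are tuned per network to balance the false positives and false negatives discussed above.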
Network Forensics
Incident response teams, in particular, need access to network forensics tools that perform full-packet capture and metadata extraction, and provide sophisticated analytics and reporting capability, along with high-capacity storage. Leading vendors in this area, according to Gartner, include Solera (a Blue Coat company) and RSA NetWitness.
Payload Analysis
This is where the aforementioned sandboxing solution, which can reside in an on-premise appliance or (with caveats) in the cloud, comes in. Malware behaviour is observed and characterised in near-real-time, capturing threats that are missed by signature-based tools. Leading vendors in this area, according to Gartner, include: AhnLab, Check Point (ThreatCloud Emulation Service), FireEye, Lastline, McAfee, Palo Alto Networks (WildFire), ThreatGRID and Trend Micro (Deep Discovery).
Endpoint Behaviour Analysis
Although it can be an operational headache, endpoint behaviour analysis (in the form of application virtualisation and containment, system configuration monitoring, memory monitoring, process monitoring and application whitelisting) can offer protection to mobile devices that are off the enterprise network. There are potential issues in the shape of OS support and device resource usage though. Leading vendors in this area, according to Gartner, include: Blue Ridge Networks, Bromium, Invincea, Sandboxie and Trustware (application containment); Cyvera, ManTech/HBGary (Digital DNA) and RSA Ecat (memory monitoring); and Triumfant (system configuration & process monitoring).
Endpoint Forensics
On-device data-collection agents can help incident response teams characterise malware attacks, but this type of solution does not block attacks as they occur, and places another heavy operational burden on the IT team. Leading vendors in this area, according to Gartner, include Bit9, Carbon Black, Guidance Software (EnCase Analytics), Mandiant and ManTech/HBGary (Responder Pro).
As Gartner points out, an optimal next-generation threat protection strategy will usually involve at least two of these 'styles' — for example network traffic analysis plus network forensics, or payload analysis and network forensics.
Cybersecurity is obviously vital in today's hyper-connected world, but there's a balance to be struck between maintaining organisations' digital defences and allowing them to go about their business without undue hindrance. That said, it's clear that new 'next-generation' approaches are required as organisations become more mobile, more social, more reliant on cloud services and less focused on the Windows platform, and threats become more complex and multi-faceted.
Looking beyond the immediate security threats to businesses and their customers, it's also clear that digital innovation will increase the attack surface for cybercriminals, which in turn will demand forward planning and vigilance from security professionals. A recent survey from Ernst & Young (EY) asked respondents about their familiarity with a range of existing, new and emerging technologies, their capability to address associated security issues, and the importance they placed on the different technologies.
Although there's an expected correlation between familiarity, confidence and importance, it's worth noting that the rankings (40-70 percent) for current technologies such as smartphones and tablets, web applications and social media are arguably not as high as they should be, and that emerging technologies such as big data, 'bring your own' cloud, the internet of things, digital money and cyber havens have very low rankings (<40 percent). This will require attention if cybercriminals are not to be presented with new opportunities for mischief.
Unfortunately, as in many areas of IT, there's a shortage of suitably skilled security professionals. In EY's above-mentioned survey, for example, 50 percent of respondents cite a lack of skilled resources as a barrier to value creation, while 31 percent feel that executive-level awareness and support is lacking.
FireEye's Enrique Salem echoes these findings: "I think there's a lack of security professionals, and this is a big issue globally — the threats have become more complex, so you need more focus and expertise." Salem also believes that the role of chief information security officer (CISO) needs a boost: "They [CISOs] absolutely need more visibility: a lot of regulations are coming out to make it mandatory for public companies that if you have a breach, you have to disclose it, so the audit committees of the board are going to want lots of information about what's happening. The role of the CISO will have to be very visible — not just to internal constituents, but externally as well."
Current working practices and the evolving digital landscape make it impossible for organisations to adopt a fortress mentality. Employees routinely use mobile devices to access social networks and 'bring your own' cloud services, increasingly on non-Windows platforms — all of which makes it easier for cybercriminals to penetrate enterprise and other networks. Next-generation cyberdefences, as outlined here, will help, but developments such as the internet of things will vastly expand the global attack surface. The cybersecurity arms race continues, and the stakes are getting higher.