Advanced threats are becoming a constant problem for companies these days, and oftentimes, taking the matter into their own hands is not enough to prevent cyber-attacks and information leaks.
Among the attack vectors leveraged by threat actors are personal devices of employees used irrespective of the BYOD and app policy of the company; however, setting up measures that would limit the entry points into the organization's systems via personal devices is not enough to keep offenders at bay.
The team behind Cyphort security firm created a proactive product capable of detecting the type of cyber incidents in a company and identifying their operators. The result is a software distributed solution that can be deployed “in less than 20 minutes in massively scaled enterprises,” CTO and co-founder Ali Golshan says.
The product relies on machine learning to keep up with the evolution of the threats based on intrusion indicators, which allows adaptation to the new methods used to put the company data at risk.
Anthony James, Vice President of Marketing and Products at Cyphort, offered in an interview some interesting insight on what enterprises can do to guard from unauthorized access to sensitive areas of their network.
He also provides a brief analysis of the characteristics of advanced persistent threats and the latest trend in leveraging them by malicious adversaries.
How dangerous is a lax BYOD policy?
Practically speaking, a lax BYOD policy will increase the organization’s overall risk posture. But the same can be said of any lax security policy.
From what we have seen, the behavior of the user is just as critical as the integrity of the device, and even if a device is properly configured, if it can still get infected by malware that can change its settings.
Attacks these days are sophisticated to the point where an employee using a corporate-owned device can visit an “approved” website, and even if they don’t click on anything, they can unwittingly become infected and bring that infection back into the organization. That’s why it is important to realize that it’s not the device – it’s the content that is exploiting the user/device. And that’s why – that is why continuous monitoring is so important – it enables security teams to focus equally on containment and remediation, in addition to detection.
Most of the times, employees do not respect a strict BYOD policy; what can be done to make sure that the company security standard, as far as use of personal devices goes, is respected? Is restricting personal apps at the work place a good security solution?
Again – it is not so much about the device as much as the content. A strong BYOD policy (at least in my opinion) is better than a lax one, but it will not negate the need for other controls.
The odds are in favor of a motivated and skilled attacker finding their way onto their target’s network. While a lax BYOD policy could possibly result in additional points of entry for an attacker, a user owned device is not inherently easier to exploit then a corporate owned device.
As far as restricting personal apps in the workplace – just like a well thought through BYOD policy can be a huge asset, so can a good app policy. However, interestingly enough, we have yet to see major breaches coming in via mobile – at least not yet. In fact, oftentimes attackers look for weaknesses in older, obscure enterprise software – residing on mainframes and the like.
How can enterprises protect themselves against advanced threats that reach company systems via employee devices?
While users continue to be the weakest link in enterprise security, it is mainly due to their behavior, not their devices. In fact, despite widespread education about phishing, it still remains one of the top ways malware penetrates a corporate network.
Smart CISO’s understand that given the nature of today’s threat landscape, their organization is going to be breached and have focused their efforts on making sure they have the tools and processes in place to identify and contain threats on the network.
One of the most effective ways an organization can shut down attacks that found their way in through an employee-owned device or some other method is to actively look for them, via continuous network monitoring.
Because today’s networks are so complex, network monitoring should be as automated as possible. Otherwise, security managers will spend inordinate amount of time manually correlating threat intelligence against the plethora of events detected by their internal systems. That kind of correlation is an extremely time consuming task – one that quite frankly, is better suited for computers than humans.
And, you need to monitor incoming AND outgoing traffic. We’ve found that due to the nature of their previous security investments (such as firewalls and AV, for example), most companies have more and better controls for monitoring incoming traffic. As a result, they don’t pay close enough attention to what is LEAVING the network. Outbound traffic to known bad sites or to unknown sites with little reputational data are two very obvious signs that there is an APT somewhere on the network.
This is not to say organizations should not bother with endpoint controls – they should. But especially if a company wants to benefit from BYOD, chances are they are not going to harden employees’ personal devices to the extreme, or users will likely disable the security controls. Or, if they don’t, then the BYOD policy is strict enough that the security posture of users devices are those of corporate-owned devices, making them no greater a threat vector than a corporate-owned laptop or desktop.
But again – just as you want to prevent bad guys from getting in, you want to place equal emphasis on network monitoring to prevent sensitive data from getting OUT.
What are the characteristics of an Advanced Persistent Threat? Have the threat vectors and the modus operandi of the attackers changed lately? If so, how?
There are many different definitions of APT, but in layman’s terms, an advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time, usually in order to steal (or “exfiltrate”) information. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.
In a simple attack, the intruder tries to get in and out as quickly as possible in order to avoid detection.
In an APT attack, however, the goal is not to get in and out but to achieve ongoing access. To maintain access without discovery, the intruder must continuously rewrite code and employ sophisticated evasion techniques. Some APTs are so complex that they require a full time administrator.
An APT attacker often uses spear fishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, there are a number of ways it can accomplish what it set out to do.
So, to sum up, the three main characteristics of an APT are:
1) They are coded in a way that enables them to get through static security controls such as firewalls, AV systems, and Secure Web Gateways.
2) They are designed to compromise and end user system in a way that is “under the covers” and seek out very specific data – such as user credentials, for the purpose of stealing data from the organization
3) Once they find the information they want to steal, they steal it – the process of transferring that data outside the network is commonly referred to in security circles as exfiltration.
As far as recent changes in the landscape: We have seen a trend away from infecting documents to infecting web content as part of a “drive-by” attack that infects users accessing web content without them having to do anything (such as click on a link or enter information into a web form).
In the recent past, there have been a lot of malware being embedded in PDFs because they are widely used and will be “approved” by AV systems and firewalls for entry into the network.
Lately, we have seen a trend away from PDFs and towards other file forms, such as SilverLight or JAVA – monitoring JAVA for advanced attacks is difficult because JAVA is not a simple file to scan for attacks – it is meant to be interactive, so there is always a lot of activity associated with them, and identifying anomalies takes time.
Would access to a database with threat vectors, their behavior, indicators of compromise, assets coveted by attackers and weaknesses leveraged by threat actors help companies increase protection of their information? How could security companies maintain such a database and what would they benefit from it?
The short answer is: Absolutely!
Threat Intelligence is a booming field, and there are many different ways an organization can purchase and consume threat intelligence. Because it is such a specialized function, most organizations buy threat intelligence from a threat intelligence vendor. Sometimes, these are security companies that provide threat Intel in addition to other services they offer, or sometimes it is the only service they offer. One model is not necessarily better than the other – the bottom line is that the more that is known about attackers motives and methods, the better you can defend your own assets.
Everyone maintains their information differently, but for examples of what that might look like check out the CERT or SANS sites. The key is to make sure the information is presented in a way that organizations can understand and apply on a daily basis.
In fact, one huge advantage the bad guys have over the good guys is that they are way more likely and willing to share intelligence with each other. Security vendors tend to covet threat intelligence because they consider it their IP. That gut response on the part of security vendors to protect their IP results in a lack of information sharing across the industry that makes defense harder. 9/11 is a worst-case scenario of what can result from that sort of culture. We believe very strongly that the more information an organization has, the better decisions they can make. We are willing to share our threat intelligence with our technology partners. In fact, we have automated that capacity into our product.
How fast are security products becoming outdated, and what would be the solution for companies to keep the pace with the new technology and mitigating the occurring risks?
Technology is not necessarily becoming outdated – firewalls are still the biggest spend in security and they are more than 20 years old. The challenge security professionals face is that the threat landscape is evolving so quickly that it is difficult to know what new technologies are required to stay current.
Knowing that there is money to be made, cyber crime has attracted a new class of skilled criminals that are writing new and better attacks. As new technologies and applications are deployed, those become new targets.
It’s a lot to keep up with, and just as attacks innovate along with the tech industry in general, so does prevention. IT security departments must keep up with the state of the art.
For example, Intrusion Detection Systems (IDS) were once considered state of the art for detecting breaches. Then IDS systems evolved to include automated remediation, which became known as Intrusion Prevention Systems (IPS), which then replaced IDS as state of the art. Now APTs are a big deal, and there are specialized sets of solutions that deal specifically with APTs. So a company that might have already invested millions in its security infrastructure will still need to make additional investments in order to keep their defenses up to date.
It doesn’t mean their existing infrastructure is obsolete – just that they need to be augmented.