The rate and sophistication of malicious software ("malware") attacks continue to outpace the capacity of large institutions to defend themselves. According to the latest figures from leading anti-virus (AV) software vendors, well over 30 MILLION individual pieces of malicious code were analyzed in 2010.
Today's most dangerous online threats to businesses are designed to steal their sensitive data. They are most often purpose-built, network-specific malware that combine stealth, precision, and social engineering to both penetrate a company's perimeter and compromise systems without detection.
These so-called Advanced Persistent Threats (APT) describe a new class of custom malware designed to carry out stealth missions on specific corporate and classified networks. APT are highly sophisticated attacks which exploit user trust or system vulnerabilities to penetrate IT defenses and complete a mission undetected from inside the network, ranging from data theft to outright system destruction (e.g. Stuxnet). Confirmed APT breaches have run the gamut of organizations with highly competitive and proprietary information: manufacturing; high tech; oil & gas; financial; pharmaceutical; critical infrastructure and public utilities; and, of course, military & government networks.
What are Advanced Persistent Threats?
APT attacks are designed to complete a specific mission
- Use custom-made malware ("zero day") which exploits technical vulnerabilities and/or user deception (social engineering) to compromise a machine and penetrate a specific network
- APT code is not prevalent enough for AV and IPS vendors to deploy a signature
- APT can be used to steal information or as a weapon
APT can compromise machines via different vectors
- Infected website; O/S or application vulnerability; infected USB; targeted social engineering (e.g. "spear phishing"); DNS poisoning; etc.
APT are designed to gain privileged administrator credentials
- Allows an "outsider" to become a privileged insider
- This creates a stealth "WikiLeaks"-type risk, but with the ability to evolve, obfuscate, and communicate securely with an external "master"
A single APT attack can include multiple payloads, each with its own "objective", to complete a mission:
- Launch a coordinated stealth operation from inside the network until the mission is accomplished
- A mission may last a day...or a year
- APT code is often designed to erase itself and/or only exist in memory to hamper post-incident investigations
APT Requires Defense-in-Depth
The most effective defense against APT attacks requires a unified and layered security approach that creates "air gaps" at different stages of an attack which challenge the malware's adaptability and stealth in ways it was not designed to circumvent. Digital Guardian is a data-centric technology platform for Enterprise Information Protection (EIP) that integrates endpoint and network agents into a coordinated and multi-layered sentry to detect and stop one-off malware designed to steal a particular company's sensitive data.
Digital Guardian uses several policy-based technologies to detect and stop a potential attack, even if the code or methodology has not been previously seen "in the wild". As workstations are often the most vulnerable entry points for APT, Digital Guardian endpoint agents use a powerful combination of technologies which provide early warning and data-level access controls to thwart APT at first contact. These capabilities include advanced memory scanning and forensics to detect and alert users and security managers to suspicious obfuscated activities at the system memory and kernel levels; identity-based file encryption to prevent unauthorized users from accessing sensitive files; and application monitoring, alerting and blocking to identify and block the launch of dangerous executables.
Digital Guardian network agents also provide session-level analysis of incoming and outgoing traffic to detect suspicious activities. As APT attacks often use obfuscation, encrypted messaging, and vulnerabilities to pass by perimeter defenses, Digital Guardian network agents provide deep session inspection at line speed across all ports and protocols that can detect and block events like connections from suspicious IP addresses, encrypted traffic, application port-hopping, and can deconstruct payloads to see embedded content (e.g. JavaScript within a PDF file) which could be used as an attack vector.
Digital Guardian provides a comprehensive and integrated defense-in-depth security model for APT. Its network and endpoint agents detect abnormal events by correlating endpoint and network policy alerts with other suspicious activities, giving an enterprise-wide overview of threatening activity that can be monitored and mitigated from a common management interface. When an APT event is confirmed, Digital Guardian agents can then enforce data-level policy autonomously at different stages of an attack, inside or outside the network.
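As an added example of the correlation idea in the paragraph above (endpoint and network alerts on the same host, close together in time, being far more significant than either alone), the following is illustrative code written for this page, not Digital Guardian's product or its log format. The alert lines, alert names, time window and weights are all constructed assumptions.

```python
"""Correlate endpoint and network policy alerts per host within a time window.

Example code added for this page; the alert format, names and weights are
constructed and do not reflect any vendor's actual output or scoring.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample alert lines: "<ISO timestamp> <source> <host> <alert>"
SAMPLE_ALERTS = """\
2024-01-10T09:00:05 endpoint ws-17 memory_scan:injected_code
2024-01-10T09:00:40 endpoint ws-17 app_control:unsigned_exe_launch
2024-01-10T09:01:10 network ws-17 session:encrypted_to_unknown_ip
2024-01-10T11:30:00 endpoint ws-22 app_control:unsigned_exe_launch
2024-01-10T14:00:00 network ws-22 session:port_hopping
2024-01-10T15:00:00 network ws-31 session:port_hopping
this line is malformed and must be skipped
"""

# Illustrative weights; unknown alert names count 1.
WEIGHTS = {
    "memory_scan:injected_code": 3,
    "app_control:unsigned_exe_launch": 2,
    "session:encrypted_to_unknown_ip": 2,
    "session:port_hopping": 2,
}


def parse_alerts(text: str) -> List[dict]:
    """Parse one alert per line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("endpoint", "network"):
            continue
        ts, source, host, alert = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"time": when, "source": source,
                        "host": host, "alert": alert})
    return records


def correlate(records: List[dict],
              window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Return hosts where an endpoint alert and a network alert fall within `window`.

    A lone endpoint or network alert is noise-prone; the coincidence of both on
    the same host inside a short window is what gets escalated as an incident.
    """
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)

    incidents = {}
    for host, events in by_host.items():
        endpoint = [e for e in events if e["source"] == "endpoint"]
        network = [e for e in events if e["source"] == "network"]
        matched = set()
        for e in endpoint:
            for n in network:
                if abs(n["time"] - e["time"]) <= window:
                    matched.add((e["time"], e["source"], e["alert"]))
                    matched.add((n["time"], n["source"], n["alert"]))
        if matched:
            ordered = sorted(matched)
            incidents[host] = {
                "score": sum(WEIGHTS.get(a, 1) for _, _, a in ordered),
                "first_seen": ordered[0][0],
                "last_seen": ordered[-1][0],
                "alerts": [a for _, _, a in ordered],
            }
    return incidents


if __name__ == "__main__":
    for host, inc in correlate(parse_alerts(SAMPLE_ALERTS)).items():
        print(host, inc["score"], inc["alerts"])
```

With the five-minute window only ws-17 is escalated: its memory-scan and application-control alerts are followed within a minute by an encrypted session to an unknown address. ws-22 has both kinds of alert but hours apart, and ws-31 has only a network alert, so neither is escalated; widening the window to three hours pulls ws-22 in, which is the usual tuning trade-off between missed slow attacks and false correlations.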