Host-based Active Defense: Proactive Security for Today’s Advanced Threats
Melissa Stevens | MELISSAS@US.IBM.COM
This post is written by Nick Harlow, Product Manager - Server Security and Security Content Analysis for IBM Security. Connect with Nick on Twitter.
The information security landscape has changed significantly in recent years. Whereas yesterday’s attacker was likely to be a curious prankster, breaching systems for fun or relatively harmless mischief, today’s malicious attacker is more likely to be allied with organized criminal conspiracies or even nation states engaged in cyber-warfare, specifically targeting certain organizations in order to steal valuable data or disrupt operations through deliberate sabotage.
While yesterday’s attacks were typically easy to detect and block because they used known malware or non-standard ports to compromise a system, today’s attacks are cleverly hidden and multiplexed in legitimate network traffic streams. The most advanced threats even exploit unknown software vulnerabilities with customized malware that is undetectable by today’s anti-malware solutions.
In addition to these technically sophisticated techniques, attackers can leverage the information available in popular social networks, such as LinkedIn and Facebook, to target specific individuals in an organization. Armed with this information, attackers send legitimate-seeming e-mails that actually trick the user into clicking a malicious link or opening an attachment with a malicious payload without their knowledge. Once inside the organization’s network, the attacker’s custom malware can lie in wait, gathering information about the environment in order to determine the points of greatest vulnerability.
Traditional passive host-based countermeasures, which include signature-based anti-malware and packet-filtering firewalls, are no longer effective against today’s advanced threats. For example, firewalls can detect unwanted traffic, opening and closing ports as needed. However, as previously described, malicious attackers blend their attack traffic into otherwise legitimate traffic streams. Web application attacks, for example, are often blended with legitimate HTTP traffic over port 80, the standard port for web servers. A firewall will not detect or stop these malicious packets from entering the internal network.
Similarly, many advanced threats take advantage of undisclosed software vulnerabilities, otherwise known as zero-day vulnerabilities. Often attackers will write custom exploits for these vulnerabilities. Because the vulnerabilities are unknown, anti-malware vendors will not have seen the exploit code before, so malware databases will contain no signature for these exploits, rendering them undetectable.
These traditional passive security mechanisms are still useful for known threats and blocking low-level attacks. However, today’s advanced emerging threats require a more active approach to security. Deep-packet inspection of all network traffic with up-to-date threat intelligence can help to reveal potential threats that firewalls and anti-malware miss. Network traffic inspection helps to provide the one critical element for responding to advanced threats: visibility.
Without comprehensive visibility, it is difficult to mount an active defense against today’s sophisticated attackers. It is important to maintain visibility at all levels of the IT environment, not just at the organization’s network perimeter. Many of today’s most effective and devastating attacks target vulnerable web applications or target vulnerabilities in common client-side applications; inspecting network traffic into these systems is critical to stopping these attacks.
Similarly, monitoring critical operating system components can quickly reveal evidence of a security threat. Many zero-day attacks rely on compromising the OS in a way that is not immediately obvious, but detectable if a monitoring solution can compare settings against a known-valid baseline. Security practitioners should extend this type of monitoring to the file system and application layer as well. Visibility of the file system and applications on the system will allow organizations to monitor their critical data for unauthorized changes and to prevent the installation of unapproved, potentially dangerous software.
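The baseline comparison described above can be sketched as follows. This is an added example, not code from the original post or from any IBM product; the function names `snapshot`, `compare` and `demo` are hypothetical, and the sample tree is constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to (SHA-256 hex digest, permission bits)."""
    state = {}
    for path in Path(root).rglob("*"):
        info = path.lstat()
        if stat.S_ISREG(info.st_mode):  # ignore directories, symlinks, devices
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (digest, stat.S_IMODE(info.st_mode))
    return state

def compare(baseline, current):
    """Return sorted (path, finding) pairs for every deviation from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))  # file not in the approved baseline
        elif new is None:
            findings.append((path, "removed"))
        else:
            if old[0] != new[0]:
                findings.append((path, "content changed"))
            if old[1] != new[1]:
                findings.append((path, "mode changed"))
    return findings

def demo():
    """Constructed sample tree: record a baseline, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc/app.conf").write_text("debug=0\n")
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
        (root / "run.sh").write_text("#!/bin/sh\n")
        (root / "run.sh").chmod(0o750)
        baseline = snapshot(root)
        (root / "etc/app.conf").write_text("debug=1\n")  # content edit
        (root / "etc/hosts").unlink()                    # deletion
        (root / "dropped.bin").write_text("x")           # unapproved file
        (root / "run.sh").chmod(0o777)                   # permission change
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored where the monitored host cannot rewrite it; otherwise an intruder who alters a file can alter the recorded digest as well.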
Instrumenting the environment with mechanisms to provide visibility solves one challenge and creates another. All of this monitoring and inspection will produce a lot of security event data across systems, applications, and domains. This data will be overwhelming and of limited use unless security administrators can extract timely, actionable insights from it. A comprehensive threat management system will include a component that can collect, organize, and automatically analyze the large volume of data, highlighting the key problem areas. Ideally, this component can recommend immediate actions to help mitigate risks and stop active threats in their tracks.
Left unchecked, these threats can cause loss or theft of sensitive, proprietary data, disruption of operations, loss of revenue and customers, and irreparable damage to an organization’s reputation and future prospects. In heavily regulated industries, security breaches can also result in penalties and fines. Passive security mechanisms such as firewalls and anti-malware, though still valuable tools, are no longer sufficient to counter these threats. Combining these technologies with active inspection, monitoring, and security intelligence technologies gives organizations the tools, visibility, and insight to combat the most serious IT security threats.