Increasing Targeted Cyber Attacks Making Enterprises Move Towards Signature-Less Approach

Date: Monday, July 01, 2013

FireEye is a global network security company that provides automated threat forensics and dynamic malware protection against advanced cyber threats. Founded in 2004, the company is headquartered in Milpitas, California and has raised $85.5 million in various rounds of funding from Sequoia Capital, Norwest Venture Partners, DAG Ventures, Juniper Networks and several other investors.

The global cyber security situation has reached a tipping point, where the volume and frequency of attacks penetrating an organization’s perimeter are causing IT administrators around the world to question the effectiveness of their existing security architecture. This is despite organizations having deployed traditional signature-based defenses such as firewalls, intrusion prevention and anti-virus systems, to name a few. Security technologies considered state-of-the-art three years ago are quickly becoming inadequate given the changes in the cyber threat landscape. The result is that the cyber security industry is being redefined in a big way by new technologies and players.


New Breed of Multi-Stage Cyber Attacks

The biggest change in the cyber-attack model over the last couple of years is shown by the phenomenal success of the targeted attack. Just in the first four months of 2013, attacks have compromised the systems and networks at large banks, a popular social network site and a few well-known technology companies, each of which was targeted and not a victim of a random, widespread attack.

Next-generation threats are complex, cutting across multiple attack vectors to maximize the chances of breaking through network defenses. Multi-vector attacks are typically delivered via the Web or email. They leverage application or operating system vulnerabilities, exploiting the inability of conventional network-protection mechanisms to provide a unified defense. In addition to using multiple vectors, advanced targeted attacks also utilize multiple stages to penetrate a network and then extract the valued information. This makes it far more likely for attacks to go undetected. The five stages of the advanced attack lifecycle are as follows:


Stage 1:

System exploitation: The attacker sets up the first stage by exploiting the system, often using “drive-by attacks” during casual browsing. It is frequently a blended attack delivered across the Web or email threat vectors, with the email containing malicious URLs.


Stage 2:

Malware executable payloads are downloaded and long-term control established: A single exploit translates into dozens of infections on the same system. With exploitation successful, more malware executables—key loggers, Trojan backdoors, password crackers, and file grabbers—are then downloaded. This means that criminals have now built long-term control mechanisms into the system.


Stage 3:

Malware calls back: As soon as the malware installs, attackers have completed the first step towards establishing a control point from within organizational defenses. Once in place, the malware calls back to criminal servers for further instructions. The malware can also replicate and disguise itself to avoid scans, turn off anti-virus scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. Because the callbacks originate from within the trusted network, malware communications are allowed through the firewall and traverse all the different layers of the network.


Stage 4:

Data exfiltration: Data acquired from infected servers is exfiltrated via encrypted files over a commonly allowed protocol, such as FTP or HTTP, to an external compromised server controlled by the criminal.


Stage 5:

Malware spreads laterally: The criminal works to move beyond the single system and establish long-term control within the network. The advanced malware looks for mapped drives on infected laptops and desktops, and can then spread laterally and deeper into network file shares. The malware will conduct reconnaissance: it will map out the network infrastructure, determine key assets, and establish a network foothold on target servers.


Traditional vs. Next-Gen Security Technologies

Traditional security technologies, whether a firewall, anti-virus or intrusion prevention system, require prior knowledge about an attack before they can offer preventive measures. While most legacy security companies claim proactive protection, it is minimal at best. The real effectiveness of legacy solutions comes from “known” attacks, for which some type of signature is available. They fail to prevent the vast majority of targeted zero-day or “unknown” attacks, and in recent times they have acknowledged this limitation. Given the sophisticated methods of targeted infiltration, it is not possible for any security system to obtain a signature of an advanced attack beforehand. Such attacks use approaches customized to penetrate a target organization, and by their very nature, samples are not available to create signatures before the attack. This is borne out almost weekly by the various publicized attacks that catch even sophisticated IT security professionals off guard.

This fundamental change in the threat pattern has redefined the security landscape and allowed new players to set a revised benchmark for protecting enterprises. The next generation of security technologies does not rely on signatures; instead it uses virtual execution models across multiple vectors to identify malware with a high degree of accuracy even in the case of a previously unknown attack. The more sophisticated next-generation security products provide bi-directional protection across multiple stages of an attack by identifying communication and data exfiltration out of the enterprise network to a malicious command and control server.
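As an added illustration (not code from the original article or from FireEye), the following script shows the point made in Stage 3 and in the section above: a signature lookup over egress logs catches only destinations already on a block list, while a behavioural check on callback regularity flags an unknown command and control host. The log format, IP addresses, hostnames and block list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress proxy log, one event per line: "<timestamp> <src_ip> <dst_host>".
# 10.0.0.5 browses irregularly but also calls back to one host roughly every 60 s.
LOG_LINES = """\
2013-06-30T09:00:00 10.0.0.5 unknown-c2.invalid
2013-06-30T09:00:07 10.0.0.5 www.example.com
2013-06-30T09:00:31 10.0.0.5 www.example.com
2013-06-30T09:01:02 10.0.0.5 unknown-c2.invalid
2013-06-30T09:01:59 10.0.0.5 unknown-c2.invalid
2013-06-30T09:02:45 10.0.0.5 www.example.com
2013-06-30T09:03:01 10.0.0.5 unknown-c2.invalid
2013-06-30T09:03:10 10.0.0.5 www.example.com
2013-06-30T09:03:40 10.0.0.9 known-bad.invalid
2013-06-30T09:04:00 10.0.0.5 unknown-c2.invalid
"""

# Hypothetical signature feed: only hosts already seen in earlier attacks.
BLOCKLIST = {"known-bad.invalid"}

def parse_log(text):
    """Turn the constructed log text into (timestamp, src_ip, dst_host) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events

def signature_hits(events, blocklist=BLOCKLIST):
    """Legacy check: flags only destinations that are already in the feed."""
    return {(src, dst) for _, src, dst in events if dst in blocklist}

def beacon_candidates(events, min_count=4, max_jitter=0.2):
    """Behavioural check: flags (src, dst) pairs contacted at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:  # regular callbacks, unlike human browsing
            found[pair] = {"count": len(stamps), "mean_interval": avg, "jitter": jitter}
    return found

if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    print("signature hits:", signature_hits(evs))
    print("beacon candidates:", beacon_candidates(evs))
```

The browsing host pair has enough events to be evaluated but its intervals vary too much to be flagged, while the callback host is flagged without any prior signature.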


Conclusion

The threat landscape has gone through a paradigm shift in the last couple of years. Nuisance attacks have been replaced by infiltration for gain. Widespread attacks on millions of computers have given way to targeted attacks. Multi-stage attacks are the new weapon of choice for high-value exfiltration. The value proposition of defending only against known attacks clearly falls short of the need of the hour. In the not too distant future, signature-based security technologies will only supplement the more innovative real-time virtual execution model that provides protection against known and unknown threats.