Most cyber threats originate from outside networks and exploit known vulnerabilities.

Organisations have traditionally responded to these attacks with conventional security methods, such as anti-virus, firewall and IPS solutions. However, more recent and sophisticated cyber attacks have targeted organisations by injecting malware or malicious files into the web applications or e-mail used by employees.

This final blog post from our three-part series discusses a smarter approach to defending against these threats.

One thing is common to all advanced persistent threat (APT) attack scenarios: although the methods are diverse, all are triggered by malware. The attack begins when malware is delivered past conventional security solutions that are unable to identify unknown or variant code.

Because of this type of sophisticated attack, many organisations remain vulnerable to APTs. There is no magic bullet to protect against APTs. Protection requires diligence, intelligence and a constant proactive effort.

Understanding that protection

Some APT response solutions emphasise signature-less analysis. This approach is based on the idea that APT attacks use unknown code that renders signature-based solutions useless.

However, most of the files flowing into the enterprise network are either normal files or malicious files that use known codes. Furthermore, up to half of APTs utilise known malware, which means that signature-based malware detection technologies are useful for detecting a large volume of malicious activity, without needing to use more sophisticated analytical techniques. Stopping the remainder requires a sophisticated solution.

There is a logical order that makes the best use of resources to identify and stop threats, both known and unknown. Signature-based analysis should be done first and then be followed up with other technologies, such as behaviour-based analysis. Additional static and dynamic analysis is best performed in the cloud.

Behaviour-based analysis in a virtual machine (VM) environment has some limitations. These limitations include the CPU and memory load required to analyse a large number of files. By identifying known malware with a blacklist and normal files with a whitelist, you only need to use the VM environment to detect unknown or variant malware.

This technique minimises unnecessary analysis processes. This helps maximise appliance performance.

Performing multi-dimensional behaviour analysis  

An APT begins with cyber criminals gaining access through a single endpoint. Even with fully patched machines, attackers are getting in by using zero-day attacks. Layered security is still needed, but now you must look to new forms of malware analysis. Malware analysis involves both static and dynamic techniques.

Static analysis requires malware experts to spend a fair amount of time evaluating files. Dynamic analysis, on the other hand, requires very little time to uncover changes in the operating system, such as network behaviour, registry alteration or file system alteration.

False positives or false negatives can occur with dynamic analysis, but most APT response solutions employ dynamic analysis because it provides quick results. Furthermore, dynamic analysis offers a means of identifying malicious characteristics of unknown or variant codes in a VM environment that is not available with signature-based solutions.

Correlation and reputation

All aspects related to file execution must be considered when analysing behaviour. The results of the behaviour analysis have to be used in combination with signature-based analysis. Additional information about the associated files is reviewed, including malicious characteristics, the risk level of the URLs or IP addresses that the file connects to, reputation information, and comprehensive behaviour patterns.

The reputation-analysis method uses contextual information, such as source and collection time and the number of file users, to analyse both the sample file and associated files.

This analysis technique has an important role in detecting targeted attacks that use new or unknown code because it allows for a more fundamental response. An effective solution should not automatically flag a file as malicious just because suspicious behaviour is found in the behaviour-analysis results. Instead, this differentiation minimises false positives and false negatives by also considering the reputation-analysis results.
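The ordering and correlation described above (blacklist and whitelist lookups first, VM analysis only for unknown files, then a behaviour result weighed against reputation context), as an added example that is not AhnLab's code. The hash sets, the 0-100 behaviour score, the weights and thresholds, and the field names are all assumptions made for illustration.

```python
import hashlib
from typing import NamedTuple

# Constructed sample data standing in for real signature and allow-list feeds.
BLACKLIST = {hashlib.sha256(b"constructed-known-malware").hexdigest()}
WHITELIST = {hashlib.sha256(b"constructed-normal-file").hexdigest()}

class Reputation(NamedTuple):
    """Contextual information named in the text (field names are assumptions)."""
    trusted_source: bool  # where the file came from
    age_days: int         # time since the file was first collected
    user_count: int       # how many users hold the same file

def triage(content: bytes) -> str:
    """Stage 1: cheap hash lookups decide whether the VM is needed at all."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in BLACKLIST:
        return "block"
    if digest in WHITELIST:
        return "allow"
    return "sandbox"  # unknown or variant: only these reach the VM

def verdict(behaviour_score: int, rep: Reputation) -> str:
    """Stage 2: suspicious behaviour alone does not convict a file."""
    rep_score = ((30 if rep.trusted_source else 0)
                 + (30 if rep.age_days >= 30 else 0)
                 + (40 if rep.user_count >= 100 else 0))
    if behaviour_score >= 70 and rep_score < 40:
        return "malicious"   # suspicious behaviour and no reputation
    if behaviour_score >= 70:
        return "suspicious"  # long-seen, widely used file: send to review
    return "clean" if rep_score >= 40 else "monitor"

def analyse(content: bytes, behaviour_score: int, rep: Reputation) -> str:
    """Full pipeline; behaviour_score is ignored unless the VM stage runs."""
    stage = triage(content)
    return verdict(behaviour_score, rep) if stage == "sandbox" else stage

def sandbox_load(samples: list) -> int:
    """Number of samples that actually cost VM time."""
    return sum(triage(s) == "sandbox" for s in samples)
```

The same high behaviour score yields "malicious" for a brand-new file seen by one user and "suspicious" for a file with established reputation, which is the false-positive control the text describes.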


Dynamic intelligent content analysis

The most important feature of a targeted attack is that a web browser, plug-in, or application such as a text editor is used to enable the attack. Not long ago, an attacker could damage a victim easily by attaching malware directly to an email or redirecting the victim to a malicious URL.

However, this type of attack is no longer as effective because of built-in security functions in web browsers and e-mail client programs. As a result, attackers have focused their attention on non-executable files such as documents. Enticing a victim to open a .pdf or .doc file that contains shellcode has a higher probability of success.

Looking at the overall picture

The frequency of APT attacks has been increasing sharply over the last few years. The techniques have evolved, and the targets have become wider in scope. Previously, APT attacks mainly aimed to steal confidential information. However, some of the more recent attacks have attempted to inflict serious damage on governmental agencies and critical infrastructures.

Despite these escalating threats, most organisations continue to respond with conventional security solutions, such as anti-virus solutions, intrusion detection/prevention systems, firewalls, next-generation firewalls, and web application firewalls.

These organisations are limited by the time required to perform multidimensional threat analysis, the inability of these devices to perform this analysis, and the lack of an automated response to identified threats.

Tom Hance is vice president of operations at AhnLab