New rules for combating new threats

Opinion by Colin Tankard

Today's security attacks are more insidious than they used to be. They use a combination of techniques and are aimed at achieving a particular result, such as stealing information that can be used for financial gain.

The term APT (advanced persistent threat) has come into use to describe new types of attacks that are characterised by their use of multiple techniques and the sophisticated way that they attempt to fly under the radar to avoid detection, so that they can be used over the longer term. Many include a communications module that makes contact with a command and control server to exfiltrate data. 

Security threats seen today are increasingly specialised, specifically targeting high-value individuals and systems that access sensitive, confidential or proprietary data.

Traditional defence mechanisms are no longer sufficient against complex threats that blend several attack vectors and deploy zero-day exploits, often combined with social engineering. Most traditional security controls look at specific systems in isolation, or at a particular set of vulnerabilities. Controls such as anti-malware and intrusion detection and prevention systems (IDPS) that rely on databases of signatures of known threats can only match what has already been seen; they do little against determined attackers who have more sophisticated, automated exploits available to them than was previously thought possible, and who will have tested those exploits against the very products they expect to meet.

Organisations need to take a more proactive stance on security to guard against today's complex threats. First, they should map all data in the organisation, looking at what information is available to whom, where and how it is stored and accessed, and what policies apply to its use, processing and storage. This should include the use of encryption for all sensitive data both in transit and at rest, ensuring that all encryption keys are centrally stored and managed in a secure manner.

Access to all data, and especially data considered to be confidential or of high value, should be strongly controlled. Linking the access rights of users or applications to the encryption key of the stored data, so that the key is only released to an authorised principal, is a valuable step in limiting the insider threat. Username and password combinations alone are inherently weak, and stronger authentication methods are now viable for large-scale deployments. However, mapping data and ensuring it remains confidential is not a one-off exercise. Rather, organisations should perform regular audits of their networks and the devices connecting to them, both internally and through the use of external third-party services.

They should also look at updating the security controls that they have in place – anti-virus, IDPS, firewalls, and security monitoring and filtering tools – to those that are capable of defending against advanced malware and zero-day threats. The new generation of tools for defending against malware and intrusions combines techniques such as heuristics and protocol inspection, looking for files and traffic that exhibit behaviour associated with malicious exploits or other anomalies. By detecting behaviour that is not expected of normal system operation, such tools can foil new, previously unseen attacks, affording a much higher level of protection than those based merely on signatures of known threats.

Many of these new tools, as well as next-generation firewalls, provide automated updates of new rules as they become available; the rules determine how the tools handle specific threats, such as blocking an action determined to be malicious. The value of both kinds of tool has been increased considerably by the availability of third-party rule sets that are written for multi-threaded inspection engines, for increased performance, and updated three times a day, unlike others which may only be updated weekly – of little use in this fast-changing market.

An up-to-date, regularly maintained rule base will not only provide protection against the latest known threats, but is also an important part of the evidence needed for compliance with regulations and industry standards, through the audit trail it generates, which can show that the controls are in place and effective. According to technology consultancy Nebulas Security Solutions Group, tuning and updating such rule sets can give organisations as much as a 30 per cent improvement in the performance of such controls.

Technology vendors offering such tools generate new rules through global intelligence networks that combine information made available by their community of users, as well as security researchers who gather, track and report on new exploits as they are seen, including new malware samples and variants, compromised servers and malicious attackers, to provide a dynamic service based on observed behaviour and reputation. For example, if a particular URL is known to be a source of spam or is the command and control centre for a botnet, rules can be generated that enforce a particular action, such as blocking traffic from that source, based on the behaviour identified. 
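The two kinds of rule described above, a reputation rule fed by threat intelligence (a URL or host known to be a spam source or a botnet command and control centre) and a behavioural rule that flags traffic which does not look like normal system operation, can be sketched in a few dozen lines. The following is an added example, not code from the article or from any vendor it mentions. The reputation feed, the hostnames and the proxy log lines are all constructed for the demo; the beaconing heuristic (repeated connections to one destination at near-constant intervals) is one common behavioural indicator of a malware communications module, and the 10 per cent jitter threshold is an assumption chosen for the sample data.

```python
import re
import statistics
from collections import defaultdict

# Constructed reputation feed keyed by hostname. The hosts are hypothetical
# and stand in for a vendor's intelligence network output.
REPUTATION_FEED = {
    "updates.example-c2.test": "botnet command-and-control",
    "mail.spam-relay.test": "spam source",
}

# Constructed proxy log: "<epoch> <src_ip> <dst_host> <bytes_out>" per line.
# 10.0.0.7 talks to an unlisted host every 60 seconds, which no reputation
# feed would catch but which looks nothing like a user browsing.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com 512
1700000010 10.0.0.7 cdn-sync.unknown-host.test 300
1700000015 10.0.0.9 updates.example-c2.test 4096
1700000060 10.0.0.5 intranet.example.com 2048
1700000070 10.0.0.7 cdn-sync.unknown-host.test 300
1700000130 10.0.0.7 cdn-sync.unknown-host.test 300
1700000190 10.0.0.7 cdn-sync.unknown-host.test 300
1700000200 10.0.0.5 mail.spam-relay.test 128
1700000250 10.0.0.5 www.example.com 900
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, nbytes = m.groups()
            yield int(ts), src, dst, int(nbytes)


def reputation_rule(events):
    """Block any flow whose destination appears in the reputation feed."""
    verdicts = {}
    for _, src, dst, _ in events:
        reason = REPUTATION_FEED.get(dst)
        if reason:
            verdicts[(src, dst)] = ("block", f"reputation: {reason}")
    return verdicts


def beacon_rule(events, min_hits=4, max_jitter=0.1):
    """Alert on (src, dst) pairs that connect at near-constant intervals.

    Purely behavioural: at least `min_hits` connections whose inter-arrival
    times deviate from their mean by no more than `max_jitter` (relative).
    """
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        times[(src, dst)].append(ts)
    verdicts = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            verdicts[pair] = ("alert", f"beaconing every ~{mean:.0f}s, {len(stamps)} hits")
    return verdicts


def evaluate(log_text):
    """Apply both rules; a feed-backed block overrides a behavioural alert."""
    events = list(parse_log(log_text))
    verdicts = beacon_rule(events)
    verdicts.update(reputation_rule(events))
    return verdicts


if __name__ == "__main__":
    for (src, dst), (action, why) in sorted(evaluate(SAMPLE_LOG).items()):
        print(f"{action:5} {src} -> {dst}: {why}")
```

The point the sample makes is the one the article argues: the two flows to listed hosts are blocked by the feed alone, but the 60-second beacon from 10.0.0.7 to an unlisted host is caught only by the behavioural rule. In production the jitter threshold and minimum hit count would be tuned against the organisation's own traffic, since software updaters and monitoring agents also poll on fixed schedules.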

Another technique used by many of the new generation of security controls is whitelisting, whereby only applications and files that are known to be trusted and come from a reputable source are allowed to run; anything else is blocked by default. Such an approach is becoming more common in anti-malware controls and is considered superior to the traditional blacklist approach used in most such applications, because a new or repackaged piece of malware is stopped before anyone has written a signature for it. The price is that the list of trusted software must itself be maintained, so legitimate updates do not end up blocked.
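To make the contrast concrete, the following added example (not code from the article or from any product it describes) compares a blocklist and an allowlist decision on the same four constructed "executables". A repacked variant of a known dropper has a new hash and so walks straight past the blocklist, while the allowlist blocks it. The allowlist also accepts a vendor update it has never seen, provided the update carries a valid publisher signature; in this demo an HMAC with a per-publisher secret stands in for the public-key code-signing check a real product would perform, and all file contents, keys and names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample "executables": the bytes stand in for file contents.
TRUSTED_EDITOR_V1 = b"trusted-editor 1.0"
TRUSTED_EDITOR_V2 = b"trusted-editor 1.1"            # vendor update, new hash
KNOWN_DROPPER = b"dropper build 1"
DROPPER_VARIANT = b"dropper build 1, repacked"       # same payload, new bytes

# Demo stand-in for a publisher's code-signing key. A real allowlist would
# verify an asymmetric signature against the publisher's certificate.
PUBLISHER_KEY = b"editor-vendor-signing-key (demo)"


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publisher_sign(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def publisher_verify(data: bytes, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(publisher_sign(data, key), signature)


# Signatures shipped alongside the trusted binaries (constructed). Only the
# vendor's two releases are signed; the droppers carry no signature.
SIGNATURES = {
    file_hash(TRUSTED_EDITOR_V1): publisher_sign(TRUSTED_EDITOR_V1, PUBLISHER_KEY),
    file_hash(TRUSTED_EDITOR_V2): publisher_sign(TRUSTED_EDITOR_V2, PUBLISHER_KEY),
}

# Blocklist: hashes of malware that has already been analysed.
BLOCKLIST = {file_hash(KNOWN_DROPPER)}

# Allowlist: exact hashes approved so far, plus publishers whose signed
# binaries are trusted even when the exact hash is new.
ALLOWLIST_HASHES = {file_hash(TRUSTED_EDITOR_V1)}
TRUSTED_PUBLISHERS = {"editor-vendor": PUBLISHER_KEY}


def blocklist_decision(data: bytes) -> str:
    """Default allow: run anything not known to be bad."""
    return "block" if file_hash(data) in BLOCKLIST else "run"


def allowlist_decision(data: bytes) -> str:
    """Default deny: run only approved hashes or validly signed binaries."""
    h = file_hash(data)
    if h in ALLOWLIST_HASHES:
        return "run"
    signature = SIGNATURES.get(h)
    if signature and any(
        publisher_verify(data, signature, key) for key in TRUSTED_PUBLISHERS.values()
    ):
        return "run"
    return "block"


def compare(samples):
    """Return {name: (blocklist verdict, allowlist verdict)} for each sample."""
    return {
        name: (blocklist_decision(data), allowlist_decision(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    samples = {
        "trusted editor 1.0": TRUSTED_EDITOR_V1,
        "trusted editor 1.1": TRUSTED_EDITOR_V2,
        "known dropper": KNOWN_DROPPER,
        "repacked dropper": DROPPER_VARIANT,
    }
    for name, (bl, al) in compare(samples).items():
        print(f"{name:20} blocklist={bl:5} allowlist={al}")
```

The repacked dropper is the case the article has in mind: a trivial change to the bytes defeats the hash-based blocklist entirely, whereas the allowlist never needed to know about it. The signed-update path is what keeps the allowlist operationally viable; without it every vendor patch would have to be hashed and approved by hand before it could run.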

As well as looking for such capabilities in the new generation of security controls, organisations should ensure that they provide unified protection across the network, for example by combining protection against email-borne and web application threats into one system with central management, so that an attack using several vectors is seen as a whole rather than in pieces. They should also ensure that all activity on the network is monitored, whatever its source. In particular, mobile computing devices are an increasingly attractive target for hackers and malware writers, and should have the same level of control placed on them as any other system connecting to the network.

Today's threat landscape is complex and constantly evolving, but so too are the technologies that afford organisations protection against emerging threats. Security controls used to combat those threats need to be just as dynamic, automatically providing protection against threats as they emerge. Next-generation security controls that look at the behaviour and context of traffic flowing over a network, rather than just identifying exploits that have previously been determined to be malicious, should help organisations battle even the most determined criminals.

Colin Tankard is managing director of Digital Pathways
