Signature-based security obsolete
The use of signature-based end-point security solutions is obsolete.
So said John McCormack, CEO of Websense, when addressing the ITWeb Security Summit at the Sandton Convention Centre this morning.
According to McCormack, in order to mitigate the risks posed by today's complex threat environment, organisations must adopt an architectural approach to security.
"Every generation of technology that we have moved to has brought with it new cyber security challenges," said McCormack.
He explained that the move towards the Internet of things is presenting more challenges. "If we can't keep a simple credit card safe; what about the data from the Internet of things? All that data from the Internet of things will be useful to cyber criminals."
Citing a recent study, McCormack said 57% of the respondents revealed that they are not protected from advanced cyber attacks; 63% can't stop theft of corporate information; and 74% don't trust their security program.
To better understand how an attacker translates motivations into methods, one must understand the apparatus that they create in order to launch and re-launch their campaigns, he pointed out.
The kill chain
To this end, the "kill chain" - a set of activities executed by cyber criminals to penetrate organisations, expand their footprint within these compromised networks, and steal valuable data - is a useful model, he explained.
McCormack said the kill chain can be segmented into seven stages to help organisations determine the most effective defence strategies. These seven stages are reconnaissance, lure, redirect, exploit kit, dropper file, call home and data theft.
"It's crucial to understand that attackers are using sophisticated techniques to bypass defences at any or all of the seven stages, and that the further an attack progresses along the threat life cycle, the greater the risk of data theft."
During the first stage, cyber criminals research their intended victims using personal, professional and social media Web sites and other public-facing content.
For luring victims, he stated that cyber crooks make use of techniques such as social engineering, watering hole attacks as well as spam. To counter these, McCormack urged organisations to drive user education.
He also noted that in their lures, cyber criminals may use links that point users to safe-looking or hidden Web pages that then "redirect" users to sites containing exploit kits, exploit code, obfuscated scripts or other malicious content.
Cyber criminals use "redirects" not only to obscure their identity, but also to hide the attack apparatus from those who could create defences, McCormack revealed.
He believes that defences with real-time awareness of both Web page reputation and redirect destination are critical for defending against this stage of attacks, because traditional, basic URL filtering defences, based on outdated signatures, are ineffective.
He added that once a user has clicked on a link to a compromised Web site, software known as an exploit kit scans the victim's system to find known and zero-day vulnerabilities.
During this stage, cyber criminals seek weaknesses that can become open doors for delivering malware; they also seek to bypass static defences by adapting their exploits and keeping ahead of the latest security updates, he explained.
"It's therefore critical to understand how variations of those exploit kits are made to create opportunities to programmatically intercept all variations of those kits," he advised.
Describing dropper file, he said it is the object that, once delivered and installed on a system or endpoint, enables the attacker to persist and advance an attack.
Because traditional static defences on their own are inadequate to address security at this stage, and due to the increase in sandbox evasion techniques, the best, most proactive defence strategy is a combination of activities, said McCormack.
These can include real-time defences that enable the identification of current behaviour markers, delivery mechanisms, and content around the object, he stated.
Once the dropper file infects the target system, it "calls home" to a command and control (C&C) server to download additional programs, tools or instructions, McCormack explained.
To combat C&C communications, it's important to scan outbound communications, monitor both SSL/TLS and non-SSL/TLS traffic, and have destination-aware defences - all features lacking in traditional security products, he urged.
"The end-game of most modern cyber attacks is the theft or destruction of data," said McCormack. "Cyber criminals steal intellectual property, personally identifiable information or other valuable data for financial gain, for use in other attacks or sometimes to destroy."
He is of the view that the best techniques for catching these attempts exist in a full data theft prevention solution, and include scanning outbound content for proprietary material; scanning images with OCR technology; and using "data drip protection" technology.