Security Empowers Business
EXPLORING ADVANCED THREATS
Advanced Threat Protection (ATP) Essentials, Part 1
Introduction
Virtually every article, blog, or white paper about cyber security begins the same way: by trying to scare the living daylights out of you. Horrifying statistics, alarming news reports – we’re sure you’ve seen them.
Here’s the thing: when you really take a hard look at today’s security threats and vulnerabilities, even the new breed of advanced threats, you start to see that security isn’t only about preparing for the worst. Security is also about empowerment. When you know enough to implement the right security the right way, security instills confidence, creates opportunities, and opens doors to new possibilities.
We’ve written this series of papers to help you see advanced threats in a whole new light. Because the more you understand about advanced threat protection, the more you’ll understand how it can empower your business.
In this paper, we present the basics about advanced threats: what they are, how they differ from traditional threats, where they originate, and how they can impact your business. Then in the next two papers, we take a closer look at how best to mitigate the threats – and how to get started putting an effective business empowerment solution in place.
Contrasting Basic and Advanced Threats
The following are key characteristics of basic and advanced cyber threats:
• Basic or “mass-market” threats are the ones everyone should be blocking. They’re the known threats against known operating system (OS) or application-level vulnerabilities. They are commonly detected by traditional signature-based network- and endpoint-security defenses, including intrusion prevention systems (IPSs), secure web and e-mail gateways, and antivirus platforms.
• Advanced threats are unknown threats against unknown OS or application-level vulnerabilities. They can’t be detected by traditional signature-based defenses.
Advanced threats are far more difficult to detect. Traditional security defenses that rely on pattern-matching signatures are useless against them. Now it’s important to point out – traditional defenses such as firewalls, IPSs, and secure web and e-mail gateways are your front line in a defense-in-depth (layered defense) strategy. But you can’t rely on these exclusively for detecting today’s advanced threats.
Basic Threats: Oldies but Baddies
The mass-market cyberattacks described in this section are largely mitigated by traditional network and endpoint security solutions. Yet we keep seeing them over and over again – because users still fail to take them seriously and protect against them. So reacquaint yourself, because left unchecked any of these could be your downfall.
Worms, Trojans, and viruses
A computer worm is malware that exploits the vulnerabilities of a computer’s OS (such as Microsoft
amounts of bandwidth, causing degradations in network performance. Unlike a virus, a worm doesn’t attach itself to computer programs or files.
A Trojan (or Trojan horse) is malware disguised as a legitimate application to trick a user into installing it on a computer. Unlike worms, Trojans can’t propagate to other computers on their own. Instead, they join networks of other infected computers (called botnets), wait to receive instructions from the attacker, and then transfer stolen information. Trojans are commonly delivered through social media and spam e-mails; they may also be disguised as installers for games or applications.
A computer virus is malicious code that attaches itself to a program or file so that it can spread from one computer to another, leaving infections as it propagates. Unlike a worm, a virus can’t travel without a human helper – in this case, a user who sends (usually unknowingly) an infected program or file to another user.
Spyware and botnets
Spyware is a form of malware that aggregates user information without the user’s knowledge and forwards it to the perpetrator via the Internet. Sometimes, spyware is employed for the purpose of advertising (in which case it’s called adware and displays pop-up ads). Other times, it’s used to collect confidential information such as usernames, passwords, and credit-card numbers.
A botnet is a group of internet-connected computers on which malware is running (bots). Bots are often used to commit denial-of-service attacks (attacks that overload a server’s processing power), relay spam, steal data, and/or download additional malware to the infected host.
Phishing
Phishing is an attempt to steal confidential information – usernames, passwords, credit-card numbers, Social Security numbers, and so on – via e-mail by masquerading as a legitimate organization. After clicking a seemingly innocent hyperlink in the e-mail, the victim is directed to enter personal information on an imposter website that looks almost identical to the one it’s emulating. And it doesn’t matter what type of device is being used – phishing is device agnostic. In fact, mobile users are sometimes more vulnerable because the smaller screen size may reduce context clues.
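The “seemingly innocent hyperlink” described above usually shows one domain in its visible text while its href leads somewhere else. The following added example (not from the paper; the e-mail body, domain names and heuristics are constructed) flags such anchors in an HTML e-mail so a mail gateway or analyst can review them.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname-looking token inside an anchor's visible text, e.g. "www.examplebank.com".
HOST_IN_TEXT = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Last-two-labels heuristic; a production check would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html):
    """Return (shown_host, real_host) for anchors whose visible text names one
    domain while the href actually points at a different registrable domain."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        real = urlparse(href).hostname or ""
        shown = HOST_IN_TEXT.search(text)
        if shown and real and registrable(shown.group()) != registrable(real):
            flagged.append((shown.group(), real))
    return flagged

# Constructed sample e-mail body: one honest link, one imposter link.
SAMPLE_EMAIL = """
<p>Your statement is ready at <a href="https://www.examplebank.com/">www.examplebank.com</a>.</p>
<p>Verify now: <a href="http://examplebank.com.account-verify.example.net/login">
https://www.examplebank.com/secure</a></p>
"""
```

The second anchor is flagged because its text names examplebank.com while the link resolves to example.net; the first anchor passes because text and destination agree.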
Baiting
Baiting is when a criminal casually drops a USB flash drive or CD-ROM in a public area (perhaps a parking lot or cybercafé) within close proximity of the targeted organization. The media device is labeled with enticing words such as Product Roadmap or Proprietary & Confidential to spark the finder’s interest. When the victim inserts the device into her computer, it installs malware.
Buffer overflows and SQL injections
These two common techniques exploit vulnerabilities in web applications:
• In a buffer overflow attack a hacker knowingly writes more data into a memory buffer than the buffer is designed to hold. Data spills into adjacent memory, causing the application to execute unauthorized code that may grant the hacker administrative privileges or even crash the system.
• In a SQL injection attack, the attacker enters SQL statements into a web form in an attempt to pass an unauthorized SQL command to the database. If successful, the attack can give its perpetrator full access to database content such as credit-card numbers, Social Security numbers, and passwords.
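To make the SQL injection bullet concrete, here is an added example (not from the paper; the table and the input are constructed) that places a vulnerable string-spliced query beside its parameterized fix, using Python’s built-in sqlite3 module.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1111"), ("bob", "2222"), ("carol", "3333")])
    return conn

def lookup_vulnerable(conn, username):
    """The form value is spliced into the SQL text, so a quote character in the
    input changes the statement's meaning instead of staying a literal value."""
    sql = ("SELECT username, card_last4 FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    """The driver sends the value separately from the statement; whatever it
    contains is compared as data and is never parsed as SQL."""
    sql = "SELECT username, card_last4 FROM users WHERE username = ? ORDER BY username"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    """Run the same constructed hostile input through both lookups."""
    conn = make_db()
    hostile = "nobody' OR '1'='1"   # turns the WHERE clause into a tautology
    return lookup_vulnerable(conn, hostile), lookup_parameterized(conn, hostile)
```

The vulnerable lookup returns every row (the “full access to database content” the text warns about); the parameterized lookup returns nothing, because no user is literally named `nobody' OR '1'='1`.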
Malnets
A malnet (malware network) employs a distributed network infrastructure in the internet that is purpose built and maintained by cybercriminals to launch a variety of attacks over extended periods of time. Blue Coat estimates that nearly two-thirds of cyberattacks originate from malnets.
Advanced Threats: Emerging Dangers
Now that you’re up to speed on basic threats, let’s explore the advanced threats that are emerging.
Advanced persistent threats
Advanced persistent threats (APTs) – also known as advanced targeted attacks (ATAs) – are multi-vectored (perpetrated through multiple channels) cyberattacks in which an attacker gains unauthorized network access and stays undetected for a long period. The goal is usually data theft. Let’s break down the components of the acronym:
• Advanced: Attackers use a full spectrum of intrusion technologies and techniques, often exploiting unreported vulnerabilities in operating systems and applications.
• Persistent: After a network is breached, the perpetrator operates low and slow to remain undetected until the ultimate target has been identified.
• Threat: The attacker initiates each APT with a specific objective in mind and won’t stop until that objective is achieved.
Zero-day threats
A zero-day threat is a cyberattack on an OS or application vulnerability that’s unknown to the general public. It’s called a zero-day threat because the attack was launched before public awareness of the vulnerability (on day zero).
Polymorphic threats
A polymorphic threat is a cyberattack that continuously changes, making it impossible for traditional signature-based security defenses to detect.
Blended threats
A blended threat employs multiple attack vectors (paths and targets) and multiple types of malware to disguise the attack, confuse security analysts, and increase the likelihood of a successful data breach. Classic examples of blended threats include Conficker, Code Red, and Nimda.
Figure: Time and the Window of Opportunity. Two panels. Initial Attack to Compromise: Seconds 11%, Minutes 13%, Hours 60%, Days 13%, Weeks 2%, Months 1% (84% within hours). Initial Compromise to Discovery: Minutes 1%, Hours 9%, Days 11%, Weeks 12%, Months 62%, Years 4% (78% take weeks or longer).
Insider threats
Not all threats originate outside the network. Some originate within, introduced by two types of users:
• Malicious users: These users may consist of ill-intentioned contractors, disgruntled employees, or even criminals who use social engineering techniques to gain physical access to the network after being admitted to the building by a negligent receptionist.
• Unknowing employees: Even well-intentioned employees may bring malware-infected laptops and mobile devices into the office after surfing the web at home over the weekend.
Know Thy Enemy
It’s not enough just to know what kind of cyberthreats you face. You also need to know the sources and goals of those threats. Here’s some insight into potential attackers – and potential attacks.
Types of attackers
Today’s cyber-attackers fall into three broad categories: cybercriminals, state-sponsored hackers, and hacktivists.
Cybercriminals
As the name suggests, cybercriminals hack for profit. They penetrate a company’s network security defenses in an attempt to steal something valuable (such as credit-card numbers) and sell it on the black market. Today, cybercrime is a multibillion-dollar industry.
State-sponsored hackers
Cyber-attacks committed by nations against foreign corporations and governments are perpetrated by state-sponsored hackers – people who hack for a paycheck with the objective of compromising data, sabotaging systems, or even committing cyber warfare.
Hacktivists
Hacktivists are computer hackers driven by political ideology. Typical attacks include website defacements, redirects, information theft and exposure, and denial-of-service attacks.
DATA BREACHES BY THE NUMBERS
In 2013, Verizon analyzed 621 data-breach incidents that occurred in 2012, resulting in 44 million compromised records, and came up with the following interesting statistics:
• 40 percent incorporated malware
• 52 percent involved some form of hacking
• 78 percent took weeks, months or years to discover
• 84 percent compromised their targets in seconds, minutes, or hours
• 69 percent were discovered by a third party
• 92 percent were perpetrated by outsiders
• 95 percent of state-affiliated attacks employed phishing
You can download the full report at www.verizonenterprise.com/DBIR/2013
Hidden Costs of a Breach
The true costs of a breach are difficult to quantify and are often underreported as they’re spread across many areas, including both hard-dollar and soft-dollar costs such as:
• Investigation and forensics costs
• Customer and partner communication costs
• Public relations costs
• Lost revenue due to damaged reputation
• Regulatory fines and civil claims
• Opportunity costs and missed sales due to outages
How to Fight Back against Advanced Targeted Attacks
Security defenses have traditionally been built with standalone products that protect against known threats. But with today’s increasingly sophisticated hackers and advanced threats, that’s no longer enough.
What’s needed is a way to get the silos of security solutions working together, sharing intelligence and analysis so that they can adapt, scale, and extend protection to unknown threats as well. What’s needed is a lifecycle approach to implementing a complete, multi-layered defense. And it would look something like the diagram below (we’ll discuss specific products that implement the lifecycle defense in Part 2 of this white paper series, “Buying Criteria for Advanced Threat Protection”).
The three core capabilities of the lifecycle defense include:
• Ongoing operations: The lifecycle starts with detection and blocking of all known threats as part of routine, day-to-day operations. Unknown threat events are escalated to the containment phase.
• Incident containment: Unknown (novel) threats are analyzed and mitigated via closed-loop feedback, through which threat intelligence is automatically shared with other security systems to inoculate the organization from future attacks. Threat information is also shared in real time among millions of users in thousands of organizations via a global intelligence network, so the defense system can learn, adapt, and evolve to stay a step ahead of advanced threats.
• Incident resolution: Breaches that do occur are investigated, analyzed, and quickly remediated, and the resulting intelligence is shared via the global intelligence network, which in turn helps convert unknown threats into known threats.
This lifecycle approach can help organizations prepare for advanced and unknown attacks that occur – so that companies can mitigate the damage, resolve the issue quickly, learn from incidents, and apply new intelligence so that future attacks do not succeed.
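The three phases and the closed-loop feedback between them can be modelled as a small state machine. The following added example (not the paper’s or any Blue Coat product’s code; the indicators, behaviors and site names are constructed) shows two sites sharing one intelligence store: the first site’s containment analysis turns an unknown indicator into a known one, so the second site blocks it during ongoing operations, and a later retrospective finding reclassifies an indicator that had been allowed.

```python
from dataclasses import dataclass, field
# Behaviors the (constructed) analysis stage treats as malicious.
MALICIOUS_BEHAVIORS = {"beacons_to_c2", "disables_av", "writes_autorun"}

@dataclass
class Event:
    indicator: str          # what the gateway saw, e.g. a file hash or URL
    behaviors: frozenset    # what analysis (sandboxing) observed it doing

@dataclass
class GlobalIntelligence:    # verdicts shared by every site
    known_bad: set = field(default_factory=set)
    known_good: set = field(default_factory=set)

@dataclass
class Site:
    name: str
    intel: GlobalIntelligence
    log: list = field(default_factory=list)

    def ongoing_operations(self, ev):
        """Phase 1: block known-bad, allow known-good, escalate the unknown."""
        if ev.indicator in self.intel.known_bad:
            return self._record(ev.indicator, "blocked", "known")
        if ev.indicator in self.intel.known_good:
            return self._record(ev.indicator, "allowed", "known")
        return self.incident_containment(ev)

    def incident_containment(self, ev):
        """Phase 2: analyze the unknown and publish the verdict (closed loop)."""
        bad = bool(ev.behaviors & MALICIOUS_BEHAVIORS)
        (self.intel.known_bad if bad else self.intel.known_good).add(ev.indicator)
        return self._record(ev.indicator, "blocked" if bad else "allowed", "analyzed")

    def incident_resolution(self, indicator):
        """Phase 3: a breach is found after the fact; reclassify the indicator
        and report which earlier decisions at this site let it through."""
        self.intel.known_good.discard(indicator)
        self.intel.known_bad.add(indicator)
        return [e for e in self.log if e[0] == indicator and e[1] == "allowed"]

    def _record(self, indicator, action, how):
        self.log.append((indicator, action, how))
        return action, how

def demo():
    intel = GlobalIntelligence()
    hq, branch = Site("hq", intel), Site("branch", intel)
    dropper = Event("sha256:CONSTRUCTED-dropper", frozenset({"beacons_to_c2"}))
    return hq.ongoing_operations(dropper), branch.ongoing_operations(dropper)
```

demo() returns ("blocked", "analyzed") for the first site and ("blocked", "known") for the second: the same indicator costs one analysis across the whole network.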
Simply put, the lifecycle defense is part of a holistic security approach that integrates
Diagram: the lifecycle defense, built on the Global Intelligence Network. (1) Ongoing Operations: Detect & Protect, Block All Known Threats. Unknown Event Escalation leads to (2) Incident Containment: Analyze & Mitigate. Retrospective Escalation leads to (3) Incident Resolution: Investigate & Remediate Breach, Threat Profiling & Eradication, Fortify & Operationalize.
Blue Coat Systems Inc. – www.bluecoat.com
Corporate Headquarters: Sunnyvale, CA, +1.408.220.2200
EMEA Headquarters: Hampshire, UK, +44.1252.554600
APAC Headquarters: Singapore
© 2013 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos,ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, “See Everything. Know Everything.”, “Security Empowers Business”, and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you. v.WP-ADVANCED-THREAT-PROTECTION-EN-v1f-1113