Advanced threat protection
Analyst Coverage: Fran Howarth
Attacks that specifically target an individual or an organisation potentially provide gains far higher than opportunistic attacks launched en masse. The motivations behind targeted attacks include stealing valuable information or money, causing harm by blocking business operations, and the wish to cause reputational or financial losses at specific organisations.
Opportunistic attacks are still being seen and currently account for around three-quarters of the total volume of attacks. But growth rates for targeted attacks are considerably higher: from 2012 onwards, growth rates for targeted attacks have been around 50%.
Not only are such attacks growing in volume, but they are also increasing in sophistication, with malware strains increasingly being seen that have been created for a specific target. From mid-2013 onwards, some two-thirds of targeted attacks use malware strains that are seen just the once.
There is an ever-wider range of actors involved in such advanced targeted attacks, including hacktivists, nation states and organised criminal groups with resources available to them that rival those of large organisations. As well as this, as networks are increasingly opened up—to outsiders such as business partners, to provide freedom and flexibility through the use of mobile devices, and through growing use of new technology delivery mechanisms such as cloud computing and web-based services—potential attack vectors are proliferating. Insider threats also remain a significant problem, from well-meaning employees making mistakes to those bent on causing the organisation harm. Further, the penalties for being the victim of a security breach where personal data is lost are already high and look set to grow significantly as new regulations and mandates are in the offing. Such breaches—as well as attacks targeting valuable information such as intellectual property—can be devastating both financially and in terms of tarnished reputations.
Advanced targeted attacks target specific individuals in order to gain an entry point into the network. But that initial target is almost never the final goal of the attacker. Rather, the attacker is merely looking to gain a foothold on the network and then aims to move laterally through network systems to find information of greater value. They are also not generally looking for a one-off hit, but aim to remain undetected on the network to steal greater volumes of information over time. For this information to be of value to the attacker, it is necessary for them to exfiltrate the information to command and control servers that they maintain.
The current mantra in the security industry is “it is not if, but when, you will be breached”. Organisations of any size in any industry are being targeted and statistics show that not only has almost every organisation been breached in the past year, but attacks are occurring on a more regular basis. Roughly half of advanced targeted attacks are aimed at small organisations with fewer than 2,500 employees and particular growth is being seen in attacks targeting organisations with fewer than 250 employees. In some cases it is not particularly the information within those small organisations that is the main goal of the attacker, but they are being used as a conduit into larger organisations with which the smaller organisation does business. For example, the attacker may look for enough information regarding a particular employee or business deal at the smaller organisation in order to impersonate that employee in communications or create a realistic communication that is likely to interest the larger organisation.
Advanced targeted threats are today’s reality for organisations of all sizes, and traditional technology controls, often based on countermeasures in the form of signatures for threats that are already known about, are not up to the task of defending networks. More advanced controls, using techniques that are constantly evolving, provide a much higher level of protection. Yet attackers are increasingly determined and it is a certain bet that some attacks will always get through. Organisations need to be constantly on their guard and use the latest technologies for proactively monitoring their networks for those threats that have evaded their defences. In many cases, they need to think like an attacker, using the same tools, techniques and procedures that attackers use, when responding to those incidents that inevitably occur.
Yet that, in itself, is not sufficient. No matter how good the front-end controls are, some exploits will always get through. The ability to uncover threats already lurking on networks is therefore a key consideration in protecting networks, and the valuable information that they contain, against advanced targeted attacks, so that actions can be taken to remediate and recover from incidents as quickly as possible, before serious damage can be done.
Raising awareness among employees of the dangers of advanced targeted attacks is of prime importance. They should be made aware of the dangers of posting too much personal information about themselves, or about the organisation for which they work, online. It is imperative that all individuals treat unsolicited communications with caution, even where they seemingly come from a legitimate source, and do not open attachments they are not expecting to receive, as malware-laden attachments are a prime way of gaining a foothold in organisations. Similarly, URLs within communications should be treated with suspicion, as they can lead to websites riddled with malware. Increasingly, legitimate websites are being subverted, and new techniques such as watering hole attacks are being used to entice people to visit websites that appeal to their particular interests, but that are in fact compromised.
The market for advanced threat protection technologies is vast and there are many vendors that could quite reasonably claim to be players in this space, although perhaps not all with fully rounded capabilities.
Among the vendors that are represented in this market space, there is a high level of investment activity. Many of the privately held vendors have received significant funding recently. Noteworthy acquisitions have been made—Bit9 acquired Carbon Black in February 2014; Blue Coat Systems acquired Norman Shark in December 2013 and previously acquired Solera Networks in May 2013; FireEye acquired Mandiant in January 2014; Hexis Cyber Solutions is a new commercial venture from KEYW Corporation that incorporates acquisitions including Sensage; IBM acquired Trusteer in September 2013; McAfee acquired Stonesoft in May 2013; Palo Alto Networks acquired Morta Security in January 2014; and Sourcefire was itself acquired by Cisco Systems in July 2013, although it retains its branding. Palo Alto Networks underwent an IPO in 2012, as did FireEye in September 2013.
Within this market space, vendors can be called out for particular specialisations. Whilst there are some vendors that provide a one-stop shop for advanced threat protection and remediation, others have particularly strong capabilities in specific areas, from protecting against threats to providing automated incident response capabilities, or providing this through a combination of automation and services expertise. In many cases, the more specialised vendors have noteworthy partnerships in place to provide a full offering.
This market will remain vibrant. Further investment and consolidation seem almost certain, and new players are poised to enter the market as they broaden out existing capabilities to fully enter the advanced threat protection space. There is also room for more innovative start-ups to shake up the market.
Further resources to broaden your knowledge:
Security is a human problem
Live phishing detection technology for protecting against sophisticated web-based attacks.
Turning the tables on cyber criminals - using the cyber kill chain framework to protect your organisation
This document describes what options are available for disrupting attackers at each stage of the kill chain.
Managing indicators of compromise - taking a more proactive stance on security breach remediation
This document introduces the concept of IOCs and explains how organisations can use them for their benefit.
The need to secure all business communications - a competitive overview of major players in the market
The market for email and web security has seen much consolidation recently and this has changed the landscape considerably.