Page 38 - CDM Cyber Warnings February 2014
How to select the right cyber-defense against targeted
attacks and APTs
10 questions to ask your next generation cyber-defense solution vendor
By Gal Diskin, Chief Research Officer, Cyvera LTD
Those who feel they are familiar with the challenges that led to the creation of the new generation of cyber-security
solutions might want to skip part 1 and go directly to part 2.
PART 1: WHY THE "TRADITIONAL" SECURITY SOLUTIONS DON'T WORK
It is an open secret known to everyone in the security industry that anti-viruses and IPSs, as well as any other solution based on matching signatures, do not offer any protection against determined attackers. The reason for this is simple: a signature is a form of identification that can be generated only for known attacks, which means that anti-virus or IPS vendors need to capture an attack in a honeypot, analyze and identify that it is indeed an attack, generate a signature for it and eventually distribute the signature database update to their users. However, attackers can automatically modify their attack code by recompiling executables or modifying exploits and communication methods in seconds. Attackers can also test their attack in a controlled environment against available defense products in order to verify their malware is not caught. This leads to the vicious cycle depicted in Figure 1. The latest numbers I've seen from AV companies indicate 250,000 new signatures are found every day.

[Figure 1: The endless cycle of signatures]
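The signature cycle described above, as an added example that is not from the article or from Cyvera: a toy signature engine in Python that matches a file hash and a byte pattern, run over constructed byte strings standing in for executables. The "recompilation" step is simulated by nothing more than bumping an embedded version string, which is enough to show why an exact signature written for one build says nothing about the next one, and why each new build is first seen by the defender only after it has already slipped past the current database. Sample names, byte contents and the single-string mutation are all assumptions made for the example.

```python
"""Added example: a toy signature engine and the signature/recompile cycle.

Constructed data only; the "binaries" are short byte strings.
"""
import hashlib
import re

# Constructed stand-ins for two builds of the same malicious program:
# identical behaviour, different embedded version string.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"payload:connect-back v1" + b"\x00" * 8
RECOMPILED_VARIANT = b"MZ\x90\x00" + b"payload:connect-back v2" + b"\x00" * 8


def hash_signature(data: bytes) -> str:
    """Whole-file hash, the most exact (and most brittle) kind of signature."""
    return hashlib.sha256(data).hexdigest()


# Signature database built from the sample the vendor has already analysed.
SIGNATURES = {
    "hash": [hash_signature(KNOWN_SAMPLE)],
    "pattern": [b"connect-back v1"],  # byte pattern lifted from that build
}


def match_signatures(data: bytes, sigs=SIGNATURES) -> list:
    """Return the names of every signature that fires on `data`."""
    hits = []
    if hash_signature(data) in sigs["hash"]:
        hits.append("hash")
    for pat in sigs["pattern"]:
        if pat in data:
            hits.append("pattern:" + pat.decode())
    return hits


def mutate(sample: bytes, generation: int) -> bytes:
    """Stand-in for the attacker's recompile step (constructed): only the
    version string changes, so behaviour is unchanged but bytes differ."""
    return re.sub(rb"v\d+", b"v%d" % generation, sample)


def simulate_cycle(rounds: int) -> int:
    """Model Figure 1: each round the attacker ships a new build, and the
    defender can only add a signature for a build after capturing it.
    Returns how many builds were undetected on first contact."""
    sigs = {"hash": set(), "pattern": set()}
    missed = 0
    for gen in range(1, rounds + 1):
        build = mutate(KNOWN_SAMPLE, gen)
        if not match_signatures(build, sigs):
            missed += 1
        # After the fact: capture, analyse, distribute the update.
        sigs["hash"].add(hash_signature(build))
        sigs["pattern"].add(b"connect-back v%d" % gen)
    return missed


if __name__ == "__main__":
    print("known sample  :", match_signatures(KNOWN_SAMPLE))
    print("recompiled    :", match_signatures(RECOMPILED_VARIANT))
    print("missed builds :", simulate_cycle(5), "of 5")
```

The first call fires both signatures, the recompiled variant fires none, and over five rounds every build is missed on first contact: the database only ever describes the past. This is the gap the article argues signature-only tools cannot close, whatever the daily signature count.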
Nowadays, many groups focus on performing targeted attacks against organizations. A targeted attack may be conducted
by a government, organized crime, competitors (industrial espionage) and even by hacktivists (though these attacks are
usually less sophisticated). Targeted attackers invest time in collecting intelligence about your organization before
launching their attack. They will know email addresses and employee PII (Personally Identifiable Information) and will
employ spear-phishing techniques to get employees to open specific attachments. Their aim is usually to steal secrets or
sabotage operations. To do so they infect a small number of endpoints with custom malware and customized exploits.
Naturally, custom attack signatures will not be detected by "traditional" defense tools, leaving your organization defenseless against such attacks.
There are two main vectors currently employed by attackers in order to gain control of their target computer.
1. Malicious Executables – These are basically camouflaged malicious programs such as Trojans and RATs that, under the guise of a legitimate program or an innocent (non-executable) file, are used to gain control of the user's computer.
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 38