Score: Fifteen-Love, Keeping Ahead of the Latest Threats
It’s not as if the money you’ve spent on recently added security controls has been wasted. But against highly skilled, relentless adversaries it is nearly impossible to prevent every network breach in today’s threat landscape. It takes only one threat actor lobbing their latest tradecraft into your network, and the point is lost. When that happens you had better swing fast: rapid detection and rapid response are what limit the damage inflicted.
Because threats keep evolving and adding new challenges to prevention, security vendors have shifted their focus to detection technologies for these elusive threats. Like firewalls and IDS/IPS devices, Advanced Threat Detection (ATD) appliances see the traffic that enters and exits your network, but they inspect it at a depth those traditional controls lack. In addition to matching network traffic against known threat indicators (IP addresses, domain names and URLs), they extract the files and other objects carried in that traffic and watch what those objects actually do, which allows earlier detection and a better-informed response. To do this, ATD devices rely on sandboxing: suspicious code is executed inside a tightly controlled, instrumented environment where its behavior can be monitored and analyzed to identify malware, including many zero-day threats that no signature would catch. If the code does anything perceived as malicious, such as modifying registry keys or files, or sending data to a suspected bad IP address, the appliance reports detailed information about that behavior so you can drive your follow-on response. I personally like the next-generation sandboxes that perform full-system emulation (the whole machine, CPU and memory included, is emulated, so the malware is observed from outside the guest rather than through hooks planted inside it), because they give the deepest visibility into previously unknown malware behavior and are the hardest for evasive malware to detect and circumvent. Bear in mind that no sandbox is evasion-proof: a sample that sleeps past the analysis window, checks for virtualization artifacts, or waits for user interaction can still produce an empty report, and an empty report is not a clean bill of health.
The challenge is that these advanced malware detection solutions produce so much detail about the suspicious activity that most organizations lack the resources to investigate it thoroughly. The output is a report containing a chain of thousands of low-level events (process and thread creation, file and registry writes, network connections) generated by detonating the sample inside the sandbox. Each of these threads must be pulled on to determine where this newly discovered malware came from and what it belongs to, and it is easy to mistake one type of malware component for another. Most organizations have to fall back on open-source information gathered through exhaustive Internet searches, and often draw the wrong conclusion because different malware families share similar behaviors. Meanwhile, the adversary is still in the network.
Whoever is analyzing the incidents will need to help the organization answer the following pertinent questions:
- Is this a minor intrusion or a major breach?
- Is the intrusion contained or has data been lost?
- How do we respond?
- Have we seen this threat actor before, and if so, what is their most likely next move?
To answer those questions, the analyst will need to have an existing robust intelligence framework that tracks the thousands of movements of the most elusive threat groups.
With more than a billion threat indicators gathered from research, targeted threat hunting, incident response engagements, third parties and 4,000+ clients worldwide, Dell SecureWorks can accurately identify the threats and the best ways to remediate them. Our Advanced Malware Protection and Detection (AMPD) service provides organizations with an Advanced Threat Detection (ATD) appliance that routes incoming and outgoing email, file and Web traffic to an engine hosted at Dell SecureWorks, which continuously monitors that traffic. Anything that seems suspicious is immediately forwarded to our advanced security analysts to determine what the threat is and what needs to be done to remove it.
Before spending money on an appliance that sends you alerts about suspicious activity and leaves it up to your team to decide what to do about them, ask yourself a few questions:
- Do you have specialized analysts who can accurately identify and diagnose evasive threats once the alerts arrive?
- Can your analysts ensure your organization responds effectively to the incident and closes every backdoor the threat actor may have opened?
Advanced threat actors gain access quickly and move laterally within minutes of their initial compromise, often with the privileges of a system administrator. So be careful of just buying another product when what you really need is a solution that evens the score and ensures results.