Context is the most important element in defending corporate information in the face of increasingly targeted attacks, according to security organisation Trend Micro.
“Traditional security cannot protect against targeted attacks because that is precisely what they are designed to circumvent,” said Rik Ferguson, vice-president of security research at Trend Micro.
The problem is that many organisations believe their current systems are protecting them when that is not true, Ferguson said.
“Relying on traditional security systems to protect against targeted attacks is like using a claw hammer to peel an orange; it is an inappropriate tool for the job,” said Ferguson.
The best way to tackle attacks that use indirect paths and stealthy movement in targeted networks to get to valuable corporate data, he said, is to use context continually to identify malicious activity.
“Traditional security tends to discard the good, but in doing so, organisations lose a lot of context, making them less able to distinguish malicious activity from normal behaviour,” said Ferguson.
Only context can provide a fuller picture and enable businesses to see the anomalies that can point to malicious activity, he said.
“All too often, businesses focus on security products such as firewalls and intrusion prevention in isolation,” said Ferguson.
But this “myopic” view of security is ineffective in the face of the increased exploitation of zero-day vulnerabilities, made even easier by their incorporation into exploit toolkits, he said.
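As an added illustration of the point about discarding benign events (this is example code, not from Trend Micro or the article): a blacklist check over constructed log events, beside a check that keeps the benign events as a per-user baseline, so that a freshly generated domain contacted at 3am stands out even though no indicator exists for it. The events, domain names, working-hours window and history threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample events: (user, hour of day, destination). Not real telemetry.
EVENTS = [
    ("alice", 9, "mail.corp.example"),
    ("alice", 10, "files.corp.example"),
    ("alice", 14, "mail.corp.example"),
    ("alice", 16, "files.corp.example"),
    ("bob", 11, "wiki.corp.example"),
    ("bob", 13, "wiki.corp.example"),
    ("alice", 3, "a8f3kq.example"),  # constructed: never-seen domain, contacted off hours
    ("bob", 12, "wiki.corp.example"),
]
BLACKLIST = {"known-bad.example"}  # constructed indicator list; the new domain is not on it
WORK_HOURS = range(8, 19)          # assumed 08:00-18:59 working day


def blacklist_only(events):
    """Traditional approach: keep only hits against known-bad indicators, drop the rest."""
    return [e for e in events if e[2] in BLACKLIST]


def with_context(events, min_history=3):
    """Keep the benign events too: build a per-user baseline of destinations, then
    score later events against it. An event alerts when it hits the blacklist or when
    it is both a first-seen destination for that user and outside working hours."""
    seen = defaultdict(set)   # user -> destinations observed so far
    count = defaultdict(int)  # user -> number of events observed so far
    alerts = []
    for user, hour, dest in events:
        reasons = []
        if dest in BLACKLIST:
            reasons.append("blacklisted destination")
        # Only judge novelty once the user has enough history to form a baseline.
        if count[user] >= min_history:
            score = 0
            if dest not in seen[user]:
                score += 1
            if hour not in WORK_HOURS:
                score += 1
            if score >= 2:
                reasons.append("first-seen destination outside working hours")
        if reasons:
            alerts.append((user, hour, dest, reasons))
        seen[user].add(dest)  # the benign event becomes part of the context
        count[user] += 1
    return alerts
```

Run against EVENTS, the blacklist check returns nothing, while the context check flags only the off-hours contact to the new domain.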
Threats from redirects and cross-platform attacks
Ferguson expects these toolkits to evolve even further in 2013, with most exploits aimed at circumventing traditional security systems, reducing their effectiveness even further.
Ferguson predicts malware will increase its ability to target by browser, geography and exploit. He said growing dynamic URL-generating capabilities will increasingly defeat security systems based on blacklisting known bad URLs.
“In the coming year we will see greater use of redirection to malicious sites and software on a per-user basis,” said Ferguson.
He also predicts we will see the first cross-platform attacks in 2013, which will be a “game changer”, because mobile malware will no longer rely on social engineering to work.
Once PC malware techniques are unleashed on the mobile platform through compromised websites, attackers will be able to do what they like on phones.
“It won’t matter how secure the app stores are,” said Ferguson.
Commoditisation of custom malware
The trend of malware evading sandbox technologies, he said, is likely to continue and expand, with attackers investing more in evading these technologies, which are common in many security systems.
The commoditisation of custom malware is also likely to continue, with a growing number of custom attacks being incorporated quickly into exploit kits such as Blackhole.
“As a result, we could see everyday attacks becoming more like sophisticated targeted attacks,” said Ferguson.
Finally, he predicts 2013 will see the first data breach facilitated by smart mobile devices.
“Enterprises just do not have a handle on managing security on these devices yet,” Ferguson said.