“For 25 years, businesses have had the mentality of scan, detect, fix, relax, but that approach to security is no longer working,” said Adrian Culley, Damballa’s technical consultant for Europe.
Businesses need to recognise that they probably have been compromised without their knowledge, and should adapt their security strategy to continually look for signs of compromise, he told Computer Weekly.
“Vulnerability is a function of complexity, and systems are only getting ever more complex,” said Culley.
Increasing complexity makes it more difficult to find vulnerabilities or guarantee that these systems are free of vulnerabilities. At the same time, it makes it easier for cyber criminals or their collaborators to hide vulnerabilities.
For this reason, he believes that security strategies aimed only at preventing attacks are no longer realistic, and have led to a false sense of security. Instead, security needs to be about looking for signs of compromise and being able to respond effectively when data breaches occur.
“As GCHQ director Iain Lobban pointed out recently, the question is no longer whether there are foreign intelligence agencies on your network, but whether or not you have found them,” said Culley.
According to Damballa researchers, traditional security systems have been blind to a whole class of attacks that are specifically designed to evade detection.
Advanced attack methods
In recent times, attacks commonly referred to as advanced persistent attacks, or APTs, have resulted in a growing awareness of this class of detection-evading attacks.
“These so-called APTs are not a ‘super virus’ or ‘advanced malware’, but are typically modular in design with many moving parts designed by several teams with the aim of evading detection,” said Culley.
Many elements are innocuous when viewed in isolation, he said. Lua, for example, is merely a scripting language that has been used in many applications, such as Adobe's Photoshop Lightroom, yet it was a key component of Gauss, a cyber threat related to Flame and Stuxnet.
For this class of threat, said Culley, evading firewalls, data leakage prevention, intrusion prevention, antivirus and any other rule-based or signature-based security systems is “trivial”.
Just as in the physical world, he said, all cyber tools can be used for malicious purposes, therefore it is more important for security software to focus on how these tools are being used, and to be able to identify and shut down malicious activity.
“No carpentry hammers are made or sold to commit murder, yet they can be used for this purpose,” said Culley, a former member of the computer crime unit at Scotland Yard.
Measuring risk across the network
Damballa, which specialises in advanced threats, profiles all network communications within an organisation to identify any attempts by malware to make contact with its command and control server, and automates inspection of computer memory, where it is more difficult for attackers to hide their actions.
“By making the network part of the solution, it is possible to identify, eliminate or contain problems as soon as they arise,” said Culley.
Automatically detecting problems within computer memory produces a “heat map” of a network, but the key thing is being able to translate this into risk, and to balance this against business need, he said.
“Not all of this can be done by technology alone; it requires an understanding of the business and how each machine affects the business to determine the order of remediation,” said Culley.
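As an added illustration of the network-profiling and risk-ranking idea described above (example code written for this page, not Damballa's product or algorithm), the following Python script looks for one common command-and-control pattern, outbound connections from a host to one destination that recur at a near-constant interval, in a constructed connection log. It then weights each flagged host by a hypothetical business-criticality table to produce the kind of ranked “heat map” the text mentions. All hostnames, domains, timestamps and weights are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log: "<ISO timestamp> <source host> <destination>".
# The regular five-minute cadence from ws-finance-07 to one domain is the pattern
# worth surfacing; the irregular traffic from dev-build-02 is ordinary developer activity.
SAMPLE_LOG = """\
2013-05-10T09:00:00 ws-finance-07 update.example-cdn.net
2013-05-10T09:05:02 ws-finance-07 update.example-cdn.net
2013-05-10T09:10:01 ws-finance-07 update.example-cdn.net
2013-05-10T09:15:03 ws-finance-07 update.example-cdn.net
2013-05-10T09:20:00 ws-finance-07 update.example-cdn.net
2013-05-10T09:01:13 ws-finance-07 mail.example.com
2013-05-10T09:00:00 dev-build-02 repo.example.com
2013-05-10T09:03:41 dev-build-02 repo.example.com
2013-05-10T09:19:07 dev-build-02 repo.example.com
2013-05-10T09:47:55 dev-build-02 repo.example.com
2013-05-10T10:12:09 dev-build-02 repo.example.com
"""

# Hypothetical business-criticality weights (1 = low, 3 = high). In practice these come
# from the asset inventory: the "understanding of the business" the text calls for.
ASSET_CRITICALITY = {"ws-finance-07": 3, "dev-build-02": 1}


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times, min_events=4):
    """Return (mean_gap_seconds, coefficient_of_variation) for a flow's inter-arrival gaps.

    A low coefficient of variation means the connections recur at a near-constant
    interval, which is how many malware check-ins behave. Returns None when there are
    too few events to judge, so one-off connections are never flagged.
    """
    if len(times) < min_events:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows, cv_threshold=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for every flow regular enough to suspect."""
    suspects = []
    for (src, dst), times in flows.items():
        score = beacon_score(times)
        if score is None:
            continue
        avg, cv = score
        if cv < cv_threshold:
            suspects.append((src, dst, avg, cv))
    # Most regular (lowest cv) first.
    return sorted(suspects, key=lambda s: s[3])


def risk_heat_map(flows, beacons, criticality):
    """Rank every host seen in the log by (suspicious flows x business criticality).

    This is the translation from raw detections to risk that decides remediation order;
    a hit on a high-value machine outranks several on a low-value one.
    """
    hosts = {src for (src, _dst) in flows}
    hits = defaultdict(int)
    for src, _dst, _avg, _cv in beacons:
        hits[src] += 1
    ranked = [(h, hits[h] * criticality.get(h, 1)) for h in hosts]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    beacons = find_beacons(flows)
    for src, dst, avg, cv in beacons:
        print(f"beacon-like: {src} -> {dst} every ~{avg:.0f}s (cv={cv:.3f})")
    for host, risk in risk_heat_map(flows, beacons, ASSET_CRITICALITY):
        print(f"risk {risk}: {host}")
```

The interval regularity test is deliberately simple; real traffic profiling must also cope with jittered beacons, legitimate periodic services (software updaters, monitoring agents) and traffic that leaves the network over DNS rather than direct connections, which is why a threshold alone is never the whole story and analysts still weigh each alert against what the machine does for the business.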
Human beings are also a key non-technical element of security, he said, with highly targeted phishing attacks a common element of attacks because people are often the weakest link in any defences.
According to Culley, there is an urgent need for everyone in the modern, digital society to have the basic skills required to be safe.
“Tangible, physical crime is decreasing because it is relatively easy to detect and report, but criminals are always among the first adopters of any new technologies, and crime prevention needs to keep up,” he said, adding that few crimes today do not have a digital element.
Culley believes that society needs to develop an appropriate level of ability for every age group and that equal emphasis should be placed on cyber safety as on basic literacy.