Today’s cyber attacks have changed radically from just a few years ago. They have replaced the broad, scattershot approach of mass-market malware designed for mischief with advanced tactics, techniques, and procedures.
Most of today’s attacks are targeted to get something valuable—sensitive personal information, intellectual property, authentication credentials, insider information—and each attack is often multi-staged with pre-meditated steps to get in, to signal back out of the compromised network, and to get valuables out.
Traditional protections, like traditional and next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV) and Web gateways, only scan for the first move, the inbound attack. These systems rely heavily on signatures and known patterns of misbehavior to identify and block threats, which leaves a gaping hole in network defenses that remain vulnerable to zero-day and targeted advanced persistent threat (APT) attacks. Consider the time lag in signature development: a vulnerability must be disclosed and/or an attack must spread widely enough to catch the attention of researchers, so malicious code is identified over the course of a few days as it spreads, and polymorphic code tactics counter-balance the effect of signature-based removal. Signatures are a reactive mechanism against known threats; if an attack stays below the radar, the malware is completely missed, and the network remains vulnerable, especially to zero-day, targeted advanced persistent threats. No matter how malicious the code is, if signature-based tools haven’t seen it before, they let it through.
Heuristic-based protection alone has not proven to be operationally effective. Heuristic engines use rough algorithms to estimate suspicious behavior and generate lots of false alerts. While these techniques have merit, the ratio of true positives to false positives (the signal-to-noise ratio) is too low for a cost-effective ROI. The false positives clutter up security event logs, and real-time blocking based on heuristic alerts is simply not an option. Administrators often “dumb down” the available heuristics to catch only the most obvious suspicious behavior, and multi-stage targeted attacks don’t trip this coarse-grained filter.
Cyber criminals have figured out how to evade detection by bypassing traditional defenses. Using toolkits to design polymorphic threats that change with every use, move slowly, and exploit zero-day vulnerabilities, the criminals have broken in through the hole left by traditional and next-generation firewalls, IPS, anti-virus and Web gateways. This new generation of organized cybercrime is persistent, capitalizing on organizational data available on social networking sites to create very targeted ‘phishing’ emails and malware targeted at the types of applications and operating systems (with all their vulnerabilities) typical in particular industries.
Once inside, advanced malware, zero-day and targeted APT attacks will hide, replicate, and disable host protections. After it installs, it phones home to its command and control (CnC) server for instructions, which could be to steal data, infect other endpoints, allow reconnaissance, or lie dormant until the attacker is ready to strike. Attacks succeed in this second communication stage because few technologies monitor outbound malware transmissions. Administrators remain unaware of the hole in their networks until the damage is done.
APTs can be characterized by the attackers’ quest to gain long-term control of compromised computer systems. Whether attackers use viruses, Trojans, spyware, rootkits, spear phishing, malicious email attachments or drive-by downloads, their malware enables the simple disruption or long-term control of compromised machines. APTs can be nation-state or rogue actors using completely unknown malware or buying access to systems previously compromised with known malware installed through social engineering, spear phishing, or drive-by downloads.
Today’s new breed of cyber attacks necessitates a new security model that can protect against unknown malicious code delivered over multiple threat vectors.
Over 95% of companies already have compromised systems within their networks*. Why? Sophisticated malware has eroded the effectiveness of traditional defenses, leaving a hole in the network. Designed to use signatures to block known threats, traditional and next-generation firewalls, IPS, AV, and gateways do nothing when zero-day, targeted APT malware attacks.
To fill this gap in network defenses, a new generation of security protections has emerged, ready to do battle against today’s new breed of cyber attacks. These next-generation security systems must plug the hole left by firewalls, IPS, AV, and Web gateways by applying advanced, coordinated techniques to identify, confirm and block the activities of today’s threats.
- Dynamic defense to stop today’s new breed of cyber attacks – Analyze network traffic to identify new and unknown attacks in real time, rather than just comparing bits of code to signatures or shielding known vulnerabilities
- Real-time protection to block data exfiltration attempts – Stop outbound callback communications to disrupt compromised systems from being controlled and exploited from the external Command and Control servers
- Integrated inbound and outbound filtering across protocols – Take protective action across multiple protocols in both directions of communications, inbound exploits and infections and outbound callback channel communications to malicious Command and Control servers
- Accurate, low false positive rates – Confirm malware through comprehensive, automated testing that avoids the flood of false alarms inevitable with crude heuristics
- Dynamic threat intelligence on attacks to protect the local network – Efficiently distribute newly confirmed threat intelligence, both within a site and across the Internet, to share the latest insight on both inbound attacks and outbound callbacks
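The outbound side of the list above, stopping callbacks to Command and Control servers, depends on being able to spot the callback channel in the first place. The following is an added example, not FireEye's code and not a description of how its appliances work: it reads a few constructed proxy log lines (the "timestamp client host" format is an assumption, as are all hosts and addresses) and flags client/host pairs whose request spacing is unusually regular, which is the signature of a malware beacon polling its controller on a timer.

```python
"""Periodic-callback (beacon) detection over constructed proxy log lines.

Added example; it is not FireEye's code. It assumes a simple
"<ISO-8601 timestamp> <client IP> <destination host>" log line format and
flags client/host pairs whose request intervals are unusually regular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (no real hosts): 10.0.0.5 calls out roughly every
# minute with small jitter; 10.0.0.7 shows irregular, user-driven browsing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example-cdn.test
2024-03-01T09:01:02 10.0.0.5 updates.example-cdn.test
2024-03-01T09:02:01 10.0.0.5 updates.example-cdn.test
2024-03-01T09:03:03 10.0.0.5 updates.example-cdn.test
2024-03-01T09:04:00 10.0.0.5 updates.example-cdn.test
2024-03-01T09:05:02 10.0.0.5 updates.example-cdn.test
2024-03-01T09:00:10 10.0.0.7 news.example.test
2024-03-01T09:00:14 10.0.0.7 news.example.test
2024-03-01T09:07:31 10.0.0.7 news.example.test
2024-03-01T09:08:02 10.0.0.7 news.example.test
2024-03-01T09:31:45 10.0.0.7 news.example.test
2024-03-01T09:32:00 10.0.0.7 news.example.test
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        sessions[(client, host)].append(datetime.fromisoformat(ts))
    return sessions


def interval_stats(timestamps):
    """Return (mean_gap, cv) of the inter-request gaps in seconds, or None
    when fewer than two gaps exist. cv is the coefficient of variation
    (stdev / mean); values near 0 mean near-constant spacing."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return [(client, host, mean_gap, cv)] for pairs that look periodic.

    min_requests keeps one-off bursts out; max_cv is the tolerated jitter
    (0.2 means the gap standard deviation is at most 20% of the mean)."""
    flagged = []
    for (client, host), ts in parse_log(text).items():
        if len(ts) < min_requests:
            continue
        stats = interval_stats(ts)
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            flagged.append((client, host, mean_gap, cv))
    return sorted(flagged)


if __name__ == "__main__":
    for client, host, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: every ~{gap:.0f}s (cv={cv:.2f})")
```

On the sample, only 10.0.0.5 is flagged (gaps of 62, 59, 62, 57 and 62 seconds, mean 60.4 s). Legitimate update checkers and monitoring agents are periodic too, so in practice this is a triage signal to combine with destination reputation and the content of the requests, and the `max_cv` threshold has to be raised for implants that add random sleep jitter.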
The FireEye Malware Protection System automates these techniques to supplement traditional defenses, adding integrated inbound and outbound protection to combat today’s stealthy Web, email, and file-based threats. While these traditional security defenses provide a relevant policy enforcement function, they have been outclassed by today’s new breed of cyber attacks. FireEye appliances combine signature-based detections to detect the known with signature-less code execution to reveal the unknown. By linking inbound and outbound protections with dynamically generated threat intelligence exchanged through the FireEye Dynamic Threat Intelligence cloud, FireEye uniquely short-circuits the multiple stages and subtle communications of today’s cyber attacks.
Despite bold claims and billions of dollars invested, legacy protections like traditional and next-generation firewalls, intrusion prevention systems, anti-virus, and Web gateways no longer stop advanced malware or targeted APT attacks.
These systems rely too heavily on signatures, known patterns of misbehavior, and reputation to be effective at accurately identifying and blocking advanced targeted attacks. This leaves a gaping hole in network defenses that remain vulnerable to today’s new breed of cyber attacks. In the following pages, we review how each technology has been victimized and bypassed by today’s cyber attacks.
Next-generation firewalls (NGFWs) have proven to be incapable of stopping advanced malware and targeted attacks. While NGFWs typically take a more application-centric approach to traffic classification, they neither detect nor block the new breed of advanced attacks such as zero-day, targeted attacks or advanced persistent threat (APT) attacks.
At their core, NGFWs’ anti-malware technologies rely on traditional anti-virus and IPS signatures, reputation analysis, and URL blacklists. These approaches are reactive and have proven incapable of stopping advanced threats. With more than 286 million new malware variants surfacing in 2010 alone, it is no wonder NGFWs, like traditional firewalls, fall short when it comes to next-generation threats.
NGFW vendors have tacitly conceded this point and are now augmenting their products with cloud-based analysis of binaries and DLLs and “rapid” hourly updates of the firewall signature set.
Fundamentally, cloud-based analysis does not provide advanced malware protection.
Key gaps in NGFW protection:
- Does not stop Web page attacks – NGFW cloud-based analysis does not analyze document and file formats for malware (PDFs, Microsoft documents, image formats) used to exploit application vulnerabilities.
- Does not stop email-based attacks – NGFW cloud-based analysis does not analyze emails for malware, so it cannot stop spear phishing attacks. Spear phishing is a primary mechanism used in targeted APT attacks.
- Cannot address encrypted binaries – NGFW cloud-based analysis is based on the premise that malware binaries will be transmitted in the clear and that there is no need to detect the exploit phase that actually initiates a binary download.
- Too slow and reactive – Hourly updates of attack signatures are too slow even if they manage to detect a new attack binary. FireEye research has found that 90% of binaries morph within one hour and initiate callbacks within minutes of compromise to download further malware infections.
The Operation Aurora APT attack that targeted Google and many others used an XOR encoding to mask the binary. Without visibility into the exploit phase, NGFWs did not detect the encrypted binary, and therefore missed the Aurora attack entirely.
Also, there are many APT attacks that utilize email attachments as the initial exploit phase of the attack. The attack on RSA in early 2011 utilized an infectious spreadsheet to begin the process of infiltrating deep inside RSA’s network to target valuable source code. Again, NGFWs are architecturally incapable of detecting or blocking an email attachment-style attack.
In short, NGFWs have fundamental architectural flaws as they relate to the detection and blocking of the advanced malware and APT-style attacks. These flaws leave the end user’s network wide open to web page exploits that subsequently mask or encrypt the binary download phase. Without any real-time analysis within the locally deployed firewall, NGFWs are unable to address advanced malware and targeted APT attacks. Companies deploy FireEye products to complement traditional NGFWs to ensure they are fully protected against cyber attacks.
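The Aurora case above turns on a binary that was XOR-encoded so that it no longer matched the byte patterns a signature engine looks for. As an added example (not FireEye's code, and not how its products detect this), the snippet below shows the kind of inline check a defender can run on a downloaded blob: it tries every single-byte XOR key and reports one under which the content decodes to a Windows executable header. The sample "executable" is constructed and carries only the two header fields the check reads (`MZ` at offset 0 and `PE\0\0` at the offset stored in `e_lfanew`); real PE parsing has many more fields, and multi-byte or rolling keys would need a different probe.

```python
"""Inline check for a single-byte-XOR-masked Windows executable.

Added example, not FireEye's code. A plain PE file begins with "MZ" and
stores at offset 0x3C the offset (e_lfanew) of the "PE\0\0" signature.
If a download only shows that structure after XOR with some key, the
content was masked on the wire.
"""
import struct

PROBE_LEN = 4096  # assumption: e_lfanew lands within the first 4 KiB


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_mask(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_key(blob: bytes):
    """Return the key (0..255) under which blob decodes to a PE, else None.

    Key 0 means the blob already was a plain, unmasked executable."""
    head = blob[:PROBE_LEN]
    for key in range(256):
        if looks_like_pe(xor_mask(head, key)):
            return key
    return None


def classify(blob: bytes) -> str:
    """Human-readable verdict for a captured download body."""
    key = find_xor_key(blob)
    if key is None:
        return "no executable detected"
    if key == 0:
        return "plain executable"
    return f"XOR-masked executable (key 0x{key:02x})"


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: only the fields the check reads."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x20  # signature + filler


if __name__ == "__main__":
    sample = build_fake_pe()
    print(classify(sample))                 # plain executable
    print(classify(xor_mask(sample, 0x5A))) # XOR-masked executable (key 0x5a)
    print(classify(b"<html><body>hello</body></html>" * 4))
```

Because only one key can turn the first byte into `M`, the loop effectively tests a single candidate and the `PE\0\0` lookup rules out accidental matches on ordinary text or images; the cost is one pass over the first few kilobytes, cheap enough to run on every download rather than only on files that already look suspicious.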