Today's Advanced Cyber Threats


Terry Ganzi (thread author), Feb 7, 2014
Today's cyber attacks have changed radically from just a few years ago. Broad, scattershot attacks designed for mischief have been replaced with attacks that are advanced, targeted, stealthy, and persistent. Today's advanced attacks are focused on acquiring something valuable: sensitive personal information, intellectual property, authentication credentials, insider information. Each attack is often conducted across multiple threat vectors, Web and email, and across multiple stages, with premeditated steps to get in, to signal back out of the compromised network, and to get valuables out.

[Image: Today's Advanced Cyber Attacks (new_status_quo.png)]

Traditional protections, like traditional and next-generation firewalls (NGFW), intrusion prevention systems (IPS), anti-virus (AV) and Web gateways, only scan for the first move, the inbound attack. These systems rely heavily on signatures and known patterns of misbehavior to identify and block threats. This leaves a gaping hole in network defenses that remain vulnerable to zero-day and targeted advanced persistent threat (APT) attacks. For example, consider the time lag in signature development due to the need for vulnerability disclosure and/or the mass spread of an attack to catch the attention of researchers. Malicious code is identified over the course of a few days as it spreads. However, polymorphic code tactics counter-balance the effects of signature-based removal. Signatures represent a reactive mechanism against known threats. However, if attacks remain below the radar, the malware is completely missed, and the network remains vulnerable especially to zero-day, targeted advanced persistent threats. No matter how malicious the code is, if signature-based tools haven't seen it before, they let it through.

[Image: threat_landscape_attack.png]


Heuristic-based protection alone has not proven to be operationally effective. It uses rough algorithms to estimate suspicious behavior, generating lots of false alerts. While these heuristic techniques have merit, the true positive to false positive ratio (a.k.a. signal-to-noise ratio) is too low for a cost-effective ROI. The false positives clutter up security event logs, and real-time blocking based on these heuristic alerts is simply not an option. Administrators often "dumb down" available heuristics to catch only the most obvious suspicious behavior. Multi-stage targeted attacks don't trip this coarse-grained filter.
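The signal-to-noise trade-off the post describes, as an added example that is not part of the original post: a heuristic score threshold is swept over a constructed event sample to show why a "dumbed down" (high) threshold silences false alerts but also drops the moderately scored stages of a multi-stage intrusion. The scores, the benign-to-malicious base rate and the stage values are assumptions chosen for illustration, not real telemetry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    score: int       # heuristic suspicion score, 0-100 (constructed)
    malicious: bool  # ground truth, known only because the sample is constructed


def build_sample() -> list[Event]:
    """Constructed sample, not real data: 10,000 benign events whose scores
    cluster near zero with a long tail up to 59, one loud commodity infection
    scoring 95, and one quiet targeted intrusion that shows up as four
    moderately scored stages instead of a single obvious event."""
    benign = [Event(int(60 * (((i * 7919) % 1000) / 1000) ** 3), False)
              for i in range(10_000)]
    commodity = [Event(95, True)]
    targeted_stages = [Event(s, True) for s in (35, 40, 45, 50)]
    return benign + commodity + targeted_stages


def evaluate(events: list[Event], threshold: int) -> dict:
    """Alert on every event at or above the threshold and report alert
    volume, precision (true-positive share of alerts) and recall."""
    alerts = [e for e in events if e.score >= threshold]
    tp = sum(1 for e in alerts if e.malicious)
    fp = len(alerts) - tp
    total_malicious = sum(1 for e in events if e.malicious)
    return {"threshold": threshold, "alerts": len(alerts),
            "true_positives": tp, "false_positives": fp,
            "precision": tp / len(alerts) if alerts else 0.0,
            "recall": tp / total_malicious}


def sweep(events: list[Event], thresholds=(30, 45, 60)) -> list[dict]:
    """Evaluate several thresholds; lower ones catch every stage but bury it
    in noise, the highest keeps only the commodity infection."""
    return [evaluate(events, t) for t in thresholds]


if __name__ == "__main__":
    for row in sweep(build_sample()):
        print(f"threshold={row['threshold']:>3}  alerts={row['alerts']:>5}  "
              f"FP={row['false_positives']:>5}  TP={row['true_positives']}  "
              f"precision={row['precision']:.4f}  recall={row['recall']:.2f}")
```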