May 27, 2015 By Jean-Paul Bergeaux In

The Evolution of an Attack: Moving Beyond Malware

Today’s most dangerous cyber threats are the cyber “snipers” who hide within the noise created by less advanced threats. Here’s how they work: cyber attackers begin by funding and encouraging attacks by botnets, mass phishing emails, morphing malware and other APTs in order to overwhelm their targets with threats. Then, when the bad guys actually attack, they are harder to spot because they look nothing like those threats; instead they look more like traditional traffic. They work like snipers, picking off targets one by one.

Think of it like a thief who sends accomplices dressed as cartoon characters into a room to distract the crowd. Then the thief, looking like everyone else, walks unnoticed around the room, picking pockets as he goes.

The first question usually asked about this analogy is how these APTs look different. One example highlighted at a recent RSA Conference session described how targeted attacks aren’t using malware. That is, after using social engineering or brute force to breach an account, they don’t lay down malware files; instead they upgrade their access and create a persistent administrative account. And then they come back whenever they feel like it.

It’s a scary scenario because most of today’s security product companies are focused on finding malware files at the endpoint or the command and control associated with malware in the network. If you deploy only these defenses, you will miss many of the advanced bad guys.

So what do you do? At a high level, there are two ways to defend against this. First, look for indicators of activity, either pre-defined from historical data or defined on the fly by baseline analytics that can detect new types of activity. Second, defend the data specifically through separation of duties.

The second action is the easiest to do first, but only with the right technology. As was pointed out in the RSA session, once the bad guys are in, they will create administrative accounts. If access to the data does not come by default with a super-user account, then the data is not at risk, at least not yet. If the correct separation-of-duties controls are put in place, the bad guys will encounter a whole new barrier. It would take a multi-step process for them to gain access to important data, and many of those steps would set off very loud alarms.
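To make the second defense concrete, here is an added example (not the original post's code, and not the product it goes on to name) of a separation-of-duties guard in which being a system administrator does not, by itself, grant cleartext access to protected data. A data grant must be approved by a separate security officer who is neither the requester nor the grantee, and every attempt to short-cut that path raises an alert. The role names, resource names and the `sysmaint` account are constructed for the scenario.

```python
from dataclasses import dataclass


@dataclass
class Principal:
    name: str
    roles: set  # assumed role names: "sysadmin", "security_officer", or a job role


@dataclass
class DataPolicy:
    # resource -> set of principal names explicitly granted cleartext access
    grants: dict


class SeparationOfDutiesGuard:
    """Enforces that system privilege and data access are separate authorities."""

    def __init__(self, policy):
        self.policy = policy
        self.alerts = []  # (severity, message) tuples a SOC would consume

    def _alert(self, severity, message):
        self.alerts.append((severity, message))

    def read_data(self, principal, resource):
        """Cleartext access requires an explicit grant; admin rights alone never suffice."""
        if principal.name in self.policy.grants.get(resource, set()):
            return True
        if "sysadmin" in principal.roles:
            # A super user touching protected data without a grant is the loud alarm
            # the post describes: it is exactly what a persistent admin account would do.
            self._alert("high", f"{principal.name} (sysadmin) attempted cleartext read "
                                f"of {resource} without a data grant")
        else:
            self._alert("medium", f"{principal.name} denied cleartext read of {resource}")
        return False

    def grant_access(self, requester, approver, grantee, resource):
        """A grant needs a security officer who is neither the requester nor the grantee."""
        if "security_officer" not in approver.roles:
            self._alert("high", f"{requester.name} tried to grant {grantee.name} access to "
                                f"{resource} using non-officer approver {approver.name}")
            return False
        if approver.name in (requester.name, grantee.name):
            self._alert("high", f"self-approval attempt by {approver.name} for "
                                f"{resource} -> {grantee.name}")
            return False
        self.policy.grants.setdefault(resource, set()).add(grantee.name)
        self._alert("info", f"{approver.name} approved grant of {resource} to {grantee.name}")
        return True


def run_scenario():
    """Constructed walk-through: an intruder-created admin account meets the guard."""
    guard = SeparationOfDutiesGuard(DataPolicy(grants={"payroll-db": set()}))
    sysmaint = Principal("sysmaint", {"sysadmin"})        # persistent admin account
    lee = Principal("lee", {"payroll-analyst"})           # legitimate data user
    maria = Principal("maria", {"security_officer"})      # separate approving authority
    results = {}
    # Step 1: the admin account tries to read the data directly and is denied.
    results["sysadmin_read"] = guard.read_data(sysmaint, "payroll-db")
    # Step 2: it tries to approve a grant to itself; it is not an officer, so denied.
    results["self_grant"] = guard.grant_access(sysmaint, sysmaint, sysmaint, "payroll-db")
    # Step 3: the legitimate path: analyst requests, officer approves, analyst reads.
    results["officer_grant"] = guard.grant_access(lee, maria, lee, "payroll-db")
    results["analyst_read"] = guard.read_data(lee, "payroll-db")
    results["high_alerts"] = sum(1 for sev, _ in guard.alerts if sev == "high")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the design is the multi-step barrier the post describes: to reach the data, the intruder's admin account would also need to compromise a security officer's account or convince one to approve a grant, and each blocked step leaves a high-severity alert behind.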

This is not easily done with default identity management systems, but this defense has proven extremely effective with a product like Vormetric Data Security Manager, which we at SwishData believe is a must-have security tool for any enterprise government agency. You can read more about the Next-Gen Security Platform here and register here to attend our webinar on June 4th.