Eliminate the Four Unfair Advantages of APTs

White Paper

Is it too late? Have corporate IT and security teams lost the war with cybercriminals, state-sponsored hackers and other persistent adversaries? This paper looks at a new approach to security, Endpoint Detection and Response, that allows enterprises to take back the initiative by turning some of the methods used by attackers against them.


Can We Possibly Turn the Tables Against Sophisticated Attackers?

Is it too late? Have corporate IT and security teams lost the war with cybercriminals, state-sponsored hackers and other persistent adversaries?

Every week new headlines announce thefts of credit card numbers, personal information and intellectual property from retailers, financial institutions, government agencies, high-tech manufacturers and others. Industry analysts, experts and practitioners are stating that we must learn to live in a world of “continuous compromise” because prevention-centric strategies are “obsolete.”

Even worse, statistics show that attackers can evade detection, not only at the initial time of a breach, but for extended periods. According to the Verizon 2014 Data Breach Investigations Report, 68% of web app attacks take weeks or longer to discover. Unfortunately, in 72% of the cases attackers were able to extricate stolen data in days or less. The survey also reported that only 12% of financially motivated web attacks were discovered by the enterprise under attack (the other 88% were discovered by outside parties such as customers and law enforcement agencies).

Respondents to a Ponemon Institute survey estimated that 35% of all cyber attacks were undetected, and of those that were detected, 38% could take a year to know the root cause.

These are damning figures given the vast sums organizations have invested in information security.

Why is the current record so woeful? This paper will look at four major factors that give persistent attackers “unfair advantages” against corporate information security groups. These include techniques to:

  • Bypass signature-based defenses
  • Press attacks from a single endpoint
  • Evade “sandboxing”
  • Use “low and slow” methods to escape detection for long periods

But it is possible to turn the tables on sophisticated attackers with a more adaptive approach. The key is gaining visibility into the behaviors of attackers on real laptop, workstation and server endpoints, in real networks, then quickly placing those behaviors in context relative to other network, application and security events for security and incident response teams.

The paper will then look at a new approach to security, Endpoint Detection and Response, that allows enterprises to take back the initiative by turning some of the methods used by attackers against them. By combining the right security analytics and Big Data management tools, security analysts and incident response groups can:

  • Identify attacks as they are happening
  • Separate real attacks from “noise”
  • Establish trust in endpoints
  • Prioritize high-risk, persistent threats
  • Respond quickly enough to prevent attackers from damaging the enterprise.

Four Unfair Advantages of APTs

Many of today’s attackers are sophisticated, well funded, and patient. Their attacks can last for weeks or months. Typically they begin with probes to find endpoint systems with vulnerabilities, because endpoints are more numerous and less well defended than applications and systems in the corporate data center. The attacker uses a vulnerability to plant malware on a target system, then uses that malware to execute an attack from within the enterprise’s network. The attacker probes “laterally” to find other systems with valuable information, accesses the data using legitimate credentials captured from compromised systems, moves the data to a staging server, and exfiltrates the data outside of the network to a server controlled by the attacker.

As shown by the statistics from the Verizon report cited earlier, most of the time security teams have no knowledge of the APT process as it plays out within their enterprise, much less visibility into the impact and potential damage.

In pursuing this type of attack, cybercriminals and state-sponsored hackers enjoy four “unfair advantages” over enterprise IT groups.

Techniques to bypass signature-based defenses

Attackers have developed many techniques to bypass information security products that rely on signatures, such as anti-malware packages, next-generation firewalls (NGFWs) and intrusion prevention systems (IPSs). Methods include using encryption and archiving programs to disguise malware, hiding malware in encrypted web traffic (particularly SSL), embedding malware in legitimate applications posted on the web, and creating “polymorphic” malware that retains its core functionality while changing its code just enough to avoid existing signatures.

In addition, many types of sophisticated malware now include functionality to detect and turn off anti-malware packages running on enterprise endpoints.

Ability to press attacks from a single endpoint

Cybercriminals and hackers can launch a complex attack from a single system inside the enterprise network. In contrast, security and IT groups need to defend every PC, laptop, tablet, server and smart phone in the organization. Many of these are controlled by end users who blithely click on unknown email links, download files and apps from untrustworthy web sites, and otherwise unwittingly abet attackers.

This striking asymmetry, on one side the need to compromise only one system, and on the other the requirement to defend thousands, or even hundreds of thousands of devices, has grown into a massive “unfair advantage” for patient attackers over defenders.

The imbalance is exacerbated by the fact that attackers can bypass defenses at the network perimeter, for example by infiltrating and subsequently infecting employees’ laptops at home. Social engineering methods tilt the scale even more in the direction of attackers by providing a seemingly infinite number of ways to reach their targets.

Evading “sandboxing”

“Sandboxing” is a form of behavioral analysis used to detect malware that has bypassed signature-based defenses. As unknown files enter the network, they are placed in an isolated environment and allowed to execute. Suspicious behaviors, such as changing registry entries, turning off anti-malware packages, and searching for passwords, are observed and used to identify probable malware, which in the future is blocked at the perimeter.

Behavioral analysis is a very powerful tool for identifying malware. However, conventional sandboxing products have important constraints that limit their effectiveness: they test files in virtual environments, running on appliances placed at the network perimeter. These constraints have allowed attackers to develop counter-measures to evade sandboxing products.

Some sophisticated malware can detect and disable the sandboxing software itself. Some can detect virtual environments and refuse to “detonate” in them. Others delay execution until they sense mouse movements, clicks in dialog boxes, or other evidence of human users. Still others delay execution for minutes or hours, long enough for the sandboxing product to stop testing and give the file a clean bill of health.

These techniques allow sophisticated malware files to bypass sandboxing tests and pass through to systems on the corporate network, where they can come to life and begin an attack.

Use “low and slow” methods to escape detection

Enterprises use security information and event management (SIEM) systems and network flow monitoring tools to search for patterns that might indicate an attack in progress. These are very effective when impatient attackers show their hand by compromising many endpoints at the same time, or by creating anomalies (e.g., employees accessing servers belonging to other departments, or transferring gigabytes of data outside the network at two o’clock in the morning).

However, SIEM and network flow monitoring tools are handicapped by reliance on log and network flow data, which don’t capture many “compromise indicators” that occur on individual systems. In addition, patient attackers have learned how to spread out their activities, and to string together actions that appear to be legitimate when viewed individually. Limited data and long time horizons make it extremely difficult for log-oriented tools to detect attacks as they are occurring, or even reconstruct attacks after the fact through advanced artifact collection and forensic analysis.

A Different Approach: Endpoint Threat Detection and Response

A new approach to threat detection and response has been maturing in recent years that can defeat the evasion techniques of APTs. Industry analyst firm Gartner calls this approach “endpoint threat detection and response,” or ETDR, while IDC classifies it as a form of “specialized threat analysis and protection,” or STAP.

This section of the paper provides a brief outline of the essentials of endpoint threat detection and response, and the next section describes how it can eliminate the four unfair advantages of APTs described above.

Endpoint threat detection and response technology combines real-time monitoring of potentially threat-related behaviors on endpoints with Big Data analytics tools that provide enterprise-wide scale and correlation of “compromise indicators.”

As implemented by technology leaders like CounterTack, it also has the ability to turn methods used by attackers against them.

CounterTack’s architecture, which combines stealthware-based monitoring capabilities with a Big Data analysis cluster, fits into the “Continuous Response to Endpoint Threats” area of Gartner’s chart in Figure 1 below.

Real-time, continuous data capture on endpoints

A small surveillance module on each system continuously monitors endpoint behaviors, including file, process, registry and network events.

This module operates at the kernel level, so it is invisible to malware and secure from tampering or evasion. This leverages the attackers’ greatest asset – stealth – against them. Every action of the malware on the endpoint is exposed to view, without knowledge of the attacker.

All actions are recorded, not just those that would normally be captured. A driverless kernel module makes such minimal use of system resources that there is no impact on the performance or stability of the endpoint, because there is no user mode presence.

All of this behavioral data is collected at central points, then made available to a real-time, on premise analysis platform.

Threat analysis at scale

The real-time analysis platform is built around a powerful analysis engine that correlates behavioral information from endpoints across the enterprise in order to classify malicious activities and assess the potential impact of each threat.

The platform uses “Big Data” analytics tools to sift through millions of data points in seconds and detect patterns indicating malicious activity, giving teams specific visibility into what activity is actually transpiring on the endpoint – a capability not commercially available in the past.

Detection is aided by the CounterTack Knowledge Library, which contains extensive information on stateful compromise indicators (SCI), malware profiles, attack patterns, and profiles of millions of malware variants.

The analysis platform also includes a robust array of tools to allow security analysts, incident response team members and others to watch attacks unfolding in real time, providing them with information on origins and targets, as well as detailed event streams and event sequences through ‘trace-based analysis.’

An illustration of trace-based analysis is shown in Figure 2. Endpoint monitoring captures an event (opening a file), which causes code to execute, which performs two key events associated with an attack, in this case a type of Trojan.

Not only is this information available very quickly, but it can be correlated with a wide range of other actions across the enterprise, such as attempts to replicate malware to other systems, find servers with confidential information, acquire legitimate credentials from other users, or set up a staging server that can be used to collect files and send them to an external system.

Eliminating the Four Unfair Advantages of APTs

Endpoint threat protection and response solutions combine stealth surveillance of malicious activities with Big Data analytics. By delivering actionable, real-time intelligence and using a knowledge base of compromise indicators to highlight high-risk activities, these tools help organizations make better security decisions and focus on the most serious threats.

They also help enterprises eliminate the four unfair advantages of APTs.

Stealthy attack detection without signatures

Endpoint threat detection and response solutions cannot be evaded by encrypted, concealed or polymorphic malware, because they do not rely on signatures to detect malware. This is critical given the proliferation of malware creation tools that allow even novice attackers to bypass antivirus packages with the click of a checkbox.

ETDR solutions are difficult to evade, because they identify malware files based on their capabilities and impact on the endpoint, rather than on ‘what they look like’ on the wire. In order to evade an ETDR solution such as CounterTack’s Sentinel, the attacker must fundamentally modify the behavior of the malware. Such modifications are not only costly to the attacker, they are ultimately self-defeating.

Stealth is also critical against sophisticated attackers. Once an endpoint sensor is unmasked it is vulnerable to evasion, misdirection or outright attack. CounterTack’s endpoint monitoring module operates completely within the kernel, at the system service-call level, and includes anti-evasion and anti-tampering technology that misleads attackers. It shows them precisely what they expect to see when they interrogate the memory of a vulnerable endpoint. Even if attackers discovered the existence of the kernel module, they would still lack the means to undermine its integrity. In this manner the kernel module deprives the attacker of the weapon of concealment and puts stealth to work for the enterprise.

Complete coverage of all endpoints

CounterTack’s endpoint surveillance modules are extremely easy to deploy and manage, which makes it practical for an enterprise to monitor comprehensively, at scale. As a result, attackers lose the advantage of finding and exploiting a few endpoints that have not been patched or are otherwise neglected by the IT group.

One of the main reasons that CounterTack’s endpoint modules are so easy to manage is that, because they operate in the kernel, they are completely invisible to end-users and to other software running on the endpoints, including operating systems. There are no issues with users trying to disable the software or with software incompatibilities.

Also, attacks can be monitored and identified no matter what their point of origin in the enterprise, even on systems that were infected at home or on the road and later connected to the corporate network inside the firewall.

Elimination of malware hiding places

As mentioned earlier, some sophisticated malware “hides” from sandboxing appliances by concealing suspicious behaviors in virtual environments, by waiting to detect user actions, or simply by delaying until the sandboxing appliance gives up.

Endpoint threat protection and response tools eliminate the artificiality of sandbox environments. By operating directly on production assets, they eliminate the possibility of “hiding.” In order to achieve its aim on an endpoint malware must act, and as soon as it does its behavior is subject to scrutiny and detection.

Correlate events to detect “low and slow” attacks

SIEM tools are only as effective as the quality of the data provided. Since this data typically comes from logs and network sensors, SIEM systems often lack the kind of information needed to quickly and accurately identify and validate persistent threats. In addition, while SIEM tools offer significant correlation technology, their analysis of behavior is limited to identifying statistical anomalies across isolated events observed by disparate sensors. They are not well suited to analyzing endpoint behavior directly.

As a result, the information accessible to SIEM tools does not provide the context required to identify causal relationships between otherwise inconspicuous events. This makes them particularly susceptible to evasion by knowledgeable attackers who utilize “low and slow” tactics where the components of the attack are spread out over time and across target systems. Even when SIEM systems do manage to identify such tactics, their lack of context means they have no visibility into the impact of the attack on the endpoint or on the enterprise at large.

ETDR solutions that specialize in capturing system behavior on the endpoint offer a much richer set of data, with true context, coupled with real-time analysis. And because ETDR solutions capture the full context of endpoint behavior, they are able to quickly dissect the anatomy of an attack in progress. This allows security analysts to quickly identify, validate and classify attacks that otherwise would not be visible. This enhanced context extends beyond malware execution to expose the attacker’s intentions, allowing analysts to prioritize threats based on their risk to the enterprise.
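The trace-based analysis described earlier (a file open that causes code to execute, which in turn performs the key events of an attack) and the “low and slow” problem described here come down to the same idea: correlate endpoint events by causal process lineage rather than by time window, so that stages spread over days still line up. The following is an added illustration in Python, not CounterTack’s code or data; the event stream, field layout, stage labels and thresholds are all constructed assumptions.

```python
# Constructed endpoint event stream (sample data, not any vendor's format).
# Fields: host, timestamp in seconds, pid, ppid, kind, detail.
EVENTS = [
    ("ws-17", 100,    4100, 900,  "process",  "WINWORD.EXE"),
    ("ws-17", 105,    4100, 900,  "file",     "open:invoice.docm"),
    ("ws-17", 110,    4120, 4100, "process",  "powershell.exe"),
    ("ws-17", 111,    4120, 4100, "file",     "write:C:\\Users\\u\\AppData\\upd.exe"),
    ("ws-17", 400,    4130, 4120, "process",  "upd.exe"),
    ("ws-17", 108000, 4130, 4120, "registry", "set:HKCU\\...\\Run\\upd"),   # ~30 h later
    ("ws-17", 180000, 4130, 4120, "network",  "connect:203.0.113.7:443"),  # ~2 days later
    ("ws-22", 120,    5000, 800,  "process",  "chrome.exe"),               # benign noise
    ("ws-22", 130,    5000, 800,  "network",  "connect:198.51.100.9:443"),
]
OFFICE = {"WINWORD.EXE", "EXCEL.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def stage(kind, detail, parent_name):
    """Label one event as an attack stage, or None if it is unremarkable on its own."""
    if kind == "process" and detail in SCRIPT_HOSTS and parent_name in OFFICE:
        return "office-spawns-script"
    if kind == "file" and detail.startswith("write:") and "AppData" in detail:
        return "drop-in-appdata"
    if kind == "registry" and "\\Run\\" in detail:
        return "run-key-persistence"
    if kind == "network" and detail.startswith("connect:"):
        return "outbound-connect"
    return None

def process_tree(events):
    """(host, pid) -> process name and (host, pid) -> ppid, from process events."""
    names = {(h, pid): d for h, _, pid, _, k, d in events if k == "process"}
    parents = {(h, pid): ppid for h, _, pid, ppid, k, _ in events if k == "process"}
    return names, parents

def lineage(host, pid, parents):
    """Ancestor chain of pid on host, stopping at the first unobserved process."""
    chain = []
    while (host, pid) in parents and (host, pid) not in chain:
        chain.append((host, pid))
        pid = parents[(host, pid)]
    return chain

def trace(events, host, pid, names, parents):
    """Distinct stages on pid's causal lineage, in time order; time gaps are ignored."""
    procs = set(lineage(host, pid, parents))
    stages = []
    for h, _, p, pp, kind, detail in sorted(events, key=lambda e: e[1]):
        s = stage(kind, detail, names.get((h, pp), "")) if (h, p) in procs else None
        if s and s not in stages:
            stages.append(s)
    return stages

def detect(events, min_stages=3):
    """Processes whose lineage accumulates at least min_stages distinct attack stages."""
    names, parents = process_tree(events)
    hits = {}
    for host, pid in names:
        stages = trace(events, host, pid, names, parents)
        if len(stages) >= min_stages:
            hits[(host, pid)] = stages
    return hits
```

A time-window correlation would never join the registry and network events (two days apart) to the document open; walking the process lineage joins them regardless of spacing, while the lone browser connection on ws-22 stays below the threshold.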

The emergence of ETDR solutions does not mean that the end is near for SIEM systems. On the contrary, the two technologies can work together to create a ‘force multiplier’ that makes the entire security infrastructure smarter and more agile. Endpoint threat detection and response solutions can export their real-time contextual data to SIEM solutions that have already been deployed in enterprise SOCs (Security Operations Centers). Their ability to capture detailed, precise endpoint data and share it with other security and aggregation platforms gives SOC operators and incident responders a fuller, more comprehensive view of threats.

Conclusion

Today it seems as if APTs are winning the information security war. Enterprises live in a state of "continuous compromise". They need weeks or months to detect unfolding attacks, and sometimes months or years to determine the root causes of those attacks.

However, endpoint threat protection and response solutions can turn the tables on attackers by providing comprehensive detection, visibility and contextual information across the enterprise. In short, endpoint threat detection and response solutions can eliminate the unfair advantages of persistent attackers and give IT organizations a powerful tool for closing the window on attack activities, identifying and remediating vulnerabilities, and preventing current and future breaches.
