CIOTechOutlook >> Magazine >> July - 2013 issue

Increasing Targeted Cyber Attacks Making Enterprises Move Towards Signature-Less Approach

By

The global cyber security situation has reached a tipping point, where the volume and frequency of attacks penetrating an organization’s perimeter are causing IT administrators around the world to question the effectiveness of their existing security architecture. This is despite organizations deploying traditional signature-based defenses such as firewalls, intrusion prevention, and anti-virus systems, to mention a few. Security technologies considered state-of-the-art three years ago are quickly becoming inadequate given the changes in the cyber threat landscape. As a result, the cyber security industry is being redefined in a big way by new technologies and players.

New Breed of Multi-Stage Cyber Attacks

The biggest change in the cyber-attack model over the last couple of years is indicated by the phenomenal success of the targeted attack. In just the first four months of 2013, attacks have compromised the systems and networks at large banks, a popular social network site and a few well-known technology companies, each of which was targeted and not a victim of a random, widespread attack.

Next-generation threats are complex, cutting across multiple attack vectors to maximize the chances of breaking through network defenses. Multi-vector attacks are typically delivered via the Web or email. They leverage application or operating system vulnerabilities, exploiting the inability of conventional network-protection mechanisms to provide a unified defense. In addition to using multiple vectors, advanced targeted attacks also utilize multiple stages to penetrate a network and then extract the valued information. This makes it far more likely for attacks to go undetected. The five stages of the advanced attack lifecycle are as follows:

Stage 1:

System exploitation: The attack attempts to set up the first stage, and exploits the system using "drive-by attacks" in casual browsing. It's often a blended attack delivered across the Web or email threat vectors, with the email containing malicious URLs.

Stage 2:

Malware executable payloads are downloaded and long-term control established: A single exploit translates into dozens of infections on the same system. With exploitation successful, more malware executables (key loggers, Trojan backdoors, password crackers, and file grabbers) are then downloaded. This means that criminals have now built long-term control mechanisms into the system.

Stage 3:

Malware calls back: As soon as the malware installs, attackers have cracked the first step to establishing a control point from within organizational defenses. Once in place, the malware calls back to criminal servers for further instructions. The malware can also replicate and disguise itself to avoid scans, turn off anti-virus scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. By using callbacks from within the trusted network, malware communications are allowed through the firewall and will penetrate all the different layers of the network.

Stage 4:

Data exfiltration: Data acquired from infected servers is exfiltrated via encrypted files over a commonly allowed protocol, such as FTP or HTTP, to an external compromised server controlled by the criminal.

Stage 5:

Malware spreads laterally: The criminal works to move beyond the single system and establish long-term control within the network. The advanced malware looks for mapped drives on infected laptops and desktops, and can then spread laterally and deeper into network file shares. The malware will conduct reconnaissance: it will map out the network infrastructure, determine key assets, and establish a network foothold on target servers.

