
5 Keys to Preventing Advanced Attacks

February 2013
- 1 -
Overview:
It is no secret that modern information-based attacks have become increasingly sophisticated and common, and
these advanced threats present one of the most important challenges facing network security teams today.
Attackers have learned to customize and modify their malware in order to bypass traditional security controls, and
then use that malware as a control point to orchestrate patient, sophisticated network attacks. As a result, security
teams must adapt and find new security technologies that can identify and even prevent infections from malware
that may never have been seen before in the wild. This paper describes some of the most important criteria to
consider when architecting your defenses against advanced attacks and modern malware.

#1 Find and Block New Malware and Their Variants
Malware is often the key enabler for advanced attacks because it is easily customized, repackaged, and
re-encoded so that it no longer matches any known malware signature or hash value. As a result, security
teams must be able to actively test unknown files to determine whether they are malicious even when a file doesn't
trigger any known signature. Furthermore, malware authors routinely change filenames, domains, and even hash values
to avoid signatures based on these superficial characteristics. A modern malware solution, therefore, must identify
the unique internal identifiers within malware, or it risks an endless treadmill in which it constantly
re-analyzes simple variants of malware it has already seen without ever blocking them.
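To make the treadmill concrete, the following Python example (added here; it is not WildFire's or the paper's own logic) builds three constructed stand-in "binaries": an original, a repacked variant with a new C2 domain, a new drop filename and extra padding, and an unrelated sample that merely reuses the same strings. It then compares an exact SHA-256 match with a simple content fingerprint (Jaccard similarity over 8-byte shingles, used as an illustration of matching on what is inside the file rather than its hash). The seeds, domains, filenames, byte layout and the 0.6 threshold are all assumptions made up for this example.

```python
import hashlib

SHINGLE_LEN = 8          # window size for content shingles
VARIANT_THRESHOLD = 0.6  # Jaccard similarity at or above this => treated as a variant

def build_sample(family_seed: bytes, c2_domain: bytes, dropper_name: bytes,
                 padding: int = 0) -> bytes:
    """Constructed stand-in for an executable (not a real file format): a 2 KiB
    'code' section derived deterministically from family_seed, then an embedded
    config blob (C2 domain and drop filename), then optional zero padding."""
    code = b"".join(
        hashlib.sha256(family_seed + i.to_bytes(2, "big")).digest() for i in range(64)
    )
    config = b"\x00C2=" + c2_domain + b"\x00FILE=" + dropper_name + b"\x00"
    return b"MZ" + code + config + b"\x00" * padding

def sha256_hex(data: bytes) -> str:
    """Exact-match signature: any changed byte gives a different digest."""
    return hashlib.sha256(data).hexdigest()

def shingles(data: bytes, n: int = SHINGLE_LEN) -> set:
    """Set of every n-byte window in data (an order-independent content fingerprint)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two shingle sets: 1.0 identical, 0.0 disjoint."""
    sa, sb = shingles(a), shingles(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)

def is_variant(candidate: bytes, known: bytes,
               threshold: float = VARIANT_THRESHOLD) -> bool:
    return similarity(candidate, known) >= threshold

def classify(candidate: bytes, known_samples: dict) -> str:
    """Return the family name of the best-matching known sample, or 'unknown'."""
    best_name, best_score = "unknown", 0.0
    for name, sample in known_samples.items():
        score = similarity(candidate, sample)
        if score > best_score:
            best_name, best_score = name, score
    return best_name if best_score >= VARIANT_THRESHOLD else "unknown"

# Constructed samples; seeds, domains and filenames are made up for this example.
ORIGINAL = build_sample(b"family-A", b"update.example.com", b"svchost32.exe")
# Same code, repacked: new C2 domain, new drop filename, 96 bytes of padding.
VARIANT = build_sample(b"family-A", b"cdn.example.net", b"winlog.exe", padding=96)
# Different code that happens to reuse the original's domain and filename strings.
UNRELATED = build_sample(b"family-B", b"update.example.com", b"svchost32.exe")

if __name__ == "__main__":
    print("hash match       :", sha256_hex(ORIGINAL) == sha256_hex(VARIANT))
    print("variant score    :", round(similarity(ORIGINAL, VARIANT), 3))
    print("unrelated score  :", round(similarity(ORIGINAL, UNRELATED), 3))
    known = {"family-A": ORIGINAL, "family-B": UNRELATED}
    print("classify variant :", classify(VARIANT, known))
```

Run as a script, the exact hash comparison fails for the repacked variant while the shingle score stays far above the threshold, and the unrelated sample scores near zero despite sharing the domain and filename strings, which is the superficial-characteristics trap the paragraph describes. A production system would use a more robust fingerprint (fuzzy hashes, import tables, unpacked code features, observed behaviour), but the shape of the decision is the same.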

#2 Analyze All Traffic Inside and Out
It is always important to remember that any traffic you aren't analyzing can hurt you, and this is especially true of
advanced attacks. Advanced attacks often use malware to get inside and then carry out further hacking against the
internal network, where IPS and other security measures may not be looking. As a result, it is increasingly
important to inspect internal traffic for threats and anomalies that can reveal an attack. Additionally, attackers have
a variety of techniques at their disposal to hide their activity. For instance, attackers use SSL to keep malware
and command-and-control traffic beyond the prying eyes of security teams. Likewise, malware payloads and
command-and-control traffic very commonly use non-standard ports and custom tunnels to evade
traditional security, along with a variety of proxies, anonymizers and encrypted tunneling applications to further obscure
their communications. If a modern malware solution fails to control these mechanisms, then any subsequent
advanced analysis of malware could easily be for naught, because the attackers simply avoid the solution altogether.
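The practical consequence of this section is that traffic must be classified by what it carries, not by the port it uses, and that internal-to-internal flows deserve the same scrutiny as flows leaving the network. The Python example below (added here, not the paper's or WildFire's logic) identifies the application from the first client bytes of a connection and flags the mismatches the paragraph describes: TLS on a non-standard port, something other than TLS on a TLS port, plaintext HTTP on an unexpected port, and an unidentified protocol between two internal hosts. The flow records, the port lists, the RFC 1918 definition of "internal" and the finding names are all assumptions constructed for this example.

```python
from ipaddress import ip_address, ip_network

# "Internal" for this example means RFC 1918 space (assumption; adjust per site).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
TLS_PORTS = {443, 8443}   # ports where a TLS handshake is expected (assumption)
HTTP_PORTS = {80, 8080}   # ports where plaintext HTTP is expected (assumption)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03 0x01..0x03,
    2-byte record length, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (0x01, 0x02, 0x03) and payload[5] == 0x01)

def looks_like_http(payload: bytes) -> bool:
    return payload.startswith(HTTP_METHODS)

def identify_app(payload: bytes) -> str:
    """Classify a connection from its first client bytes, ignoring the port."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if looks_like_http(payload):
        return "http"
    return "unknown"

def review_flow(flow: dict) -> list:
    """Return the findings for one flow record (empty list means nothing odd)."""
    app = identify_app(flow["payload"])
    findings = []
    if app == "tls" and flow["dport"] not in TLS_PORTS:
        findings.append("tls-on-non-standard-port")
    if app != "tls" and flow["dport"] in TLS_PORTS:
        findings.append("non-tls-on-tls-port")
    if app == "unknown" and is_internal(flow["src"]) and is_internal(flow["dst"]):
        findings.append("unknown-protocol-internal-to-internal")
    if app == "http" and flow["dport"] not in HTTP_PORTS:
        findings.append("http-on-non-standard-port")
    return findings

def review_flows(flows: list) -> dict:
    return {flow["id"]: review_flow(flow) for flow in flows}

# Constructed first-payload bytes (not captured traffic).
TLS_HELLO = bytes.fromhex("160301 00c4 01 0000c0 0303")          # TLS 1.0 record, ClientHello
HTTP_GET = b"GET /update.php HTTP/1.1\r\nHost: update.example.com\r\n\r\n"
CUSTOM_BEACON = b"\x8a\x01\x00\x10beacon\x00"                   # made-up binary C2 framing

# Constructed flow records; 203.0.113.0/24 is documentation space standing in for the Internet.
SAMPLE_FLOWS = [
    {"id": "f1", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,  "payload": TLS_HELLO},
    {"id": "f2", "src": "10.0.0.5", "dst": "203.0.113.20", "dport": 8088, "payload": TLS_HELLO},
    {"id": "f3", "src": "10.0.0.5", "dst": "203.0.113.30", "dport": 443,  "payload": CUSTOM_BEACON},
    {"id": "f4", "src": "10.0.0.5", "dst": "10.0.0.9",     "dport": 4444, "payload": CUSTOM_BEACON},
    {"id": "f5", "src": "10.0.0.5", "dst": "203.0.113.40", "dport": 80,   "payload": HTTP_GET},
    {"id": "f6", "src": "10.0.0.5", "dst": "203.0.113.50", "dport": 443,  "payload": HTTP_GET},
]

if __name__ == "__main__":
    for flow_id, findings in review_flows(SAMPLE_FLOWS).items():
        print(flow_id, findings or "ok")
```

Only f1 and f5 come back clean: f2 is TLS hidden on 8088, f3 is a custom protocol wearing port 443, f4 is the same beacon between two internal hosts, and f6 is plaintext HTTP on 443. The check reads only the first client bytes, so it says nothing about what is carried inside a legitimate-looking TLS session or tunnel; that is exactly why the paragraph argues for controlling SSL and tunneling applications rather than trusting the port.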

#3 Employ True In-line Enforcement of All Traffic
In order for security solutions to do their job, they have to be deployed in line so that they can
directly block risks and threats in the traffic. This is true of all major security solutions that provide
enforcement, including firewalls, IPS products and even web proxies, and it is particularly true for solutions that
control modern malware and advanced attacks. Since these attacks are by definition typically unknown at the time
of the attack, you have to monitor all network traffic for them. Likewise, when blocking malware and
malware traffic, it is critical that enforcement be in line and able to truly drop malicious traffic rather than
relying on other mechanisms such as TCP resets. A malware download is often very small, which can easily produce a race
condition in which the malware is delivered before the reset takes effect. TCP resets are equally unreliable
for controlling malware communications, since both endpoints are malicious and can simply
ignore or filter the reset segments. As a result, it is imperative that modern malware solutions be judged by the same
block-rate, performance, and reliability standards as all other established security solutions.

#4 Adapt Quickly to New Malware Techniques
Much as attackers are always changing the signatures of their malware, they are also always updating their
tactics to avoid analysis and detection. Now that active analysis of malware has become increasingly common,
malware authors have accelerated the development of anti-analysis and virtual-machine detection
techniques to prevent their malware from being observed. Modern malware solutions therefore must be flexible
and easily updated in order to keep pace with these evolving techniques. However, this is considerably more
challenging than simply updating signatures in a traditional security solution. Anti-analysis techniques often target
the virtual OS or host, or introduce new hooking techniques that require changes to the virtual environment itself.
Without the ability to easily update its internal logic, a modern malware solution can quickly regress to a static piece
of security attempting to control a far more dynamic threat.



#5 Do All the Above at Scale
In addition to evaluating the standard scalability aspects of a security solution, such as throughput, sessions and
latency, security teams must also analyze the scalability of the virtual environment itself. It is important to
remember that every unknown file that requires active analysis will in turn require one or more virtualized
systems in which the file can be executed and analyzed. In a production network, this can require a large number of virtual
systems, which can easily overwhelm local hardware depending on the traffic being analyzed. This leads
to a problem that is significantly bigger than simple hardware sizing and cost. If virtual analysis is limited
to local hardware, then attackers can simply overwhelm the solution with files to analyze, allowing malicious
files to slip through.


Learn more about WildFire and how you can begin protecting your network from modern malware today.

http://www.paloaltonetworks.com/products/technologies/wildfire-analysis.html
