Are there ways to catch sophisticated malware that hides in trusted processes and services? Deb Radcliff finds out.

Despite their investments in endpoint security systems, organizations are waking up to the ugly truth that they are nearly blind when it comes to advanced attacks and malware lurking in their networks. 

“The million-dollar question is: ‘How do you know if you have an advanced threat in your network’?” asks Doug Powell, chair of the critical infrastructure working group for ASIS, an international alliance of security professionals with 38,000 members, and manager of security, privacy and safety at Vancouver, British Columbia-based BC Hydro, which operates 31 hydroelectric facilities and three thermal generating plants. 

In a February report by NSS Labs, 69 percent of the leading intrusion prevention systems (IPS) and network gateway firewalls tested failed to detect the top three exploits thrown at them; in most cases, multiple devices failed to protect against a single exploit. Another survey, released in February by SafeNet, found that 95 percent of the 230 security professionals polled continue making the same investments, even though 35 percent of them believe those investments are going into the wrong technologies.

“All your garden variety of controls and sensors are not going to catch today’s advanced, evasive threats,” says Steve Hanna, distinguished engineer with Juniper Networks, a Sunnyvale, Calif.-based manufacturer of networking equipment, and co-chair of the Trusted Computing Group’s Trusted Network Connect Group. “Look at Stuxnet, Flame or Aurora,” he says. “Even security products are vulnerable to advanced toolkits like these.”

What it comes down to, says Powell, is connecting the right architectures and processes to capture incidents with more sophisticated, real-time data analysis. 

“You can’t just rely on your IPS and your security information and event management (SIEM) solutions to catch advanced attacks occurring somewhere in your network,” says Powell. “You need to know the value of your assets, the motivation of the attacker and, as importantly, you need to know how to interpret data for signs of trouble, while filtering out data that is just background noise.”

All in the details

With advanced attacks, the differences between benign and malicious activity are so minute that most of the security software running on networks and endpoints today cannot capture the small details needed to connect the dots and establish that behavior is malicious, says Darren Hayes, computer information systems program chair and assistant professor at Pace University's Seidenberg School of Computer Science and Information Systems in New York.

“The differences that an investigator must pick up on are so slight,” he says. “There was a case in which a company had been owned for five years without its knowledge. Once alerted by the FBI to the breach, forensic investigators found the evidence hiding in Dynamic Link Library, or DLL, files associated with the company’s Windows machines.”

The dropped-in DLL files looked legitimate, so detection tools did not flag them, he adds. The tipoff was that the files carried version information that did not match the version the Windows system should have been using. That version discrepancy was the smoking gun needed to track down and remediate the affected devices and applications.
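One way to turn the version tell Hayes describes into a routine check is shown below. This is an added example, not code from the article, Pace University or any vendor quoted in it. It sweeps the Windows system directories (or, with -Loaded, every DLL currently mapped into a running process) and reports files whose version resource does not carry the installed OS build number, or whose Authenticode signature fails to verify or does not chain to Microsoft. It assumes it runs elevated on Windows 8 / Server 2012 or later, so that catalog-signed system files verify, and it assumes that Microsoft-shipped DLLs report the OS build in their file version; that holds for most but not all of them, and third-party DLLs will also surface, so treat the output as review candidates rather than verdicts.

```powershell
# Added example (not from the article or from any vendor it quotes): sweep Windows
# DLLs for two tells, a file version that does not match the installed build and a
# signature that does not verify or does not chain to Microsoft.
# Assumptions: runs elevated on Windows 8 / Server 2012 or later; Microsoft-shipped
# DLLs carry the OS build number in their file version (true for most, not all).
[CmdletBinding()]
param(
    # Directories to sweep when -Loaded is not given.
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
    # Instead of directories, check every DLL currently mapped into a running process.
    [switch]$Loaded
)

# Build number the installed OS reports, e.g. 19041 for Windows 10 version 2004.
$osBuild = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

function Test-SystemDll {
    param([System.IO.FileInfo]$File)

    $vi      = $File.VersionInfo
    $sig     = Get-AuthenticodeSignature -FilePath $File.FullName
    $reasons = @()

    # Tell 1: the Authenticode signature must verify and chain to Microsoft.
    # Unsigned files have no SignerCertificate, so the Status check comes first.
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $reasons += "signed by '$($sig.SignerCertificate.Subject)'"
    }

    # Tell 2: the build field of the version resource should match the OS build.
    # FileBuildPart is the third component of e.g. 10.0.19041.1; a system DLL with
    # no VS_VERSIONINFO resource at all is unusual enough to report on its own.
    if (-not $vi.FileVersion) {
        $reasons += 'no version resource'
    } elseif ($vi.FileBuildPart -ne $osBuild) {
        $reasons += "file build $($vi.FileBuildPart) differs from OS build $osBuild"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Path        = $File.FullName
            FileVersion = $vi.FileVersion
            Signer      = $sig.SignerCertificate.Subject
            Reasons     = $reasons -join '; '
        }
    }
}

$files = if ($Loaded) {
    # Reading Modules of protected or other-bitness processes throws; skip those
    # rather than abort the whole sweep.
    Get-Process | ForEach-Object { try { $_.Modules } catch { } } |
        ForEach-Object FileName |
        Where-Object { $_ -like '*.dll' } |
        Sort-Object -Unique |
        ForEach-Object { Get-Item -LiteralPath $_ -ErrorAction SilentlyContinue }
} else {
    foreach ($p in $Paths) {
        Get-ChildItem -LiteralPath $p -Filter *.dll -File -ErrorAction SilentlyContinue
    }
}

# Emit one row per DLL that tripped at least one tell.
$files | ForEach-Object { Test-SystemDll -File $_ } |
    Sort-Object Reasons, Path |
    Format-Table -AutoSize -Wrap
```

Running it against System32 takes minutes because every file's signature is verified, and the first pass on a clean reference image will show which legitimate DLLs (third-party components, Microsoft files built from other branches) the build comparison flags; those become the baseline to diff against, so that a planted DLL with a foreign build number or a non-Microsoft signer stands out on the next run instead of being buried in known noise.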

However, had it not been for an outside agency alerting the company to the problem, its network could have remained owned indefinitely. Indeed, according to a Ponemon survey of 3,529 IT and security professionals, it takes an average of 80 days to detect an advanced attack in the network and another 123 days to resolve the compromise.

In other words, simply knowing there is a problem, so that an investigation can begin, remains the biggest obstacle, and it calls for highly specialized skills to know where to look for signs of trouble within approved operations and traffic.

It is equally important to determine the value of internal systems and data in order to understand the motivation of the attacker, says Rick Holland, senior analyst with Forrester, a New York-based global research and advisory firm. Thinking like the bad guys will help organizations understand how advanced attackers will try to penetrate systems, what data they would want to siphon out, and where they might attempt to hide.

“Ideally, organizations should be able to plug in tactics, techniques and procedures of the bad guys, and search their environment for these indicators,” Holland says. “This should be as easy as reaching out for a menu option of threat intelligence shared securely among peers.”

These details should cross the boundaries between physical and technical operations, adds Powell.

Share the knowledge

The exchange of attack information among peer organizations is key, says the CISO of a large high-tech information security company and a member of the Bay Area CSO Council, based in Los Gatos, Calif. The CISO asked not to be identified for this article. 

Participation is small at the CSO Council – limited to 30 – but those members are powerful in the software community. “Members of the CSO Council share these attack intelligence signatures internally so we can see if we’ve been compromised collectively or independently,” he says. “We need data that can point to what the signs were and what the objective of the attack is.”

Members of the council have the deep resources to gather attack information and create their own intelligence profiles, build filters for their systems, hire forensic experts to investigate potential events and follow through with remediation. 

However, Mike Cloppert, security intelligence analyst for Lockheed Martin, the Bethesda, Md.-based defense contractor, says small and midsize organizations are not so well staffed, nor could they afford to be. These will be the first organizations to demand automation of threat intelligence information. Forensic services vendors, for example, are beginning to package their collective knowledge as “security intelligence.”

Applying intelligence to data analysis is critical in a world where attackers are outsmarting layers of security, says Sean Bodmer, chief researcher of CounterTack, a Waltham, Mass.-based security intelligence firm.

“If you can’t look at the data from the right perspective at the right moment, then what you’re left with is a bunch of detection information going into a SIEM bullpen for someone to go search it,” Bodmer says. “That is the detection gap right there.”