Suspect everything: Advanced threats in the network

Are there ways to catch sophisticated malware that hides in trusted processes and services? Deb Radcliff finds out.

Despite their investments in endpoint security systems, organizations are waking up to the ugly truth that they are nearly blind when it comes to advanced attacks and malware lurking in their networks. 

“The million-dollar question is: ‘How do you know if you have an advanced threat in your network'?” asks Doug Powell, chair of the critical infrastructure working group for ASIS, an international alliance of security professionals with 38,000 members, and manager of security, privacy and safety at Vancouver, British Columbia-based BC Hydro, which operates 31 hydroelectric facilities and three thermal generating plants. 

In a February report by NSS Labs, 69 percent of the leading intrusion prevention system (IPS) and network gateway firewalls failed to detect the top three exploits thrown at them; in most cases, multiple devices failed to protect against the same exploit. Another survey, released in February by SafeNet, found that 95 percent of the 230 security professionals polled continue making the same investments, even though 35 percent of them believe those investments are going to the wrong technologies.

“All your garden variety of controls and sensors are not going to catch today's advanced, evasive threats,” says Steve Hanna, distinguished engineer with Juniper Networks, a Sunnyvale, Calif.-based manufacturer of networking equipment, and co-chair of the Trusted Computing Group's Trusted Network Connect Group. “Look at Stuxnet, Flame or Aurora,” he says. “Even security products are vulnerable to advanced toolkits like these.”

What it comes down to, says Powell, is connecting the right architectures and processes to capture incidents with more sophisticated, real-time data analysis. 

“You can't just rely on your IPS and your security information and event management (SIEM) solutions to catch advanced attacks occurring somewhere in your network,” says Powell. “You need to know the value of your assets, the motivation of the attacker and, as importantly, you need to know how to interpret data for signs of trouble, while filtering out data that is just background noise.”

All in the details

With advanced attacks, the differences between good and bad activity are so minute that the small details needed to connect the dots and determine malicious behavior cannot be captured by most of the security software running on networks and endpoints today, says Darren Hayes, computer information systems program chair and assistant professor at Pace University's Seidenberg School of Computer Science and Information Systems in New York.

“The differences that an investigator must pick up on are so slight,” he says. “There was a case in which a company had been owned for five years without its knowledge. Once alerted by the FBI to the breach, forensic investigators found the evidence hiding in Dynamic Link Library, or DLL, files associated with the company's Windows machines.”

The dropped-in DLL files looked legitimate, so detection tools couldn't catch them, he adds. The tipoff was that the files carried the wrong version for the Windows release the systems should have been running. That version discrepancy was the smoking gun needed to track and remediate the affected devices and applications.
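The version-discrepancy check Hayes describes can be turned into a repeatable triage step. The script below is an added example, not code from the article or from any organization or vendor it mentions. It assumes a collector has already produced an inventory of DLLs with their version-resource fields and signature status (the record fields and the sample records are constructed for this example), and it flags three things a practitioner would look at: a DLL in a system directory claiming to be Microsoft's but carrying a version from a different Windows release than the host reports, a DLL that claims Microsoft as its company but is unsigned, and a DLL elsewhere on disk that shares its name with a system DLL (the pattern used in search-order hijacking).

```python
"""Triage a DLL inventory for version and location anomalies.

Added example, not from the article. The article describes dropped-in DLLs whose
version did not match what the Windows system should have been running; this
shows one way to make that observation a repeatable check. All records below are
CONSTRUCTED sample data, and the field names are this example's own.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class DllRecord:
    path: str
    file_version: str  # FileVersion from VS_VERSIONINFO, e.g. "10.0.19041.1023"
    company: str       # CompanyName from the version resource
    signed: bool       # Authenticode signature verified by the collector


# Constructed: the OS version the host reports (Windows 10 style numbering).
HOST_OS_VERSION = "10.0.19041"

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Constructed inventory. netapi32.dll carries a Windows 7 (6.1.7601) version on a
# Windows 10 host; version.dll under Program Files shadows the real system DLL.
SAMPLE_INVENTORY = [
    DllRecord(r"C:\Windows\System32\kernel32.dll", "10.0.19041.1023", "Microsoft Corporation", True),
    DllRecord(r"C:\Windows\System32\netapi32.dll", "6.1.7601.17514", "Microsoft Corporation", True),
    DllRecord(r"C:\Windows\System32\version.dll", "10.0.19041.546", "Microsoft Corporation", True),
    DllRecord(r"C:\Program Files\Acme\app\version.dll", "10.0.19041.1", "Microsoft Corporation", False),
    DllRecord(r"C:\Program Files\Acme\app\acme_core.dll", "3.2.0.0", "Acme Software", True),
]


def parse_version(v: str) -> tuple:
    """'10.0.19041.1023' -> (10, 0, 19041, 1023). Stops at the first non-numeric part."""
    parts = []
    for piece in v.replace(",", ".").split("."):
        piece = piece.strip()
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def triage(records, os_version: str = HOST_OS_VERSION) -> dict:
    """Return {path: [reasons]} for every record that looks out of place.

    The version comparison is a heuristic: most Windows system DLLs share the
    OS's major.minor.build, but some shipped components legitimately differ, so
    a hit is a lead for an investigator, not proof of compromise.
    """
    os_tuple = parse_version(os_version)[:3]

    # Names of DLLs that live in a system directory, so same-name copies
    # elsewhere on disk can be spotted.
    system_names = {
        PureWindowsPath(r.path).name.lower()
        for r in records
        if str(PureWindowsPath(r.path).parent).lower() in SYSTEM_DIRS
    }

    findings = {}
    for r in records:
        p = PureWindowsPath(r.path)
        name = p.name.lower()
        in_system_dir = str(p.parent).lower() in SYSTEM_DIRS
        claims_microsoft = "microsoft" in r.company.lower()
        ver = parse_version(r.file_version)
        reasons = []

        if in_system_dir and claims_microsoft and ver[:3] != os_tuple:
            reasons.append(f"version {r.file_version} does not match host OS {os_version}")
        if claims_microsoft and not r.signed:
            reasons.append("claims Microsoft as company but has no valid signature")
        if not in_system_dir and name in system_names:
            reasons.append(f"shares name with system DLL {name} but sits outside a system directory")

        if reasons:
            findings[r.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_INVENTORY).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On a real host the inventory would come from a collector that reads each file's version resource and checks its Authenticode signature; the logic above only consumes that output, so it can run offline over an export taken from a suspect machine. Baselining against a known-good image of the same Windows build is more precise than the OS-version comparison used here, but the heuristic is enough to surface the kind of mismatch Hayes describes.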