The growing challenge of Advanced Persistent Threats

by David Higgins, Regional Director – ANZ, WatchGuard Technologies

In the medical world, there's a raging battle against microbes and bacteria that are evolving and becoming resistant to existing treatments and drugs. The same thing is happening in the world of technology.

When computing first emerged as a powerful business tool, protection from threats required little more than the installation of anti-virus software. These tools efficiently scanned for malicious code and kept systems safe from attack.

But, while antivirus is still vital, it's no longer enough. The threats facing IT infrastructures today are rapidly evolving and require more and more sophisticated responses. Just like the doctor's patients, if organisations fail to remain a step ahead of the threats, they risk falling victim to them.

The rise of Advanced Persistent Threats

The early viruses and worms that targeted IT systems have evolved into something altogether more powerful and problematic. Dubbed Advanced Persistent Threats (APTs), this malware can evade many antivirus barriers and cause significant damage and disruption to IT infrastructures.

APTs use a range of techniques to avoid network and device defences. These include encrypted communication channels, kernel-level rootkits and zero-day vulnerabilities.

As their name suggests, APTs are persistent, meaning they are designed to be stealthy and remain within a target system for an extended period. Some are able to clean up after themselves by deleting logs and use strong encryption to evade discovery by security tools.

The effect of these new and rapidly evolving threats has already been seen around the world. Organisations from small businesses to large multi-national companies have fallen victim with some suffering significant financial losses as a result.

For example, in 2013, retailer Target fell victim to an APT which stole large numbers of customer credit card details. According to business magazine Forbes, Target's sales declined by almost 50 per cent during the final quarter of that year and between 5 and 10 per cent of customers indicated they would never shop there again.

Other high-profile examples include bank JP Morgan Chase, which lost account information on 76 million households and 7 million small businesses, and US health insurance firm Anthem, which had the personal information of 80 million customers compromised during an attack in 2015.

In the same year, hackers also targeted the US Office of Personnel Management (OPM) and obtained sensitive information about employees who had undergone background checks for security clearances. According to reports, more than 21 million records were compromised.

The bottom line is that antivirus tools, though still important, no longer provide sufficient protection against the rising tide of threats.

The sandbox approach

One approach being adopted by many organisations is the use of a sandbox. This involves running suspect code within a secure environment (the sandbox) to check whether or not it represents a threat before allowing it into the IT infrastructure.

However, malware creators are countering this approach by adding capabilities to their code. They can design their malware to 'sleep' during sandbox checks to evade discovery, or to behave differently if it detects that it is running within a virtual machine, something many IT departments use to host their sandboxes.

A smarter approach is therefore required, and this involves the use of an emulator. Emulator software simulates the functionality of another program or piece of hardware. When suspected malware is run within an emulator, it can be tricked into thinking it is not in a sandbox but has, in fact, managed to infect a real system. It will then act normally and be detected by the security tools.

Unfortunately, malware writers continue to evolve their code and some have been able to evade even this emulation approach. Because operating system emulators cannot replicate every call in a real operating system, some malware can spot that things are missing and remain silent and undetectable.

The most effective approach is to undertake full system emulation where the emulator used also simulates physical hardware, including a computer's CPU and memory. This makes it particularly difficult for malware to detect the emulator and more likely that it will become active and be spotted.

Simple detection is not enough

However, while detection of malware is a vital step in ensuring system security, it is not the end of the process. IT teams need to receive clear, actionable information that will alert them to the presence of the problem before any damage occurs.

The teams need to be sent email alerts when harmful files are found and be given a clear indication of why the file is suspected, so that the alert is not dismissed as a false positive.

Such tailored alerts can ensure that remedial action can be undertaken quickly, rather than the threat being lost in a sea of notifications and log files.
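To make the two points above concrete, here is an added example (not code from the article or from WatchGuard) of a toy dynamic-analysis harness. It shows why a sandbox with a fixed analysis budget sees nothing from a sample that 'sleeps' through the check, how hooking the sleep call so that time passes virtually (as an emulator can) keeps the sample under observation, and how the recorded behaviour becomes the list of reasons an actionable alert should carry. The sample, the `Monitor` class and the call names are all constructed for illustration and have no real side effects.

```python
# Added example (not from the article or WatchGuard): a toy analysis harness
# showing why a fixed-budget sandbox misses a sample that "sleeps" through the
# check, and how hooking sleep() to skip time virtually keeps it under
# observation. The sample is a constructed stand-in with no real side effects.
from dataclasses import dataclass, field

@dataclass
class Monitor:
    budget_seconds: float         # how long the sandbox will watch
    accelerate_sleep: bool        # emulator-style hook: skip time virtually
    elapsed: float = 0.0          # simulated wall-clock consumed
    calls: list = field(default_factory=list)

    def sleep(self, seconds):
        """Hooked sleep: recorded either way, but only an unhooked sleep
        burns the analysis budget, as it would on a naive sandbox."""
        self.calls.append(("sleep", seconds))
        if self.accelerate_sleep:
            return                    # sample sees time pass; budget untouched
        self.elapsed += seconds
        if self.elapsed > self.budget_seconds:
            raise TimeoutError        # sandbox gives up before the sample acts

    def api(self, name):
        """Record any other labelled call the sample makes."""
        self.calls.append((name, None))

def stalling_sample(mon):
    """Constructed stand-in: idles long enough to outlast a short
    analysis window, then performs a labelled action."""
    mon.sleep(600)                    # ten minutes of doing nothing
    mon.api("write_startup_entry")    # label only; no real side effect

def analyse(sample, budget_seconds, accelerate_sleep):
    """Return (verdict, reasons); reasons are what an actionable alert should
    carry so the team can see why the file was flagged."""
    mon = Monitor(budget_seconds, accelerate_sleep)
    timed_out = False
    try:
        sample(mon)
    except TimeoutError:
        timed_out = True
    actions = [name for name, _ in mon.calls if name != "sleep"]
    slept = sum(s for name, s in mon.calls if name == "sleep")
    reasons = [f"call observed: {n}" for n in actions]
    if slept >= 60:
        reasons.append(f"stalling: slept {slept:.0f}s during analysis")
    if timed_out:
        reasons.append("analysis budget exhausted while sample was idle")
    return ("malicious" if actions else "no behaviour observed"), reasons
```

Running `analyse(stalling_sample, 120, False)` reproduces the naive sandbox outcome (the budget runs out before anything is seen), while `analyse(stalling_sample, 120, True)` yields a malicious verdict together with the observed call and the stalling behaviour as the alert's explanation.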

Advanced Malware Detection is key

Hacking techniques will continue to evolve and the threats being faced by organisations will become ever more complex. Clearly the security approaches that have been used in the past are no longer sufficient.

The signature-based malware detection that has been widely used in the past is no longer able to cope with the increasingly sophisticated pieces of malware being produced. Antivirus and intrusion prevention systems, while still vital, must be supplemented with new Advanced Persistent Threat detection tools that have four key characteristics:

  • A sandbox capable of full system emulation and with the ability to analyse multiple file types

  • An ability to extend beyond the sandbox and detect different forms of advanced malware

  • Good visibility so IT teams receive clear, actionable alerts of all detected malware and explanations of why it has been identified

  • The capability to proactively take action and block malicious code when it is detected.

Just as is the case for the doctors and medical researchers battling bacteria and viruses, the battle to maintain strong security remains an ongoing challenge for all organisations.

By deploying sophisticated and powerful APT detection tools and gaining effective visibility into their networks, organisations can give themselves the best possible chance of detecting malware before it has a chance to carry out its intentions within their IT infrastructure.