Download Building an in-depth defense with Vectra and sandbox security

yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Buffer overflow protection wikipedia , lookup

Distributed firewall wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Security-focused operating system wikipedia , lookup

Wireless security wikipedia , lookup

Address space layout randomization wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Storm botnet wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Malware wikipedia , lookup

Cross-site scripting wikipedia , lookup

Cyberterrorism wikipedia , lookup

Cyberwarfare wikipedia , lookup

Computer security wikipedia , lookup

Cyberattack wikipedia , lookup

Mobile security wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Solution brief
Building an in-depth defense with
Vectra and sandbox security
Vectra® Networks is a leading innovator in the realtime, automated detection of in-progress cyber
attacks. This solution brief examines how Vectra
complements sandbox security solutions to create an
in-depth defense against advanced persistent attacks.
Security solutions are imperfect by nature. There are hundreds of millions of malware
variants, which make it extremely challenging to protect organizations from advanced
persistent threats (APTs).
A layered defensive approach using complementary technology is very typical. With
each layer being imperfect, you can think of it as a slice of Swiss cheese. Choosing
complementary technologies for each layer ensures that the sum of layers do not have
overlapping holes.
Phases of a cyber attack
An advanced persistent cyber attack is a sequence of stealthy and continuous attack
phases often orchestrated by a person targeting a specific organization. The phases
include command and control, botnet monetization, reconnaissance, lateral movement,
and data exfiltration. These phases require a high degree of covertness over a long
period of time.
The exploit for the initial compromise
A cyber attack starts with the attacker using an exploit. An exploit is a piece of software or a
sequence of commands that takes advantage of a vulnerability of a host computer system.
The exploit enables the attacker to gain control of the host and install malware on it.
In most cases, an employee inadvertently downloads the exploit by visiting a website that
has been compromised by the attacker or by clicking on a link in an email or opening an
attachment that appears legitimate.
Command and control
Once the exploit is downloaded and activated, it will initiate communication with the
command-and-control (C&C) servers that the attacker uses to remotely control each
phase of the cyber attack. The attacker uses the C&C servers to send commands to and
receive responses from hosts under his control as a result of downloading the exploit.
Cyber attacks that are targeted differ from botnet monetization (e.g., ad click fraud,
distributed denial of service) attacks in that the command-and-control servers and
channels of communication will be specific to the target in order to remain undetected.
Botnet monetization attacks use the same command-and-control servers and
communication channels for a large number of infected computers, eventually
enabling security vendors to include them on a reputation list and block them to prevent
future attacks.
Malware installation
Once the attacker has control of a host computer system, malware
is loaded to execute the next phase of the attack. The malware
may be code, scripts, executable content, and other software to
disrupt computer operations and gather sensitive information.
Malware used in an advanced persistent attack is typically modular,
rather than monolithic. The attacker usually loads a piece of malware
Reconnaissance will enable the attacker to identify other hosts in
an effort to get closer to the location of valuable data and provide
relays for accumulating and exfiltrating the data.
Data acquisition and exfiltration
Once the attacker locates the data to steal, one of the infected
hosts may be used to accumulate the data.
to perform a specific task for each phase of the attack. This is often
Data exfiltration is the unauthorized transfer of data to an external
the case because the attacker modifies tactics as new systems and
location that the attacker controls. While the attacker may be
vulnerabilities are discovered in the organization’s network.
in another country, an external server in the same country as
the victim organization will likely be used as the initial waypoint
Botnet monetization
Botnet monetization occurs when the attacker controls a host for
the purposes of making money through internal activities such as
Bitcoin mining or external activities such as advertising click fraud.
The presence of botnet monetization behavior indicates this is not
a targeted attack and allows an organization to focus its time and
attention on higher-priority risks.
Reconnaissance and lateral movement
Once a cyber attack is initiated, the attacker will use
reconnaissance techniques to map out the target network as
a prelude to expanding the footprint of host systems running
malware. The exploit that enabled the attacker to establish an initial
foothold will rarely be at or near the location of the ultimate target
for the stolen data. Because data routinely moves in and out of
networked organizations, data exfiltration can closely resemble
normal network traffic, making detection of exfiltration attempts
challenging for IT security groups. Once the data is out of the
organization, the attacker can move it to servers in other countries
without risking detection.
Using sandboxes to detect a cyber attack
Sandbox security products detect the initial exploit of an attack by
executing e-mail attachments (e.g., exe, PDF) and content in Web
traffic (e.g., JavaScript, XSS), and identify some forms of C&C using
reputation lists. These types of security products focus on the exploit
and initial C&C phases of an attack to stop it before it spreads inside
the organization.
of attack.
Figure 1: The phases of the cyber attack kill chain.
Vectra Networks
Vectra and Sandbox Security
A sandbox can’t detect exploits it doesn’t see. One example is
Complementing sandboxes and
reputation lists
when a user’s device is infected by an exploit while off premise
Vectra offers a network security solution that detects an attack
on a guest Wi-Fi network. The user will literally walk the computer
during the C&C, botnet monetization, reconnaissance, lateral
containing the exploit into the organization. In addition, attackers
movement, and exfiltration phases of a cyber attack. With
have designed armored malware to specifically evade detection
algorithms to detect all phases, Vectra has several opportunities
by remaining stealthy when running in a sandbox.
to detect an ongoing cyber attack and simultaneously reduce the
Inherent sandbox imperfections
False positives occur when an exploit is detected in the sandbox,
rates of false negatives and false positives.
but the exploit fails to install malware on the target computer.
Deploying Vectra with sandbox and reputation security products
The exploit may fail if the vulnerability has been patched, the
offers the highest level of effectiveness for detecting and either
computer is not running the operating system with the exploit
stopping or mitigating a cyber attack. These two solutions give
(e.g., Mac OS rather than Windows) or is missing the software
organizations the broadest visibility into all phases of a cyber attack,
package containing the targeted vulnerability.
the highest detection efficacy and lowest rate of false positives.
Inherent reputation list imperfections
A defense in depth security architecture
Most detections from sandbox security products are reputation
Since security solutions are imperfect by nature, bringing
detections rather than sandbox detections.
together complementary technologies increases the strength
Even signature and reputation databases with the broadest
coverage fail to detect some exploits and generate false positives.
of an organization’s defense. Sandbox and reputation security
solutions can detect an attack at the earliest phase. However,
there are critically important threats that they cannot detect.
Complementing sandbox and reputation security with Vectra
enables organizations to detect attacks at the C&C phase
that may not be detected as well as detect the attack at every
subsequent phase in the event an alert is missed.
Attack Phase
Sandbox Product Capability
Detects exploits by executing e-mail attachments (e.g., exe, PDF)
and content in Web traffic (e.g., JavaScript, XSS).
Command and control
Uses reputation lists to detect infected hosts communicating with
a C&C server.
Ve c t r a N e t w o r k s C a p a b i l i t i e s
Uses algorithms to detect communications between an infected
host and a C&C server.
Botnet monetization
Uses algorithms to detect infected hosts performing internal
monetization (e.g., Bitcoin mining) or external monetization
(e.g., ad click fraud). These are not targeted attacks.
Uses algorithms to detect infected hosts performing
Lateral movement
Uses algorithms to detect infected hosts spreading laterally.
Uses algorithms to detect infected hosts accumulating and
exfiltrating data.
Table 1 illustrates the strengths that both a sandbox security solution and Vectra deliver in an organization’s security architecture.
[email protected] Phone +1 408-326-2020
© 2016 Vectra Networks, Inc. All rights reserved. Vectra, the Vectra Networks logo and Security that thinks are registered trademarks and the Vectra Threat Labs and the Threat Certainty Index are
trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.