Solution brief: Building an in-depth defense with Vectra and sandbox security

Vectra® Networks is a leading innovator in the real-time, automated detection of in-progress cyber attacks. This solution brief examines how Vectra complements sandbox security solutions to create an in-depth defense against advanced persistent attacks.

Security solutions are imperfect by nature. There are hundreds of millions of malware variants, which makes it extremely challenging to protect organizations from advanced persistent threats (APTs). A layered defensive approach using complementary technology is very typical. With each layer being imperfect, you can think of it as a slice of Swiss cheese. Choosing complementary technologies for each layer ensures that the layers do not have overlapping holes.

Phases of a cyber attack

An advanced persistent cyber attack is a sequence of stealthy and continuous attack phases, often orchestrated by a person targeting a specific organization. The phases include command and control, botnet monetization, reconnaissance, lateral movement, and data exfiltration. These phases require a high degree of covertness over a long period of time.

The exploit for the initial compromise

A cyber attack starts with the attacker using an exploit. An exploit is a piece of software or a sequence of commands that takes advantage of a vulnerability in a host computer system. The exploit enables the attacker to gain control of the host and install malware on it. In most cases, an employee inadvertently downloads the exploit by visiting a website that has been compromised by the attacker, or by clicking on a link in an email or opening an attachment that appears legitimate.

Command and control

Once the exploit is downloaded and activated, it will initiate communication with the command-and-control (C&C) servers that the attacker uses to remotely control each phase of the cyber attack. The attacker uses the C&C servers to send commands to and receive responses from hosts under his control as a result of downloading the exploit.

Cyber attacks that are targeted differ from botnet monetization attacks (e.g., ad click fraud, distributed denial of service) in that the command-and-control servers and channels of communication will be specific to the target in order to remain undetected. Botnet monetization attacks use the same command-and-control servers and communication channels for a large number of infected computers, eventually enabling security vendors to include them on a reputation list and block them to prevent future attacks.

Malware installation

Once the attacker has control of a host computer system, malware is loaded to execute the next phase of the attack. The malware may be code, scripts, executable content, and other software to disrupt computer operations and gather sensitive information. Malware used in an advanced persistent attack is typically modular rather than monolithic. The attacker usually loads a piece of malware to perform a specific task for each phase of the attack. This is often the case because the attacker modifies tactics as new systems and vulnerabilities are discovered in the organization's network.

Botnet monetization

Botnet monetization occurs when the attacker controls a host for the purpose of making money through internal activities such as Bitcoin mining or external activities such as advertising click fraud. The presence of botnet monetization behavior indicates this is not a targeted attack and allows an organization to focus its time and attention on higher-priority risks.

Reconnaissance and lateral movement

Once a cyber attack is initiated, the attacker will use reconnaissance techniques to map out the target network as a prelude to expanding the footprint of host systems running malware. The exploit that enabled the attacker to establish an initial foothold will rarely be at or near the location of the ultimate target for the stolen data. Reconnaissance will enable the attacker to identify other hosts in an effort to get closer to the location of valuable data and provide relays for accumulating and exfiltrating the data.

Data acquisition and exfiltration

Once the attacker locates the data to steal, one of the infected hosts may be used to accumulate the data. Data exfiltration is the unauthorized transfer of data to an external location that the attacker controls. While the attacker may be in another country, an external server in the same country as the victim organization will likely be used as the initial waypoint. Because data routinely moves in and out of networked organizations, data exfiltration can closely resemble normal network traffic, making detection of exfiltration attempts challenging for IT security groups. Once the data is out of the organization, the attacker can move it to servers in other countries without risking detection.

Using sandboxes to detect a cyber attack

Sandbox security products detect the initial exploit of an attack by executing e-mail attachments (e.g., exe, PDF) and content in Web traffic (e.g., JavaScript, XSS), and identify some forms of C&C using reputation lists. These types of security products focus on the exploit and initial C&C phases of an attack to stop it before it spreads inside the organization.

[Figure 1: The phases of the cyber attack kill chain.]

A sandbox can't detect exploits it doesn't see. One example is when a user's device is infected by an exploit while off premise on a guest Wi-Fi network. The user will literally walk the computer containing the exploit into the organization. In addition, attackers have designed armored malware to specifically evade detection by remaining stealthy when running in a sandbox.

Inherent sandbox imperfections

False positives occur when an exploit is detected in the sandbox, but the exploit fails to install malware on the target computer. The exploit may fail if the vulnerability has been patched, if the computer is not running the operating system the exploit targets (e.g., Mac OS rather than Windows), or if it is missing the software package containing the targeted vulnerability.

Inherent reputation list imperfections

Most detections from sandbox security products are reputation detections rather than sandbox detections. Even signature and reputation databases with the broadest coverage fail to detect some exploits and generate false positives.

Complementing sandboxes and reputation lists

Vectra offers a network security solution that detects an attack during the C&C, botnet monetization, reconnaissance, lateral movement, and exfiltration phases of a cyber attack. With algorithms to detect all phases, Vectra has several opportunities to detect an ongoing cyber attack and simultaneously reduce the rates of false negatives and false positives.

Deploying Vectra with sandbox and reputation security products offers the highest level of effectiveness for detecting and either stopping or mitigating a cyber attack. These two solutions give organizations the broadest visibility into all phases of a cyber attack, the highest detection efficacy and the lowest rate of false positives.

A defense in depth security architecture

Since security solutions are imperfect by nature, bringing together complementary technologies increases the strength of an organization's defense. Sandbox and reputation security solutions can detect an attack at the earliest phase. However, there are critically important threats that they cannot detect. Complementing sandbox and reputation security with Vectra enables organizations to detect attacks at the C&C phase that might otherwise be missed, as well as to detect the attack at every subsequent phase in the event an alert is missed.

TABLE 1

Attack phase | Sandbox product capability | Vectra Networks capabilities
Exploit | Detects exploits by executing e-mail attachments (e.g., exe, PDF) and content in Web traffic (e.g., JavaScript, XSS). | (not covered)
Command and control | Uses reputation lists to detect infected hosts communicating with a C&C server. | Uses algorithms to detect communications between an infected host and a C&C server.
Botnet monetization | (not covered) | Uses algorithms to detect infected hosts performing internal monetization (e.g., Bitcoin mining) or external monetization (e.g., ad click fraud). These are not targeted attacks.
Reconnaissance | (not covered) | Uses algorithms to detect infected hosts performing reconnaissance.
Lateral movement | (not covered) | Uses algorithms to detect infected hosts spreading laterally.
Exfiltration | (not covered) | Uses algorithms to detect infected hosts accumulating and exfiltrating data.

Table 1 illustrates the strengths that both a sandbox security solution and Vectra deliver in an organization's security architecture.

Phone +1 408-326-2020, www.vectranetworks.com. © 2016 Vectra Networks, Inc. All rights reserved. Vectra, the Vectra Networks logo and Security that thinks are registered trademarks, and the Vectra Threat Labs and the Threat Certainty Index are trademarks, of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.
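The C&C row of Table 1 contrasts reputation-list detection with algorithmic detection. As an added illustration (not Vectra's code or algorithm), the following runs both a reputation lookup and a simple periodicity (beaconing) heuristic over constructed flow records, where the targeted C&C domain is absent from the list, as the brief's "Inherent reputation list imperfections" section describes. All domain names, host names, timestamps and thresholds are assumptions.

```python
"""Reputation-list lookup versus a beaconing heuristic over constructed
flow records. Illustrative only; not Vectra's detection logic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reputation list: only the widely shared botnet C&C is known.
REPUTATION_LIST = {"known-botnet-cc.example"}

# Constructed flows: (src_host, dst_domain, timestamp_seconds)
FLOWS = (
    # Botnet member: shared C&C domain, already on the reputation list.
    [("host-a", "known-botnet-cc.example", 600 * i) for i in range(8)]
    # Targeted attack: unique domain on no list, beaconing every ~5 min.
    + [("host-b", "cdn-update-7f3a.example", 300 * i + (i % 2)) for i in range(8)]
    # Normal browsing: irregular timing to a legitimate site.
    + [("host-c", "news.example", t) for t in (0, 37, 41, 190, 905, 910, 2400, 2444)]
)

def reputation_hits(flows, reputation):
    """Flag hosts that contacted any destination on the reputation list."""
    return sorted({src for src, dst, _ in flows if dst in reputation})

def beaconing_hosts(flows, min_flows=6, max_cv=0.1):
    """Flag hosts whose connections to one destination are near-periodic:
    the coefficient of variation of inter-arrival gaps is below max_cv."""
    by_pair = defaultdict(list)
    for src, dst, ts in flows:
        by_pair[(src, dst)].append(ts)
    flagged = set()
    for (src, _dst), times in by_pair.items():
        if len(times) < min_flows:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            flagged.add(src)
    return sorted(flagged)

def combined_detections(flows, reputation):
    """Defense in depth: union of both detectors' findings."""
    return sorted(set(reputation_hits(flows, reputation)) | set(beaconing_hosts(flows)))

if __name__ == "__main__":
    print("reputation:", reputation_hits(FLOWS, REPUTATION_LIST))   # host-a only
    print("beaconing: ", beaconing_hosts(FLOWS))                     # host-a, host-b
    print("combined:  ", combined_detections(FLOWS, REPUTATION_LIST))
```

The reputation lookup misses host-b because its C&C domain is unique to the target; the beaconing heuristic flags it from timing alone while leaving the irregular browsing of host-c unflagged.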