In about two weeks, I’ll be participating in the Mid Market CIO Forum in Austin, Texas. Events such as these are vital as they bring IT professionals together in a setting that is intimate enough to get real answers to their unique set of challenges. For cybersecurity practitioners in particular, the market is incredibly confusing. On top of a profusion of various technologies you have a rapidly changing threat landscape where the threat of the day seems to dictate the conversation.
The article below was sent to attendees of the Mid Market Forum, but is relevant to many of us in the security field. Only when asking different questions, moving beyond the standard security discussion, will security practitioners find the set of solutions that meets the specific needs of their business.
This article was previously published on the Boardroom Events blog.
Many times, getting good answers and outcomes depends on asking the right question. Recently, the following question crossed my desk: “What is the best tool for detecting advanced cyberattacks, including fileless attacks?”
Asked like this, the question suggests the only way to protect yourself from advanced attacks is to detect them. But detection has more than its fair share of shortcomings, from false positives and missed attacks to the operational burden of analyzing and investigating alerts and, in the event of a breach, time-consuming remediation or worse.
What if the question was framed differently, something like: “Is there a way to prevent advanced attacks on the endpoint pre-emptively, without prior knowledge of the attack form or type?”
In this model, prevention would come first and detection second. After all, preventing attacks is the real aim of cyber professionals. The reason the question isn’t asked this way is because no practical answer existed for so many years. But technology advances in quantum leaps and questions shouldn’t be limited by past assumptions.
To answer the prevention question, we need to understand the problem. Hackers head for the most vulnerable spots in the network – the endpoints. Up to 80% of attacks happen there, exploiting flaws in applications, browsers and operating systems. The most dangerous cyberattacks are memory-based attacks, accounting for approximately 40% of today’s total.
Cyber-criminals understand that antivirus and other solutions are blind to advanced attacks that execute in memory. And that tools like memory mitigation and whitelisting are impractically complex and burdensome. As a result, they have turned the development of in-memory attacks into a core competency and the foundation of their business.
In-memory attacks work by exploiting a memory resource at some point in the attack cycle. A DLL like kernel32.DLL is but one example. Cyber criminals specialize in designing attacks that exploit in-memory resources in this way because they evade detection tools like AV, static code analysis, and file reputation.
So, if these attacks are evasive and undetectable, how can they be prevented? The most effective approaches disrupt the accepted attacker-defender paradigm. Moving Target Defense, for example, breaks completely away from the malware detection model and reliance on prior knowledge of the malware. It morphs the system runtime environment, making it impossible for the attack to find and exploit the memory resource it is targeting. It turns the attack’s greatest strength, the exploitation of a memory resource, into its greatest weakness.
There are several advantages to this model of prevention: First, it is immune to the attack technique. All attacks must attack a resource and if they can’t find it, they can’t complete the attack.
Links to analysis of several advanced attacks illustrate this:Attack Example: Jaff Ransomware
Second, it is impervious to future attacks. Attackers know how detection tools work and design attacks to evade them. But if the means of preventing the attack don’t involve detection, their new attacks are impotent.
Third, it is simple in execution. There are no signatures, configurations, or rules and no exposure to errors of detection (false positives and negatives).
In fact, the issue of simplicity in cybersecurity warrants its own discussion. There is much talk from experts about baking security into a business, but what about baking business objectives into security models?
Another good question with good answers. More about that next time!