A timely and correct approach to protecting the IT system should be a business foundation for every organization. A careless approach to this field can have grave consequences, and you definitely want to avoid learning that the hard way.
With the growth of ever more advanced and targeted cyber-attacks, there is a demand for more advanced protection of IT systems. Traditional security (antivirus software, e-mail gateways, intrusion detection and prevention systems) is no longer enough to prevent this type of attack. Traditional security relies on pattern recognition against lists of already known threats, but what if a new type of attack appears and the protection does not have that attack's sample in its list?
The first line of defense for every ICT system is usually made up of firewalls, intrusion prevention systems, and web and e-mail gateways. With updated threat lists they will successfully protect the ICT system from all known threats, and some better security tools will even recognize unknown threats, or modified variations of known threats, that target known vulnerabilities.
When we talk about threats, we can divide them into basic and advanced threats. The traditional security tools already mentioned can successfully deal with basic threats, whose variations have been around for many years; these can be separated into three categories: malicious software, malware networks and malicious techniques.
Basic threats
Among basic threats we find various kinds of malicious software such as computer worms, Trojan horses and viruses. Many people do not really know the difference between them and call all of them viruses, but one thing is certain: whatever you call them, you do not want them on your computer, as their primary goal is to inflict damage on it. Then there are malware networks, known as malnets, which are created and maintained by malicious hackers whose only intention is to launch different attacks over a longer period of time.
There are also various malicious techniques such as social engineering, where a malicious person psychologically manipulates users and tries to convince them to perform actions that grant access to their resources or reveal confidential information, with the goal of stealing that information. One of the best-known and most used techniques is phishing. Further dangers hide in various oversights in web applications. For example, common attacks inject commands (SQL, OS, LDAP) to gain access to the database and steal information such as credit card details and passwords.
Advanced threats
Besides the basic threats, the number of advanced ones rises every day. As the name says, advanced threats are much harder to detect, and traditional protection does not have much chance of preventing them.
Advanced persistent threats are multi-vector attacks in which the attacker gains unauthorized network access and remains hidden for a long period of time. The goal of these attacks is usually data theft.
Why is this attack considered an advanced attack, and how is it different from any other "basic" attack in which attackers steal data? The reason is that in this case the attacker uses the whole spectrum of intrusive technologies and techniques, combined with the basic threats already mentioned, across multiple phases while trying to remain hidden, in most cases exploiting unreported vulnerabilities in operating systems and applications.
After the network is breached, the attacker goes "low and slow" to remain hidden for a long period of time; during this period the attacker has specific goals in sight and will be persistent in achieving them.
The most serious threat is the "zero-day" vulnerability. This refers to a cyber-attack that uses a vulnerability in the operating system or an application that is not known to the public; the name comes from the fact that the attack is launched before the public is aware that the vulnerability exists (day zero).
Threats that cause a lot of problems for traditional protection are metamorphic and polymorphic threats. These are cyber-attacks that are altered continuously, so traditional protections based on threat lists are unable to detect them, especially in the case of metamorphic threats, where the malicious code is changed completely.
Blended threats use multiple attack vectors (paths and goals) and multiple types of malicious code to conceal the attack. They combine viruses, computer worms, Trojan horses or any other malicious software with techniques that confuse security analysis, which increases the chance of the attack succeeding.
A classic example of this threat is Conficker and its variations, an aggressive threat that uses multiple channels for spreading and advanced techniques for concealment. Conficker successfully infected millions of computers worldwide. Some of the symptoms of infection are: disabled system security features, disabled automatic backups, deleted restore points, and open connections for receiving instructions from a remote computer controlled by the malicious user.
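To illustrate the point made above about list-based detection versus behaviour, here is an added example (not from the original article and not Symantec's code): a toy hash blocklist misses a byte-altered variant of a sample, while a detector keyed on the infection symptoms listed above flags the affected host. The file contents, hashes, event names and log lines are all constructed, and the "monitoring agent" emitting them is hypothetical.

```python
import hashlib

# Constructed sample "files": the original and a variant whose bytes differ,
# as a polymorphic variant's would, so their hashes no longer match.
ORIGINAL = b"worm-payload :: disable-security ; delete-restore-points ; call-home"
VARIANT = b"worm-payload :: DISABLE-security ; delete-restore-points ; call-home ; pad"

# Hash blocklist built only from the sample that was seen before (constructed).
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}

def signature_detect(content: bytes) -> bool:
    """List-based detection: flags only exact copies of known samples."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_HASHES

# The infection symptoms listed in the article, mapped to the event names a
# hypothetical host-monitoring agent would emit.
SUSPICIOUS_ACTIONS = {
    "security_feature_disabled",
    "backup_disabled",
    "restore_point_deleted",
    "outbound_c2_connection",
}

# Constructed agent log, one "<host> <action>" per line. host-a shows the
# symptom cluster; host-b shows a single, possibly legitimate, admin action.
EVENTS = """\
host-a security_feature_disabled
host-b software_update
host-a restore_point_deleted
host-b backup_disabled
host-a outbound_c2_connection
host-a software_update
""".splitlines()

def behaviour_scores(events) -> dict:
    """Count distinct suspicious actions per host (repeats count once)."""
    seen = {}
    for line in events:
        host, _, action = line.strip().partition(" ")
        seen.setdefault(host, set())
        if action in SUSPICIOUS_ACTIONS:
            seen[host].add(action)
    return {host: len(actions) for host, actions in seen.items()}

def behaviour_detect(events, threshold: int = 2) -> list:
    """Flag hosts showing at least `threshold` distinct symptoms; one symptom
    alone (e.g. an admin disabling backups) is not enough to alert."""
    return sorted(h for h, n in behaviour_scores(events).items() if n >= threshold)
```

Running `signature_detect(VARIANT)` returns False even though the variant behaves identically, whereas `behaviour_detect(EVENTS)` returns `['host-a']` without knowing anything about the file's bytes.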
Lately, a very popular way to make a user's life a living hell is ransomware. It is a type of malicious software that partially or completely limits access to the computer and demands some type of ransom in exchange for restoring normal use of the computer. One of the most infamous types is certainly CryptoLocker, which, when activated, encrypts certain data types on the drives using RSA cryptography.
This malicious software has already infected hundreds of thousands of computers, while its clones and the different variations that keep emerging continue to inflict enormous damage on computer systems, as they are still not addressed seriously enough.
How to defend against advanced threats?
Security protections have traditionally been built as independent, self-standing products that protect the system from known threats, but today, given more sophisticated hacking techniques and advanced threats, that is not enough.
Solutions should work together at different network control points and share information and analyses so that they can adapt and extend protection to cover unknown threats. As hacker attacks become more advanced and sophisticated, security tools must become more advanced as well, which brings us to unified security solutions that can deal with this new type of attack.
One of these solutions is Advanced Threat Protection (ATP) by Symantec, which, assisted by several security technologies, can successfully recognize all of the threats mentioned above with 100 % efficiency.
The Symantec ATP solution is capable of:
- Uncovering advanced threats across endpoints, networks, and e-mail gateways;
- Prioritizing what matters most by giving "advantage" to the threats that are really critical, while filtering out and reducing the number of false alarms and false-positive incidents;
- Removing threats swiftly through one central console.
What exactly is this about, and how does this solution recognize threats so successfully? As already mentioned, ATP monitors all events on every part of the network infrastructure, constantly scanning and reviewing every network point so that nothing goes unnoticed. Everything that happens on the network is scanned by one of the Symantec technologies:
- Symantec Cynic – a cloud-based service that detects advanced threats and unknown malicious code. It works by isolating suspicious files in a sandboxed environment, where Cynic launches the code and analyses its behaviour to determine whether it is malicious or not.
- Symantec Synapse – a technology that correlates data with information from Symantec Endpoint Protection and the Symantec Email Security.cloud solution. A direct result of this approach is a decrease in false-positive incidents, an increase in priority for critical threats and a decrease in priority for already resolved threats;
- Symantec Global Intelligence Network – a service that collects, categorizes and analyses over 10 trillion security events annually and covers the whole world. This means that the ATP solution can easily check the information in that archive and, in a very short time, determine whether a specific file or URL is suspicious or whether there is enough information to conclude that it is safe.
Do I really need this solution?
If you want to be sure that you are secure from the newest and most advanced hacker techniques and technologies, the answer is yes. A timely and correct approach to protecting the IT system should be a business foundation for every organization. A careless approach to this field can have grave consequences for the organization if inadequate investment fails to keep up with fast-growing cyber-threats. Many organizations will sooner or later feel these consequences, and when they do, it is usually too late.
At that point, companies usually start making rash investments in security products that solve the specific issue they encountered, instead of taking a proactive and systematic approach to investment in IT security. Exactly that approach can be achieved with Advanced Threat Protection technologies, a solution that covers the whole organization's network and is effective in protecting against both basic and advanced threats.