Download PDF - Codenomicon

More documents

Recommendations

Info

CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs) 1 Introduction The security landscape is changing: Governments, critical infrastructure providers and defense organizations increasingly rely on the Internet to perform mission-critical operations. At the same time, cyber attacks have become more professional with attackers investing more time and money into creating detection evasion techniques and developing sophisticated, targeted attacks exploiting zero-day vulnerabilities. Zero-day exploits are the biggest threat to security, because there are no defenses against them and the attacks can go unnoticed. Most organizations are not even prepared against popular untargeted malware, not to mention for Advanced Persistent Threats (APTs). They rely largely on signature-based security solutions, which only defend against known threats and require continuous rule updates to even stay up-to-date on cyber attacks. In this paper, we take a two-fold approach to securing networks against APTs. Firstly, we discuss using fuzzing, a robustness testing technique, to discover exploitable zero-day vulnerabilities proactively. Secondly, we present a botnet-inspired system which enables organizations to expand their knowledge of Internet abuse without straining their security resources by better utilizing security information already provided by the security community. By collecting security information from public and private feeds and automatically generating actionable abuse reports organizations can adopt cost-effective processes for detecting malicious activity and mitigating incidents. It is equally important to ensure the security and robustness of critical networks and services and to develop capabilities for detecting attacks at the earliest possible moment. By implementing fuzzing into your software development and procurement processes and having good abuse situation awareness, you can prepare your networks against APTs. 2 Advanced Persistent Threats (APTs) Internet abuse refers to the misuse of the Internet to injure and disturb other users. It is an umbrella term covering cyber crime, hacktivism, attacks by nation-state sponsored adversaries and hobbyist crackers. Different types of internet abuse include unauthorized network access, data theft and corruption, disruptions to normal traffic flow (e.g. DoS and DDoS attacks), the propagation of malware, spamming, phishing and botnets. APT refers to sophisticated Internet abuse performed by highlymotivated and well-resourced groups, such as organized cyber criminals, hostile nation states and hacktivists. These attacks frequently utilize unknown, zero-day vulnerabilities. Zero-day vulnerabilities pose the greatest threat to network security, because there are no defenses for attacks against them [1]. The attacks can go unnoticed and once discovered it takes time to locate the vulnerabilities and to create patches for them [1]. Advanced attacks, like the Stuxnet, can utilize multiple zero-days making them extremely difficult to defend against.
CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs) Preventing Advanced Cyber Attacks Crackers need to find a vulnerability in the protocol implementation in order to devise an attack against a target system [2]. By removing potential zero-day vulnerabilities proactively, you can make it significantly harder for crackers to devise attacks. Thus, the best way to prevent zero-day attacks is to get rid of exploitable vulnerabilities proactively [1]. Fuzzing enables you to find previously unknown, zero-day vulnerabilities by triggering them with unexpected inputs [1]. By incorporating fuzzing best practices into your organization’s development and procurement processes you can improve the security and robustness of your networks. Detecting Advanced Cyber Attacks Not all attacks can be prevented, thus organizations must be able defend against attacks. Organizations commonly rely on signature-based security defenses, such IPS/IDS solutions, vulnerability scanners and firewalls [3]. They are fairly efficient in defending against known attacks. However, they can only detect pieces of malware, for which an identifier, known as a signature, already exists and has been deployed [4]. Advanced attacks exploiting zero-day vulnerabilities can completely bypass these defenses [3]. Automating abuse information collection and processing is key to getting actionable information on incidents in your network. Good abuse situation awareness is key to establishing systematic and efficient processes for responding to cyber incidents. Zero Exposure Limited Exposure Public Exposure 3 Vulnerability Exposure Vulnerabilities are flaws in software or software components in hardware, which enable crackers to exploit a system. Vulnerabilities are not created when a system is being attacked. They are design and implementation errors that are introduced into the code during development [4]. The errors become vulnerabilities once the software is released, and it gets exposed to outside attacks [5]. Security researchers, security companies and hackers discover some of the vulnerabilities, and if they choose to report the findings, they can enable software developers to create patches for the found vulnerabilities [5]. After the patch release the vulnerability becomes public knowledge [5]. No exposure, no publicity Figure 1 categorizes vulnerabilities based on exposure. The exposure of a vulnerability depends firstly on whether the vulnerability can be accessed by outside attackers, and secondly on how public the vulnerability is. During development, new vulnerabilities have zero exposure to attacks: nobody knows that they exist and they cannot be exploited by outsiders [5]. After release the vulnerabilities have limited exposure: they are open to attacks, but the attackers first have to find them [5]. After a patch is released, the exposure is full: the attackers have both the possibility to attack and the information they need [5]. Public exposure can be avoided by deploying patches in a timely manner. In this paper, we focus on techniques used to discover zero-day vulnerabilities with zero-exposure prior to release or implementation and to detect attacks exploiting zero-day vulnerabilities with limi-ted exposure. inside access only Release/ Implementation Patch Release in-and outside access Figure 1: Vulnerability exposure. Based on [5].
Page 1: Codenomicon whitepaper: Proactive C
Page 5 and 6: CODENOMICON WHITEPAPER - Proactive

Download PDF - Codenomicon

Create successful ePaper yourself

Delete template?

Save as template?