Some security professionals believe that a network can be fully protected against advanced persistent threats (APTs) by blocking the transmission of malicious files across the gateway. The truth is that an APT is not a malicious file entering your network; it is a person or group of people pulling out all the stops to gain access to your network and compromise your company.
While detecting malicious files crossing your gateway does afford some level of protection, relying solely on that technology is like hiding under the covers believing that the monsters won't find you. Defense in depth is not a new idea, but it can be overlooked when "the next new thing" is showing off its bells and whistles during a demonstration. No matter how shiny the object, it's important to remember that no single device is a silver bullet that will stop every attacker from getting into your network and stealing sensitive data.
Let's get back on track and consider the claim that protecting a network against incoming malicious files equates to defending against APT attacks. This is simply not true, and the mathematician inside me wants to scream, "the set of all APT attacks contains the set of attacks that deliver malicious files, but the set of attacks that deliver malicious files does not contain the set of all APT attacks; malicious files are only a small subset of the techniques used in advanced persistent threat attacks!" The following example clarifies my point:
An enterprise has put a network anti-virus solution, or file detection and sandbox technology, in place at the gateway and now feels fully protected because all malicious files (more correctly stated: all detected malicious files) are prevented from entering the network. An attacker then decides that he really wants something from this network, such as intellectual property, financial records, or customer data. He sets up shop at a local café and scans the company's public address space, discovering that a web server the company runs is not patched up to date (does this scenario sound familiar?) and is vulnerable to a known exploit against an exposed RPC service that gives him remote access, i.e. a shell on the system. The attacker launches his exploit, compromises the server, and gains administrative access to the machine. Now he simply browses the file system for files of interest and sends them back to his own system. Perhaps he even creates a new administrative user and ensures that the Remote Desktop Service is enabled, so that he never needs to exploit the system again to regain access: he will simply log on as an authorized user.
Nowhere in this scenario did a malicious file pass through the gateway. A network AV system scanning incoming executables, PDFs, Microsoft Office documents, and the like would never have seen this attack. Nor would a list of known command-and-control sites maintained on an IPS, firewall, or network AV device have triggered during the exfiltration phase, since the attacker was operating from a coffee shop's free WiFi, not from a known malicious server.
So, how would an enterprise protect against an attack of this nature? There are many ways to address this particular problem, but most of them treat only the symptom rather than the larger issue: malicious activity is not only the transfer of malicious files. One effective solution is a device that continuously monitors all network traffic for anomalous sessions, judged by the content of the session itself rather than by port number or file type, alongside analysis of file objects for malicious behavior. Look again at the scenario above and notice the glaring indicator of compromise: an interactive command shell running over some arbitrary TCP port and passing through the gateway. A capable network security device should be intelligent enough to recognize that such a session is atypical of a normal enterprise environment and represents a probable compromise, whatever port it happens to use. It should also have the ability to analyze file objects for signs of malicious behavior.
One singularly focused solution will not protect an enterprise from APT attacks or complete compromise. When designing security stacks, organizations need to keep their strategic mission in mind and develop a security implementation (or posture) that makes a best effort at defending against attackers. Only after a robust, layered solution is in place should products providing a single, isolated defense be considered, and then only as supplements to the existing security stack's capabilities.
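The scenario above and the content-based detection it calls for, worked through as an added example (this is not code from the original article or from any product it alludes to). The session payloads, addresses and the reputation list are all constructed for the example; the assumption is that a monitoring device can reassemble TCP sessions and inspect their bytes. It shows the two checks side by side: a command-and-control reputation lookup, which misses the café address, and a port-agnostic content check for shell transcripts, which catches the same shell whether it runs over 4444 or 443.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One reassembled TCP session: both directions of payload, concatenated in order."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Content indicators of an interactive command shell. None of these depends on
# the destination port, on a file type, or on the reputation of the remote address.
SHELL_INDICATORS = {
    "cmd_banner":  re.compile(rb"Microsoft Windows \[Version \d"),        # cmd.exe banner
    "cmd_prompt":  re.compile(rb"(?m)^[A-Za-z]:\\[^\r\n]*>"),             # C:\Windows\system32>
    "id_output":   re.compile(rb"uid=\d+\([^)]*\) gid=\d+"),               # output of `id`
    "unix_prompt": re.compile(rb"(?m)^[a-z_][a-z0-9_-]*@[\w.-]+:[~/][^\r\n]*[#$] "),  # user@host:~$
    "recon_cmd":   re.compile(                                              # typical first commands
        rb"(?m)(?:^|>|[#$] )(?:whoami|net user|net localgroup|reg add|ipconfig|"
        rb"systeminfo|uname -a|cat /etc/passwd)\b"),
}

# Constructed reputation list. The attacker's café address (203.0.113.45) is deliberately absent.
KNOWN_C2 = {"198.51.100.7"}


def shell_indicators(payload: bytes) -> list[str]:
    """Names of every shell indicator present in the session content."""
    return [name for name, rx in SHELL_INDICATORS.items() if rx.search(payload)]


def is_known_bad(ip: str, blocklist: set[str]) -> bool:
    """The reputation check a firewall/IPS would make against a C2 list."""
    return ip in blocklist


def analyze(sessions: list[Session], blocklist: set[str], min_indicators: int = 2):
    """Return (session, reasons) for every session that either check flags.

    Requiring two independent indicators keeps a single pasted prompt in a
    support ticket from firing; an interactive shell on the wire shows several.
    """
    findings = []
    for s in sessions:
        reasons = []
        if is_known_bad(s.src, blocklist) or is_known_bad(s.dst, blocklist):
            reasons.append("known C2 address")
        hits = shell_indicators(s.payload)
        if len(hits) >= min_indicators:
            reasons.append("interactive shell content: " + ", ".join(hits))
        if reasons:
            findings.append((s, reasons))
    return findings


# Constructed sample traffic, not real captures.
SESSIONS = [
    # Ordinary request to the company web server.
    Session("203.0.113.45", "192.0.2.10", 80,
            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"),
    # Administrative SSH from a jump host: only banners are visible on the wire.
    Session("192.0.2.50", "192.0.2.10", 22,
            b"SSH-2.0-OpenSSH_8.9\r\nSSH-2.0-OpenSSH_8.4\r\n"),
    # The article's scenario: a shell from the web server back to the café over an arbitrary port,
    # including the persistence step (new admin user).
    Session("192.0.2.10", "203.0.113.45", 4444,
            b"Microsoft Windows [Version 6.1.7601]\r\nCopyright (c) 2009 Microsoft Corporation.\r\n\r\n"
            b"C:\\Windows\\system32>whoami\r\nnt authority\\system\r\n"
            b"C:\\Windows\\system32>net user svc_backup Passw0rd! /add\r\nThe command completed successfully.\r\n"
            b"C:\\Windows\\system32>net localgroup administrators svc_backup /add\r\n"),
    # The same thing over 443, which a port-based rule would wave through as HTTPS.
    Session("192.0.2.10", "203.0.113.45", 443,
            b"id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n"
            b"root@web01:~# cat /etc/passwd\r\nroot:x:0:0:root:/root:/bin/bash\r\n"),
]


if __name__ == "__main__":
    for s, reasons in analyze(SESSIONS, KNOWN_C2):
        print(f"{s.src} -> {s.dst}:{s.dport}: {'; '.join(reasons)}")
```

Run as a script it reports only the two shell sessions (ports 4444 and 443), and for neither of them is "known C2 address" among the reasons: the reputation list never fires, because the attacker is on a coffee-shop address nobody has seen before. A real device would also need to cope with the attacker wrapping the shell in TLS, at which point the same idea moves to session-shape features (long-lived, interactive, small request/large response) rather than plaintext prompts; the principle that the port tells you nothing is unchanged.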