FEATURE: THREAT ASSESSMENT
Nimble attackers can easily create and hide their exploits in an infinite number of ways. Ammar Enaya, Regional Director – Middle East, Turkey and North Africa at Vectra, says: “The limitations of signatures should be complemented with automated threat management models that continuously learn new attack behaviours and adapt to network changes.”
There’s an alarming cybersecurity gap between the time an attacker evades prevention security at the network perimeter and the time when an organisation discovers that key assets have been stolen or destroyed. This is the attacker dwell time gap, and it is measured in weeks or months for most organisations that are breached.
Attackers have a big advantage in this gap. Traditional, widely embraced approaches to detecting threats – including signatures, reputation lists and blacklists – are inherently reactive, ceding the first-mover advantage to cybercriminals.
The inherent limitations
Signatures have had a good run, especially at detecting large-scale commodity threats like command-and-control communications of botnets, automated crawlers and vulnerability scanners that scour the Internet.
But the signature model is limited and leaves multiple blind spots for a barrage of perilous attacks. Attackers who value stealth over the number of systems they control are finding ways around signatures. Unfortunately, these sophisticated attackers tend to think more strategically and pose a significant risk to organisations.
Understanding the blind spots caused by signatures requires understanding their weaknesses. For one, signatures, reputation lists and blacklists only recognise threats that have been previously seen. This means someone needs to be the first victim, and everyone hopes it’s not them. Detecting threats usually depends on key security applications installed at endpoints and gateways. New threats are caught in virtual sandboxes and new signatures are generated on the fly. The process takes time, and malware can gain a foothold while endpoints and networks are left vulnerable.
Secondly, signatures have no response to attackers that have already penetrated your network, as they live off the land using common protocols and services, not the malware they used to find a way in. Signatures and other Indicators of Compromise won’t help you identify and stop a malicious insider with legitimate access and legitimate tools. Attack behaviours and deviations from normal activity can’t be detected with signatures.
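The contrast drawn above, as an added example that is not part of the article and not Vectra’s product code: a small Python script runs a constructed connection log through a blacklist lookup (the signature model) and through a behavioural check for regular call-home timing. The log lines, process hashes and domains are made up for the illustration, and the beaconing heuristic (a low coefficient of variation across connection intervals to the same destination) is one simple stand-in for the learned behaviour models the text refers to.

```python
"""Blacklist lookup versus a behavioural check on a constructed connection log.

The blacklist fires only on hashes or domains seen before. The behavioural
check looks at timing alone, so it does not need to recognise the binary or
the destination. All data below is constructed for the example; none of the
hashes or domains are real indicators.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reputation feed: what a signature/blacklist model "knows".
KNOWN_BAD_HASHES = {"hash_0001"}
KNOWN_BAD_DOMAINS = {"known-bad.example"}

# Constructed log format: t=<seconds> host=<name> dst=<domain> proc=<hash of process>
LINE_RE = re.compile(r"t=(?P<t>\d+) host=(?P<host>\S+) dst=(?P<dst>\S+) proc=(?P<proc>\S+)")

SAMPLE_LOG = (
    # ws-03 runs a binary whose hash was seen in an earlier incident: the list catches it.
    ["t=10 host=ws-03 dst=known-bad.example proc=hash_0001"]
    # ws-17 runs custom tooling (unlisted hash) that calls an unlisted domain about every 60 s.
    + [f"t={t} host=ws-17 dst=cdn-sync.example proc=hash_9f2c"
       for t in (100, 161, 219, 280, 340, 399)]
    # ws-22 browses irregularly: the same number of connections, but no rhythm.
    + [f"t={t} host=ws-22 dst=news.example proc=hash_7a00"
       for t in (100, 105, 260, 275, 600, 610)]
    # A malformed line, to show the parser skips rather than crashes.
    + ["this line is malformed"]
)


def parse(lines):
    """Turn raw log lines into event dicts, skipping lines that do not match the format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"t": int(m["t"]), "host": m["host"], "dst": m["dst"], "proc": m["proc"]})
    return events


def signature_hits(events):
    """Signature model: flag only events whose hash or domain is already on a list."""
    return [e for e in events if e["proc"] in KNOWN_BAD_HASHES or e["dst"] in KNOWN_BAD_DOMAINS]


def beaconing_pairs(events, min_events=5, max_cv=0.1):
    """Behavioural model: (host, dst) pairs whose connection intervals are nearly constant.

    Periodic call-home traffic is a behaviour. Detecting it needs no prior
    knowledge of the binary or the destination, only a notion of what
    'regular' looks like, here a coefficient of variation at or below max_cv.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["dst"])].append(e["t"])
    flagged = set()
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # too few observations to call anything a rhythm
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.add(pair)
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("signature hits:", [(e["host"], e["dst"]) for e in signature_hits(evs)])
    print("beaconing pairs:", sorted(beaconing_pairs(evs)))
```

Running it shows the two models disagreeing on purpose: the blacklist reports only ws-03, because that is the only hash or domain it has seen before, while the timing check reports only ws-17, whose custom binary and fresh domain appear on no list. Neither check alone covers both cases, which is the complementarity the quoted remark argues for.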
Custom malware also makes its way around signatures. Most malware is unique to the organisation under attack, which means it won’t be caught by signatures. According to
How cyberattackers evade threat signatures – The case for behaviour-based threat detection
34 INTELLIGENTCIO www.intelligentcio.com