System security is a never-ending battle trying to be fought with conventional techniques. Yet the enemy is anything but conventional. They create a fog of war by launching a barrage of low level attacks on a near continuous basis while maintaining a high degree of stealth.

These attackers are not only gaining in sophistication but are increasing through the use of offensive attack weapons that are numerous and affordable. This mercenary like army of attackers operates with stealth and through deception. The elite among them sneak in undetected and quietly roam from within the corporate network searching for targets of opportunity that lay in wait.

The result has been an escalation in arms and defense tactics. As organizations work hard to ensure complete anti-malware coverage on desktops, servers, and at the perimeter, the smartest attackers are looking for techniques completely outside those detected by traditional security tools.

Ultimately, the increase in attacks, particularly by organized groups, means that complacency is not an option. Enterprises must consider alternative approaches to defending their infrastructure and must turn their focus to tools, products and techniques that approach security in new and different ways.

Detecting malware is far from the best approach to avoiding security compromises. Instead, IT managers should think about ways to avoid malware altogether. If it's not on the network, then it doesn't have to be detected and neutralized. Often, the rise in shifting attacks requires re-evaluating traditional security products in a new light.

Following the Attack Sequence to Stop Advanced Threats

Digital Guardian is following the attack sequence to discover and prevent targeted attacks that must exploit at least one attack vector in order to compromise a host. If an attacker discovers a weakness they intend to use to exploit a system, the attacker has to go through a series of well-defined steps to achieve success. The number of steps can vary; it may be three steps or could be seven. It depends on the nature of the attack, but they would have to execute a sequence of steps. What we’re doing is analyzing the system to understand how it is behaving. For example, when binaries execute, do they operate appropriately? When an email attachment is opened, does it spawn a process associated with the application type?

The Initial Phase of an Attack: Exploitation and Entry

The initial phase of an attack begins by exploiting a weakness. The attack vectors for this phase can vary but are generalized into three basic categories:

1. Messaging: a broader category that encompasses the user interacting with any messaging service – for example, email – where a user receives an email that contains a hidden or visible binary, which executes when the user clicks on it.
2. Web-based social engineering: where a user is tricked into clicking on a legitimate-looking URL which in turn triggers code execution using browser or browser-plugin vulnerabilities. More advanced attacks can hide in legitimate traffic without requiring any user interaction and are commonly referred to as waterhole attacks and drive-by downloads.
3. Physical: a user plugging in a USB containing malware, stealing the physical media or the user writing the data directly to removable media and walking out of the building.

Let’s examine an example from the cyber world. If someone were to execute an attack utilizing the most popular entry vector, spear phishing, they would persuade a user to click on a link or open a document that included an embedded macro. That macro is designed to execute a series of commands via PowerShell to beacon out until establishing a secure tunnel with an unknown Command and Control host. From there, the host begins downloading a never-seen-before exploit that executes in memory and begins hijacking processes associated with trusted applications running on your system.

Individually these atomic events mean nothing, but collectively they accurately depict an attack in progress. They allow us to break down the most common and most successful tactics used by targeted attackers.

Indicators are not focused on the specific tools or the malware signatures the attacker uses to accomplish their objectives. By monitoring the execution points and analyzing system behavior we can assess the indicators and process them via a stateful correlation engine to derive differences in the stages of an attack. This allows us to determine if an attacker successfully gains access to the systems – if so, we can infer intent. No advance knowledge of the tools or malware is required – a true zero-day agnostic solution.

Subsequent Phases: Infection and Exfiltration

A successful solution must be able to monitor the system via the many stages of an attack beyond accessing a system via an initial entry vector. The next phase represents the point where the attacker has avoided traditional defenses and is focused on getting malicious code to execute on the host. The attacker then may propagate his whereabouts, elevate his privilege and/or establish a foothold by moving from a memory-based attack to writing to disk. Lastly, the attacker has the option to stage his content for exfiltration. This is the area where visibility and context meet. The Digital Guardian agent resides in the kernel to deliver unfettered visibility into all system and process events while our stateful correlation engine analyzes the sum of all events to determine when a malicious event or attack has occurred.

Finally, as an attack is progressing through these various stages, it’s important to record the activity in order to reassemble an attack timeline. Detecting and containing an attack at the earliest point of identification is of utmost importance. Should an attacker gain access to your systems, it’s critical to detect their activity as early as possible and this requires unparalleled visibility into the activity on the host.

Digital Guardian includes real-time and historic visibility into more than 200+ parameters associated with system activities. This includes: process activity, user-mode and kernel execution events, file system activity, network and registry activity, and user-logon activity. Deep visibility ensures you have all the critical information needed to identify “patient zero” and drastically reduce your overall response time while validating the impact the attack had on your data. Real-time visibility is a key requirement in data-aware security solutions to avoid the risk of missing critical artifacts and to maintain a full narrative of an attack.

The good news for defenders leveraging the Digital Guardian solution is that we not only provide the visibility but the intelligence needed to understand the very nature of the attack. The Digital Guardian solution is intent on classifying sensitive data and protecting it no matter where the attack originates, from inside or outside.

Bridging the Gap between System Security and Data Protection

Our industry has continuously tried to solve the system security problem by employing more resources to address it. We continue to purchase more and more technology only to receive marginal gains in efficacy with each new purchase. Yet, time and time again history has proven this approach will fail as attackers have the advantage and new techniques will be created to circumvent additional controls.

The battlefield has expanded right before our very eyes. Its time we bridge the gap between system and data security and embrace the need to remain data aware. As tools and techniques to overcome endpoint system security continue to evolve, we will require new and better approaches to protect our data from compromise and avoid the risk of data breach. It’s time we embrace a solution that can deliver both system security and data protection from a single platform – we believe that Digital Guardian 7.0 does exactly that. To learn more, download the Digital Guardian Technical Overview or check out our Managed Security Program Datasheet to learn how we can manage the process for you.