The work from home (WFH) transition over this past year has triggered a historic change in how corporations do business. This has also triggered a massive change in the approach of increasingly advanced threat actors looking to take advantage of this WFH shift. Many adversaries now take advantage of new vulnerabilities and convert them into weaponized attacks very easily and very quickly, while the extreme adversaries are now focusing on supply chain and targeted attacks. This combination makes for a very challenging environment for any modern enterprise.
These increasingly advanced threats fall into two categories. Those that are (1) known and easiest to execute broadly and (2) well-funded and planned, which are also the most sophisticated and damaging. In the former, there are known threats and evasive malware. Zero-day attacks are still split between the two categories but with a growing likelihood for a new zero-day to be broadly exploited very quickly. Meanwhile, in the most sophisticated and damaging category are supply chain and targeted attacks.
Just like the name indicates, a zero-day attack happens the same day a new weakness is discovered before a fix is available. Obviously, since the software defect is brand new, standard approaches leave a window between the zero-day disclosure and when a protection or fix is implemented which attackers can leverage.
Fileless and targeted attacks are equally as abhorrent. A fileless attack is a type that doesn’t install malware in a computer, so traditional anti-virus tools are likely to miss it. As for the targeted attack, these particular threat actors – with considerable savvy and resources – go after, track, and compromise a targeted entity’s infrastructure or more recently the supply chain to enable access to many other enterprises. In addition to the sophistication, these attackers maintain obscurity in the networks they target for as long as possible.
These threats continue to get more sophisticated. Moreover, vulnerabilities are increasing. Both dynamics lead to more susceptibility to breaches.
What makes preventing known threats so difficult? The truth is, the basics are simply left uncovered by traditional security solutions, putting the burden on security teams that aren’t properly resourced to identify or patch vulnerabilities to confidently avoid data breaches.
Let’s take a look at traditional network security approaches out there in the industry. They have limited visibility, meaning traffic is often only inspected on certain ports without understanding the context of the traffic. This is the biggest challenge. Poor performance is another challenge. While adding single-function devices to the defensive stack may alleviate certain problems, the fact is, enabling all security functionality on many security controls at the network level can severely impact throughput, resulting in poor performance.
That’s further exacerbated because traditional intrusion prevention or detection systems (IPS/IDS) still use the same defensive strategies they did before the threat landscape evolved.
Need for Holistic Threat Prevention
What is holistic threat prevention? In short, it means you have total visibility and ability to detect unknown threats and quickly change them into known threats, or better yet leverage inline Machine Learning (ML) to detect and prevent new threats immediately. This approach means you have consistent protections and security policies at all locations for your users and resources. So, you have the same level of threat prevention, whether your employees are working from home or at the corporate office or at a coffee shop. Plus, this ensures that data accessed from the data center, from a remote branch office, or from a SaaS service is done securely.
That’s one side of the story. The other, more salient one is that threat prevention goes beyond your run-of-the-mill IPS and into inspecting all threat traffic, regardless of port, protocol or encryption. Then it automatically blocks known vulnerabilities, malware, exploits, spyware and command and control (C2). Modern threat prevention is also increasingly leveraging inline ML techniques to detect and prevent new unknown threats before they can cause damage.
A threat prevention service should be designed to automatically stop vulnerability exploits with IPS capabilities. It should offer in-line malware protection and block outbound C2 traffic. Other services can be combined with IPS capabilities to further protect at every stage of the attack lifecycle, including from both known and unknown threats.
One such service is a cloud-based threat analysis service, like Palo Alto Networks’ WildFire. It’s a highly advanced analysis and prevention engine for evasive zero-day exploits and malware. Other services include URL filtering and DNS security to prevent web-based threats including malicious content and phishing pages.
Let’s now look at vulnerability protection. The National Institute of Standards and Technology (NIST) and National Vulnerability Database (NVD) reported in 2020 that there were over 170k new vulnerabilities. That number is an increase of over 15x from 2016. Your threat prevention service should provide a method to detect and block exploitation of these software vulnerabilities, which are now easily exploitable by threat actors via commodity tools.
Any modern threat prevention solution should include comprehensive vulnerability (exploit and malware) and C2 preventions which in conjunction with core integrated solutions like sandboxing, inline ML based preventions, advanced URL security and DNS security, will intelligently eliminate threats at every phase of the attack.
Why are each of the core threat prevention capabilities important?
Vulnerability protection prevents exploit attempts, evasion techniques, obfuscation attempts, and other known software weaknesses. This should also include protections against brute force attempts such as port scans, buffer overflows, and protocol fragmentation. Antivirus and anti-spyware protection targets specific known malicious families and should be able to identify variants, not just specific malicious files which are easy to modify to avoid hash based signatures.
Command and control protection prevents C2 activity from being used to exfiltrate data, deliver secondary malware payloads, or provide additional instruction for future stages of an attack. Advanced ML based techniques are also required here to keep up with an increasing mobile adversary.
In conclusion, the threat prevention measures discussed here provide a high-level of protection against known threats. However, it’s also important to also consider the operational overhead of managing a network security system. A single and complete platform to connect and secure everything provides consistent protection and experience wherever applications and users reside. That’s on your network, in the cloud, or mobile. Ideally, what you want is a best-in-class network transformation, while being protected against the most sophisticated attackers.