Most traditional security products are built to act based on known threats. The moment they see something that is known to be malicious, they block it. To get past security products that successfully block known threats, attackers are forced to create something that is previously unknown. How do they do it, and what can we do to prevent both known and unknown threats?
Let’s look at a few scenarios:
Recycle the Threat
Recycled threats are considered to be the most cost-effective attack method, which is why attackers often recycle existing threats using previously proven techniques. What makes these recycled threats somewhat “unknown” lies within the limited memory of security products. All security products have limited memory, and security teams choose the most up-to-date threats to protect against, hoping they can block the majority of incoming attacks. If an old threat not tracked by the security product attempts to enter the network, it could bypass the security product because it is not categorized as something seen before.
To protect against these “unknown” recycled threats, it is critical to have access to a threat intelligence memory keeper, these days often placed in an elastic cloud infrastructure capable of scaling to address the volume of threat data. In the event that a security product doesn’t have a particular threat identified and stored, access to the larger knowledge base of threat intelligence could help determine if something is malicious and enable the security product to block it.
Modify Existing Code
This method is somewhat more expensive than recycling threats. Attackers take an existing threat and make slight modifications to the code, either manually or automatically, as the threat actively transitions in the network. This results in polymorphic malware or a polymorphic URL. Like a virus, the malware continuously and automatically morphs and changes rapidly. If a security product identifies the original threat as known and creates a protection for it based on one variation only, any slight change to the code will turn that threat into an unknown. Some security products match threats using hash (#) technology, which generates a number based on a string of text in such a way that it is extremely unlikely that some other text will produce the same hash value. In our context, the hash value only matches one variation of the threat, so any new variation of the threat will be considered new and unknown.
To better protect against this threats security products needs to use smart signatures. Smart signatures are based on the content and patterns of traffic and files, rather than on a hash, and can identify and protect against modifications and variations of a known threat. The focus on the behavior, rather than the appearance of fixed encoding, allows for the detection of patterns in modified malware.
Create a New Threat
Attackers who are more determined and willing to invest the money will create an entirely new threat with purely new code. All aspects of the cyber attack lifecycle have to be new for an attack to truly be considered a previously unknown threat.
Focus on Business Behavior
Protecting against these new threats requires focus on your unique business behavior and data flows. This information can then be implemented into cybersecurity best practices. As an example, leveraging zoning with user ID and application ID, can help prevent new threats from spreading around your organization and block downloads from new, unknown and unclassified websites.
Utilize Collective Intelligence
No single organization will ever initially experience all new threats globally, which is why it is so important to be able to benefit from collective threat intelligence. Targeted attacks with unknown, never-before-seen threats can quickly become known with global information sharing. When a new threat is analyzed and detected in one organization, the newly identified threat information can be distributed across the community, with mitigations deployed a head of time to limit the spread of attacks and their effectiveness globally.
Turning unknown threats into known and actively prevent against them can happen in a combined environment. First, you need to predict the next attack step and location. Second, you need to be able to develop and deliver protection quickly to the enforcement point in order to stop it.
When a truly new threat enters your organization, the first line of defense is having cybersecurity best practices that are specific to the organization. At the same time, you should be sending unknown files and links for analysis. The effectiveness of sandbox analysis is depended on the time it takes to provide an accurate verdict on an unknown threat and the time necessary to create and implement protections across the organization. Your security posture needs to be changed fast enough to block the threat before it has the ability to progress – in other words, as soon as possible. And to ensure that this threat does not further traverse the network, preventions need to be created and implemented automatically across all security products faster than the threat can productively spread.
A recent SANS survey reported that 40 percent of attacks have previously unknown elements. The ability to detect unknown threats and prevent successful attacks defines the effectiveness of your security deployment. A true next-generation security platform is agile, quickly turning unknown threats into known protection and prevention on a global level. Automatically sharing new threat data while extending new protections throughout the organization to stop the spread of an attack. Learn more about the Palo Alto Networks Next-Generation Security Platform.
[Palo Alto Networks Research Center]