Traditional Defensive Security Can't Stop New APTs, Zero-Day Threats

A security vendor warned that firewalls, antivirus, filters and intrusion prevention systems are not enough to stop cyber-attackers from getting into the network.

So long as organizations continue to invest in security products that are defensive, cyber-attackers will continue to successfully breach networks and steal information, warned a security expert.

Organizations have invested in traditional defenses that are "fundamentally reactive" as they rely on known methods of attack, Ashar Aziz, CEO, CTO and founder of FireEye, told eWEEK. The fact that defense contractors Lockheed Martin, L-3 Communications and Northrop Grumman or companies like Dow Chemical and Google are hit by cyber-attacks is not because they "forgot to do something," but because the vulnerability is systemic and pervasive across all organizations, according to Aziz.

Firewalls, antivrus, e-mail filters, Web gateway, intrusion prevention systems and other security products are "obsoleted" by the current threat, because they tend to use unexpected attack vectors or exploit zero-day vulnerabilities. These existing products all require the threat to be analyzed, understood, and a signature, patch or policy created to detect and block future incidents. The "biggest security handicap" is that organizations invested in technology that depends on defensive mechanisms, Aziz said.

"The underlying story is that virtually every organization, whether it's a financial services company, a large company like Google, or a technology company like Juniper Networks, is equally vulnerable to attack," Aziz said.

To illustrate his point, Aziz mentioned two FireEye customers - both defense contractors - who recently deployed FireEye's Malware Protection System "downstream" from their existing security products. Within 24 hours, the MPS had detected a number of threats that had slipped past the other systems, Aziz said.

"Every organization allows Web pages to come in. They don't know which pages are going to attack and which ones are safe," Aziz said.

FireEye MPS creates a virtual execution environment to processes all content that enters the network. As soon as the virtual environment notices suspicious activity, whether it's a new process running, a processing being arbitrarily shut off (such as the antivirus), or some other unexpected change to the environment, the system blocks the malware from continuing to execute. Once detected, MPS logs the events in real-time to track what the malware is doing, such as installing a keylogger. The MPS can work with e-mail to examine all incoming messages and attached files, as well as process Web pages while the user is surfing the web.

Aziz compared letting the Web site or e-mail attachment execute in the virtual environment to sending a canary down into the coal mine. "If the canary dies, there's malware," Aziz said.

Existing security products tend to be reactive to the threat and are incapable of protecting yesterday's threats, not the latest attack. However, attackers are continuously evolving their methods and testing malware against the same security products to ensure they can be bypassed. What organizations need to do is to deploy "second-generation" security tools to "augment" existing security products, Aziz said.

There are more nation-sponsored, advanced persistent threats, but they aren't the only kind of attacks. Cyber-criminal motivated attacks are equally successful in infiltrating and compromising organizations, precisely because they use stealth tactics. Security products fail at "counter-stealth," according to Aziz

Invincea is another company that believes a virtual environment was necessary to trap threats from executing on the network. Unlike FireEye, Invincea just puts the entire user into a "protective bubble" when surfing the Web or opening up a PDF file, said Anup Ghosh, founder and chief scientist of Invincea. The Web browser and PDF reader open in a virtual environment so malicious scripts and programs can't damage the user's computer or spill into the rest of the network, according to Ghosh.

The user has become the primary target for our adversaries, regardless of whether the attacks are launched by cyber-criminals or nation-states, Ghosh said. "Regardless of all the patches applied to technology, one cannot apply a patch to Layer 8- the human brain," said Ghosh. Curious users make mistakes that result in the network getting "pwned" and intellectual property "exfiltrated, " he said.

"So far, the bad guys keep showing they're getting better and smarter and rather than being proactive about potential threats and attacks, the security industry is still reactive," said Ghosh.