It’s been 38 years since the invention of email and today, it is still the number one communication tool in and out of enterprises. While technology, hardware, infrastructure and the internet itself evolved tremendously in the past almost 4 decades, email is the spoiled child of the family that declines to grow up.
Several weeks ago we started a series dedicated to considering APTs (Advanced Persistent Threats) and possible ways to mitigate them. In the first post we strived to define and “contain” the APT as category of threats as the term is abused, and today most all the sophisticated attacks are presented as APTs – the supreme evil.
Working from the definition, we now remain with two aspects:
#1: Advanced – as APTs are sophisticated, out of the range even for organized crime networks – “we are sorry, no botnets or banking trojans allowed”.
#2: Persistent – as we have seen and described, we are talking about organized attackers with myriad resources - the most important being time and patience, until they can reach their objective. A modern characteristic is that they prefer, with few exceptions, the “low and slow” approach; doing “the job” as silently as possible.
The thesis we don’t agree with is that APTs can pass over any antimalware technology. As a matter of fact, the majority of their components have been spotted-out as suspicious files prior to being investigated and detection being added.
This is the second post from a series we thought necessary to dedicate to APTs (Advanced Persistent Threats) and the new wave of security technologies claiming that they replace or complement antimalware solutions to help organizations defeat this new threat.
We see, day after day, real and so-called security experts announcing the newest security apocalypse we face. Claiming that antivirus is a dead technology, they invite you to uninstall it and buy new next-generation technologies that will automatically collect, analyze and detect malicious intentions of attacks or data compromise from the moment they are born in the minds of the bad guys.
Sometimes they come from people more or less familiar with the topic - Is Anti-Virus Scanning/Detection Obsolete? - and you can see that most of the opinions there are not so negative, apart from the classic advertising for some AV brands. Other times they come from specialists in the field, trying to give an opinion or just sell their “stuff”.
In my last blog post I began a conversation about virtual patching. In this post, I’ll further the discussion by talking about why effective virtual patching at the network is so difficult.
The story really begins by considering context, or really, the lack thereof. If a vulnerability exists in an application (a web application, or a browser) there is a certain context associated with the application that is difficult to be aware of at a point outside of the application. The simplest example is a session. A web application may create a session when a user logs-in, destroying the session after a period of inactivity, or when a user logs-out (and when was the last time you logged-out instead of just closing the browser window?).
