Two months since the news of the massive Target breach broke, reports are starting to reveal bits and pieces of how the perpetrators were able to get a foothold inside Target’s point of sale system to steal tens of millions of customer account records. In time, there will be a complete forensic analysis of the breach, with lessons for every IT security professional to take back to their own workplaces.
In the meantime, there is one lesson in security that everyone can take to heart: detecting and preventing (or at least stopping) sophisticated attacks requires a multi-dimensional approach that reaches all corners of an enterprise. It also requires looking outside an enterprise as well as within to understand the broader scope of modern threats.
This is the approach taken by the Israel-based security company Seculert as it moves away from its original offering of analyzing botnets to advanced threat protection as a cloud-based service. Seculert focuses on zero-day attacks, advanced malware, and advanced persistent threats (APTs). According to Seculert, several characteristics set these types of attacks apart from “conventional” malware:
•They are designed to survive or persist over a period of time in order to collect as much information as possible, or in order to avoid detection until they are launched.
•They involve a network of hosts that are controlled by, or report back to, a Command and Control (C&C) server.
•They employ a constantly-changing variety of malware – including polymorphic malware that changes independently – in order to penetrate their targets and replicate.
•They are often targeted at a particular organization, individual or region as opposed to being random and opportunistic.
Threats that possess these characteristics are easily able to evade detection by traditional perimeter security defenses such as firewalls, intrusion detection/prevention systems, and anti-virus/anti-malware solutions. New advanced techniques are needed to supplement and complement the traditional defenses.
Seculert’s security platform is comprised of several core technologies that work together to comprehensively address advanced threats. Let’s have a look at each of these solution components.
Traffic Log Analysis
The first component of the Seculert solution is traffic log analysis which can be performed over an extended period of time and across multiple entities. This is important because threats are networked and typically not isolated to any one company and may occur over days, weeks or months.
Seculert’s traffic log analysis is powered by statistical analysis and Big Data analytics. First the vendor defines a malware profile, which it calls a vector derived from a “learning set” of behaviors. The Elastic Sandbox and Botnet Interception modules (described below) are able to represent a thorough picture of how the malware behaves in a variety of situations, such as uploading data, performing remote access and sending email. Then machine learning algorithms use that profile and other means to analyze the traffic logs and look for anomalous behavior and “outliers” that are only created by malware.
A botnet is a network of compromised devices that are controlled by a series of Command and Control servers. Simple botnet monitoring services provide a list of known C&C servers in order to block them. Attackers are aware of this so they are constantly shifting from one C&C server to another, which forces the need for more sophisticated detection techniques.
Seculert operates a farm of devices that are intentionally infected with malware in order to gain a position inside a botnet. By going into the tiger’s den, Seculert can gather all sorts of intelligence about the botnet, including the transmissions between infected devices and the C&C servers. Seculert uses various techniques to intercept and analyze this traffic, and determine if its customers have any devices that are part of the net.
According to Seculert, the solution can identify users and endpoints up to the machine name, both inside and outside a corporate network, including remote workers and business partners—even those who are using their own devices (BYOD). Customers provide Seculert with keywords or IP address ranges which allows the vendor to search the botnet data for information that correlates with a customer’s network. Seculert acts on this information by updating customer dashboards, sending email alerts, and through an API, informing proxies and firewalls of which users and devices to block.
For example, if an enterprise is using off-network access to allow a remote employee to read his emails from home, and the home device is infected, the malware will send a string of information to the C&C server that is identifiable by Seculert. When Seculert intercepts this string, the security vendor can notify the enterprise that the employee’s home machine is compromised and needs to be remediated.
The Elastic Sandbox
There are plenty of security solutions that use a sandbox to isolate and then execute suspicious code to see what it does. Seculert uses what it calls an elastic sandbox in the cloud to study and profile malware. What makes this sandbox unique is that it has the capability to do long-term analysis over a period of days, not just minutes. This is critical because attacks in the past have used malware that sits idle for days to avoid detection before beginning its nefarious work.
Similar to many threat analysis vendors, such as ThreatGrid and Lastline, Seculert’s sandbox analyzes more than 40,000 new malware samples every day. These samples come from customers who upload suspicious code; from the Log Analysis module; and from partner companies. Seculert studies the malware behavior and uses machine learning algorithms to create malware profiles that are used in the Seculert Traffic Log Analysis and Botnet Interception modules.
Seculert offers integration with existing perimeter security solutions through an API, bolstering their value to an enterprise. The API can be used to:
•Enable an organization’s proxies and firewalls to pull information about Command and Control servers that must be blocked as well as users and endpoints that have been compromised
•Enable a company’s SIEM platform to pull information about users and devices that have been compromised along with deep-dive information for forensics
•Upload suspicious code to the Elastic Sandbox for analysis and receive results in the dashboard
Tying It All Together and Delivering It through the Cloud
The various modules of the Seculert platform are quite powerful on their own. However, the combination of all of Seculert’s technologies working together, along with the sharing of information from multiple organizations and security vendors, increases the benefits.
Seculert describes these benefits in a scenario involving several customers. Suppose that one customer, Acme Corporation, uploads its traffic log files to the Seculert cloud solution for analysis. Big Data analytics identify malware and go back in time within the logs until the original infection is detected. Through the API and the customer’s dashboard, Acme is alerted to the infection and begins blocking and remediating.
The malware that was found is automatically uploaded to the Elastic Sandbox and executed over time until the botnet is detected along with its C&C servers. Botnet Interception is used to read the traffic and identify the users and devices that are infected. Additional remote users at Acme Corporation were found to be infected, and Acme was alerted. But another Seculert customer, Big Anvil Company, also had users and devices in the botnet, and this company also was alerted.
Through the API, Acme and Big Anvil both pull information about the infected users and devices and block their communication to the C&C servers. Both companies undertake the steps to remediate the devices. On an ongoing basis, each company’s dashboard continuously provides information about threat detection as well as deep-dive data for forensic investigations.
All of this is delivered through the cloud as a service, with nothing to install or maintain locally or on premise. It is a simple and cost effective solution that provides full coverage for all sites and users—even remote and guest users and those workers who are using their personally owned devices.