In cyberspace, attackers are honing their skills and using more advanced techniques to silently compromise systems. Advanced threat protection systems offer targets a way to defend themselves against determined intruders. Here’s how.
To understand what advanced threat protection is and why it’s so important, we have to understand advanced persistent threats (APTs). These are attacks in which an intruder gains access to and slowly infects large parts of a network, lurking unseen while stealing valuable data.
Network intrusions aren’t new—hackers have been finding their way into systems for decades—but APTs refine and formalize these techniques with military rigor, using strict methodologies designed for efficiency and stealth. Network defenses must evolve to cope, which is where advanced threat protection comes in.
An advanced attack on a network consists of multiple stages. Just like bullet resistant glass uses multiple layers to slow and hopefully stop a projectile, advanced threat protection presents obstacles at each step. It uses a mixture of defense in depth and enhanced visibility to help thwart attackers by combining protective measures at multiple points in your infrastructure.
The primary stage of an advanced attack involves gaining access to the network. Intruders frequently find their way in by compromising an endpoint. The first component of an advanced threat protection solution is therefore endpoint protection.
Antimalware solutions can help to secure desktop and mobile devices from malicious attachments and links. These can be complemented by network-based email malware scanning systems that stop malicious emails before they even reach a target’s mailbox. In addition, traffic scanners can monitor outbound network connections and block those trying to reach malicious online destinations.
What if an attacker somehow gains control of an endpoint in spite of these measures? Then, the next stage of the attack begins as they move laterally through the network, finding other parts of the infrastructure and infecting those too.
Finally, when intruders have infected as much of the infrastructure as they can, they can execute their attack. This generally involves stealing information and moving it off the target’s systems. It can go on for months or even years.
Network-based defenses can help to spot and block attacker activities during these later phases, too. Traffic scanners can prevent infected endpoints from reaching command and control servers to download an attacker’s instructions and payloads. A network or host intrusion prevention system can also watch the network for indicators of compromise in the form of unusual internal traffic. If it spots a potential threat, it can quarantine any machines that it identifies as a source of compromise.
The smartest intruders are those that fly under the radar, using techniques to obfuscate their attacks. These techniques include fileless malware, which infects computer memory but doesn’t leave telltale artifacts on a hard drive. Attackers may also use legitimate tools such as PowerShell to spread their attacks and steal information without raising the alarm in a technique known as living off the land.
These techniques are difficult to spot, which makes network visibility an important aspect of advanced threat protection. Aggregating and monitoring system logs enables administrators to spot network incidents that may seem innocuous on their own but which ring alarm bells when found together. An advanced threat protection system might also allow administrators to set rules that are triggered by suspicious events such as inappropriate system access or unexpected communications between different systems.
The final component of an advanced threat protection arsenal is outward visibility.
This knowledge comes in the form of threat intelligence. Specialist service providers gather known threat information from across the internet, identifying historical and ongoing threats by examining malicious traffic and logging its sources. This helps companies to understand emergent attack patterns so that they can be prepared for intruders before they begin rattling the doors on their networks.
An advanced threat protection system can significantly reduce your chances of compromise, but companies looking for true defense in depth can and should go still further. User education, antisocial engineering campaigns, and strict information security policies can mitigate the risks even more, as can proper cybersecurity hygiene in the form of regular software patches, application whitelisting, and access protection.
Every extra layer of defense you add to your network will help make you a harder target. In a world where cyberattacks are becoming increasingly intense, defenders need all the help they can get.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.
© 2019 SolarWinds MSP UK Ltd. All rights reserved.