Threat Detection Beyond Two Applications

Imagine this: you wake up tomorrow and realize your security devices are missing nearly 10% of all threats targeting your organization because of a simple assumption. Not only this, but what if this assumption was so pervasive throughout the security industry that it affected nearly every single one of your peers? Accepting the “status quo” is never enough, as it lulls you into a false sense of security, one that adversaries are keenly aware of, and masters at taking advantage of.

Now, let’s set the stage. The assumption is simple: malware and advanced threats stick to two basic attack vectors: Corporate email (SMTP), and Web-browsing (HTTP). When you examine which applications tend to be most active on corporate networks, you will likely find these two at the top of the list. The same holds true for the delivery of threats, as attackers have learned to hide inside these common applications, since they often offer the path of least resistance.

The vast majority of detection technologies have followed a similar path: scan for threats only on Web and SMTP. As an industry, we have invested tremendous resources into these two vectors, building walls and advanced detection techniques, often stacked on top of each other. While protecting Web and Email is incredibly important, a very old phrase springs to mind, “You’re missing the forest for the trees.” This approach inherently relies on threats only traveling over these two applications, but there is so much more to the story today:

• Traditional security solutions only have the ability to detect threats on two of the hundreds of applications organizations use during the daily course of business, which include popular applications across file-sharing, remote desktop, file-transfer, social media, and many other categories.

• Threats can use any application as an entry point into the network, and are not constrained to just Web and corporate email.

• Advanced threats typically establish a foothold on the endpoint using more traditional means such as Web and corporate email, but often use different applications, across non-standard ports, to deliver secondary payloads.

• Once inside the network, threats will pivot laterally using many different applications, and rely on command-and-control communication to direct their efforts.

I recently had the opportunity to review intelligence on unknown threats delivered to a group of more than 4,200 global enterprise organizations. Keep in mind, these are threats that have never been seen before, and many would have passed through traditional anti-malware technologies, so they represent the most dangerous category of malware. The findings speak for themselves:

• 82.5% of threats come in over SMTP/Port 25

• 9% arrive via Web-browsing/Port 80

• 9.5% are detected over 44 different applications, using a variety of ports. Within that 9.5%, some common sources emerge: POP3, IMAP, FTP, the Google Play and Apple App stores, among many others.

Now we can come back to the original question, “What would you do if your current security solutions were missing nearly 10% of threats?” I would argue that as we rapidly move toward 2015, security organizations should consider a few critical steps to better protect their networks in the New Year:

• Assess your risk posture by evaluating the number and type of applications being used on your network.

• Establish a baseline for which applications should be used by specific groups of users to conduct business, enabling these, and blocking all others.

• Build into your security policy the fundamental premise that any application can be used to deliver threats, whether they are known or unknown.

• Choose security technologies that have the ability to detect and prevent threats on applications beyond just Web and corporate email, including those using non-standard ports.

• Consider segmenting your network and scanning for threats at these key points of segmentation to prevent lateral movement.
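To make the steps above concrete, here is an added example (not code from the column or from Palo Alto Networks) of a small policy check over constructed flow records: it treats the application as something identified from the traffic rather than from the port, compares each flow against a per-group application baseline, flags standard applications running on non-standard ports, and shows which detections a Web/SMTP-only scanner would never have seen. The port table, groups and records are assumptions built for the illustration.

```python
# Added example: evaluate flow records against an "any application can carry
# threats" policy. The application field is assumed to come from content-based
# identification, so port and application can disagree (the non-standard port case).
from collections import Counter

# Simplified standard-port mapping (assumption for this example).
STANDARD_PORTS = {"smtp": {25, 587}, "web-browsing": {80, 443},
                  "pop3": {110}, "imap": {143}, "ftp": {21}}

# Constructed baseline: which applications each user group may use.
BASELINE = {"finance": {"smtp", "web-browsing"},
            "engineering": {"smtp", "web-browsing", "ftp"}}

# Constructed flow records: (user group, identified application, dst port, verdict)
FLOWS = [
    ("finance", "smtp", 25, "malicious"),
    ("finance", "web-browsing", 80, "benign"),
    ("finance", "ftp", 21, "malicious"),         # application outside the finance baseline
    ("engineering", "ftp", 21, "benign"),
    ("engineering", "smtp", 8080, "malicious"),  # SMTP on a non-standard port
    ("engineering", "imap", 143, "malicious"),   # application in no baseline at all
]

def evaluate(flows, baseline=BASELINE, ports=STANDARD_PORTS):
    """Return (flow index, reason) findings: baseline violations (block),
    non-standard port use (inspect), and threats that Web/SMTP-only scanning misses."""
    findings = []
    for i, (group, app, port, verdict) in enumerate(flows):
        if app not in baseline.get(group, set()):
            findings.append((i, f"{app} not in {group} baseline: block"))
        elif port not in ports.get(app, set()):
            findings.append((i, f"{app} on non-standard port {port}: inspect"))
        if verdict == "malicious" and app not in ("smtp", "web-browsing"):
            findings.append((i, f"threat over {app} missed by Web/SMTP-only scanning"))
    return findings

def threat_share_by_app(flows):
    """Percentage of malicious flows per application, the same breakdown the column reports."""
    hits = Counter(app for _, app, _, verdict in flows if verdict == "malicious")
    total = sum(hits.values())
    return {app: round(100 * n / total, 1) for app, n in hits.items()}

if __name__ == "__main__":
    for idx, reason in evaluate(FLOWS):
        print(f"flow {idx}: {reason}")
    print(threat_share_by_app(FLOWS))
```

Run against the constructed records, the two FTP/IMAP detections are exactly the ones a two-application scanner would have ignored, while the SMTP session on port 8080 shows why application identification cannot rely on the port alone.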

We should never lower our ability to detect threats on the most prevalent applications on corporate networks, but this is not enough. As more organizations build applications other than Web and corporate email into the course of their business, adversaries are taking note and adjusting their tactics. It is no more difficult to deploy malware over FTP than through an email, and your security solutions should have the visibility to prevent these threats just as easily.

Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.