Why Don't Traditional Defenses Work?
Despite bold claims and billions of dollars invested, legacy protections like traditional and next-generation firewalls, intrusion prevention systems, anti-virus, and Web gateways no longer stop advanced malware or targeted APT attacks. These systems rely too heavily on signatures, known patterns of misbehavior, and reputation to be effective at accurately identifying and blocking advanced targeted attacks. This leaves a gaping hole in network defenses that remain vulnerable to today's new breed of cyber attacks.
In the following pages, we review how each technology has been victimized and bypassed by today's cyber attacks.
Next-Generation Firewalls:
Next-generation firewalls (NGFWs) have proven incapable of stopping advanced malware and targeted attacks. While NGFWs typically take a more application-centric approach to traffic classification, they neither detect nor block the new breed of advanced attacks such as zero-day exploits, targeted attacks, or advanced persistent threat (APT) attacks.
NGFW vendors have tacitly conceded this point and are now augmenting their products with cloud-based analysis of binaries and DLLs and "rapid" hourly updates of the firewall signature set.
Fundamentally, cloud-based analysis does not provide advanced malware protection.
Key gaps in NGFW protection:
Does not stop Web page attacks
NGFW cloud-based analysis does not analyze document and file formats for malware (PDFs, Microsoft documents, image formats) used to exploit application vulnerabilities.
Does not stop email-based attacks
NGFW cloud-based analysis does not analyze emails for malware, so it cannot stop spear phishing attacks. Spear phishing is a primary mechanism used in targeted APT attacks.
Cannot address encrypted binaries
NGFW cloud-based analysis is based on the premise that malware binaries will be transmitted in the clear and that there is no need to detect the exploit phase that actually initiates a binary download.
Too slow and reactive
Hourly updates of attack signatures are too slow even if they manage to detect a new attack binary. FireEye research has found that 90% of binaries morph within one hour and initiate callbacks within minutes of compromise to download further malware infections.
The Operation Aurora APT attack that targeted Google and many others used an XOR encoding to mask the binary. Without visibility into the exploit phase, NGFWs did not detect the encrypted binary, and therefore missed the Aurora attack entirely.
Also, many APT attacks use email attachments as the initial exploit phase of the attack. The attack on RSA in early 2011 used an infected spreadsheet to begin the process of infiltrating deep inside RSA's network to target valuable source code. Again, NGFWs are architecturally incapable of detecting or blocking an email attachment-style attack.
In short, NGFWs have fundamental architectural flaws when it comes to detecting and blocking advanced malware and APT-style attacks. These flaws leave the end user's network wide open to web page exploits that subsequently mask or encrypt the binary download phase. Without any real-time analysis within the locally deployed firewall, NGFWs are unable to address advanced malware and targeted APT attacks. Companies deploy FireEye products to complement traditional NGFWs to ensure they are fully protected against cyber attacks.
Intrusion Prevention Systems:
Network intrusion prevention systems (IPS) and the intrusion detection systems (IDS) that preceded them were developed to address the firewall's visibility and granularity limitations. To filter out attacks, IPS solutions inspect network communications to understand the various application data being transmitted.
Earlier IDS solutions performed passive monitoring, analyzing network traffic and identifying attacks based on signatures of known exploits. As IDS evolved into IPS, these solutions could prevent attacks whose traffic matched the signature of a known exploit.
Over time, IPS vendors began to claim that their solutions could prevent unknown, or zero-day, attacks. In reality, however, these claims have not proven true. They were based on the shift from IDS detection of an individual attack using an exploit signature to IPS detection of a class of attacks using a vulnerability signature. This basic improvement provided the basis for vendors' zero-day protection claims, specifically that attacks against a particular vulnerability would be stopped whether a known or unknown exploit was being used. The critical part IPS vendors fail to mention is that this unknown-exploit prevention depends on having a rich understanding of the vulnerability universe. In other words, IPS vendors have moved the network signature problem from having to know about all exploits to having to know about all vulnerabilities.
The challenge is that vendors must account for both the exponentially increasing number of known vulnerabilities, as well as all the unknown vulnerabilities in today's threat landscape. It simply proves to be impossible given how IPS technology was originally designed. FireEye's exploit research in our Malware Intelligence Lab indicates that the most severe and successful attacks against organizations are those that exploit unknown vulnerabilities. It is only after these attacks eventually become public, thus prompting a vulnerability disclosure, that IPS vendors are able to reactively update their products to look for exploits targeting these previously unknown vulnerabilities.
The other major limitation of IPS offerings is that these systems were originally built to detect and analyze network service-based attacks on the OS and server applications, rather than the client-side application attacks that dominate the landscape today. The everyday client applications used by consumers and business users, such as browsers, PDF readers and Flash plug-ins, are the number one target for attackers. The ability of attackers to encapsulate and obfuscate these application-based attacks within layer upon layer of application and network protocols makes it nearly impossible for IPS systems to find the needle in the haystack. Moreover, even when IPS systems can identify these attacks, they do so only for attacks against known vulnerabilities, while most attacks target the unknown.
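The distinction drawn above between an exploit signature and a vulnerability signature, and the point that neither helps against an unknown vulnerability, can be made concrete with a small detector. This is an added illustration, not FireEye's or any IPS vendor's code: it assumes a constructed line-based protocol with a hypothetical 256-byte buffer flaw, a constructed marker for the "known exploit", and constructed sample traffic.

```python
import re

# Constructed toy protocol: "CMD <name> LEN <n>\n<payload>".
# Assumed (hypothetical) known flaw: the server copies the payload into a
# 256-byte buffer, so any request declaring or carrying more than 256 bytes
# triggers it regardless of which bytes are used.
BUFFER_SIZE = 256

# Exploit signature: the byte pattern of one specific, published exploit.
# Constructed marker, not real exploit content.
EXPLOIT_SIGNATURE = b"<<KNOWN-EXPLOIT-BYTES>>"


def parse_request(raw: bytes):
    """Return (command, declared length, payload) or None if malformed."""
    header, _, payload = raw.partition(b"\n")
    m = re.fullmatch(rb"CMD (\w+) LEN (\d+)", header)
    if not m:
        return None
    return m.group(1).decode(), int(m.group(2)), payload


def exploit_signature_match(raw: bytes) -> bool:
    """IDS-style check: does the traffic contain the known exploit's bytes?"""
    return EXPLOIT_SIGNATURE in raw


def vulnerability_signature_match(raw: bytes) -> bool:
    """IPS-style check: does the request satisfy the condition that triggers
    the *known* vulnerability, whatever payload bytes are used?"""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    _, declared_len, payload = parsed
    return declared_len > BUFFER_SIZE or len(payload) > BUFFER_SIZE


def classify(raw: bytes) -> str:
    """Name the first detection layer that flags the request, if any."""
    if exploit_signature_match(raw):
        return "exploit-signature"
    if vulnerability_signature_match(raw):
        return "vulnerability-signature"
    return "passed"


# Constructed sample traffic.
BENIGN = b"CMD GET LEN 5\nhello"
KNOWN_EXPLOIT = b"CMD GET LEN 300\n" + b"A" * 277 + EXPLOIT_SIGNATURE
VARIANT_EXPLOIT = b"CMD GET LEN 300\n" + b"B" * 300      # same flaw, new bytes
# Well-formed request hitting a hypothetical flaw the signature set does
# not model: both checks see nothing wrong.
UNKNOWN_FLAW = b"CMD SET LEN 11\nkey=value;;"
```

The variant exploit evades the exploit signature but is caught by the vulnerability signature; the request against the unmodelled flaw passes both, which is the gap the text describes.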
Anti-Virus:
As advanced malware, zero-day and targeted APT attacks exploit unknown vulnerabilities and grow more dynamic, anti-virus is rendered helpless in combating today's attacks. With over 286,000,000 new malware variants in 2010 alone [1], anti-virus vendors understand that they offer minimal protection against advanced malware. Based on research from the FireEye Malware Intelligence Lab, 90% of binaries morph within one hour, making it easy to bypass anti-virus since it relies primarily on signature-based detection.
Because anti-virus cannot release updates quickly enough, advanced malware has a large window of opportunity to propagate once it gets into that first system. It also has plenty of time to download and install follow-on infections, such as keyloggers and password crackers that use rootkit techniques to deeply embed into compromised systems. This makes removal a complex, if not impossible, task. APT actors also hide malware that remains largely dormant and only periodically calls back to criminal servers to update, repair, or re-install any missing malware components.
However, anti-virus remains an element of IT security because organizations increasingly use it as a clean-up mechanism complemented by advanced security. The FireEye Malware Protection System (MPS) analyzes the advanced malware missed by anti-virus, and the resulting FireEye malware forensics can be sent to AV vendors to develop clean-up routines. Organizations remain secured by the FireEye MPS since it blocks the malware callback communications, preventing data theft.
[1] "Symantec Logged 286 Million New Threats In 2010", Dark Reading, http://www.darkreading.com
Web Gateways:
What the traditional security industry refers to as "defense-in-depth" has so far been iterations of pattern-matching techniques deployed in network or host-based systems. These technologies represent an ongoing effort to augment basic port-based blocking and to overcome the inherent limitations of the previous round of signature-based or list-based security product deployments. Web gateway security is no different.
As attackers shifted tactics to deliver both attacks and malware communication over the Web, organizations found a need to tighten their control over Web-based communications. As a result, Web gateways were developed. These technologies, like the ones before them, use lists of "known bad" URLs and do not look to the evolving, unknown threats of the future. Vendors have based their prevention capabilities on a list-based approach, blocking the transmission of Web data and Web sites that are known to be malicious.
Today, Web gateways mainly provide policy enforcement and some low-level security value. Meanwhile, cyber attackers have shifted tactics to be able to easily bypass Web gateways. They have moved to completely dynamic and obfuscated models of both attack delivery and malware communication, which render lists of malicious Web sites obsolete. Consequently, just as Web gateways were beginning to be widely adopted, they became outmoded from a security perspective. While these technologies still have utility in enforcing HR policies that limit employee Web browsing, when it comes to combating modern attacks, Web gateways have been relegated to an increasingly marginal security role. The same is true of anti-virus and other technologies due to the shift in tactics by cyber criminals.