Today's cyber attacks have changed radically from just a few years ago. The broad, scattershot approach of mass-market malware designed for mischief has been replaced by advanced tactics, techniques, and procedures. Most of today's attacks are targeted to get something valuable—sensitive personal information, intellectual property, authentication credentials, insider information—and each attack is often multi-staged, with premeditated steps to get in, to signal back out of the compromised network, and to get the valuables out.
Traditional protections, such as traditional and next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV) and Web gateways, only scan for the first move: the inbound attack. These systems rely heavily on signatures and known patterns of misbehavior to identify and block threats, which leaves a gaping hole in network defenses, one that zero-day and targeted advanced persistent threat (APT) attacks pass straight through. Consider the time lag in signature development: a vulnerability must be disclosed, or an attack must spread widely enough to catch the attention of researchers, before malicious code is identified over the course of a few days. Polymorphic code tactics then counter-balance the effect of signature-based removal. Signatures are a reactive mechanism against known threats; if an attack stays below the radar, the malware is completely missed and the network remains vulnerable, especially to zero-day, targeted APTs. No matter how malicious the code is, if signature-based tools haven't seen it before, they let it through.
Heuristic-based protection alone has not proven to be operationally effective. Heuristics use rough algorithms to estimate suspicious behavior and generate many false alerts. While these techniques have merit, the ratio of true positives to false positives (the signal-to-noise ratio) is too low for a cost-effective ROI. The false positives clutter security event logs, and real-time blocking based on heuristic alerts is simply not an option. Administrators often "dumb down" the available heuristics to catch only the most obvious suspicious behavior, and multi-stage targeted attacks don't trip this coarse-grained filter.
Today's Cyber Attacks: Targeted, stealthy, personalized and zero-day
Cyber criminals have figured out how to evade detection by bypassing traditional defenses. Using toolkits to design polymorphic threats that change with every use, move slowly, and exploit zero-day vulnerabilities, the criminals have broken in through the hole left by traditional and next-generation firewalls, IPS, anti-virus and Web gateways. This new generation of organized cybercrime is persistent, capitalizing on organizational data available on social networking sites to create very targeted 'phishing' emails and malware targeted at the types of applications and operating systems (with all their vulnerabilities) typical in particular industries.
Once inside, advanced malware, zero-day and targeted APT attacks will hide, replicate, and disable host protections. After it installs, it phones home to its command and control (CnC) server for instructions, which could be to steal data, infect other endpoints, allow reconnaissance, or lie dormant until the attacker is ready to strike. Attacks succeed in this second communication stage because few technologies monitor outbound malware transmissions. Administrators remain unaware of the hole in their networks until the damage is done.
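The second stage described above, the callback to the CnC server, is the one most environments do not watch for. The following is an added example (not FireEye's code) that hunts for it in egress proxy logs: an infected host contacting a fixed external destination on a regular timer produces evenly spaced connections, which human browsing does not. The log format, hostnames and sample lines are constructed for the demonstration.

```python
"""Flag evenly spaced outbound connections (possible CnC callbacks)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: "timestamp src_ip dst_host".
# 10.0.0.5 hits one host every 5 minutes; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2012-03-01T09:00:00 10.0.0.5 update.example.net
2012-03-01T09:01:10 10.0.0.7 www.example.com
2012-03-01T09:05:00 10.0.0.5 update.example.net
2012-03-01T09:07:45 10.0.0.7 cdn.example.com
2012-03-01T09:10:00 10.0.0.5 update.example.net
2012-03-01T09:15:00 10.0.0.5 update.example.net
2012-03-01T09:20:00 10.0.0.5 update.example.net
2012-03-01T09:31:00 10.0.0.7 www.example.com
"""


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.2):
    """Return (src, dst, period_seconds) for flows whose gaps are regular.

    Jitter is the coefficient of variation of the inter-connection gaps;
    a malware sleep timer keeps it near zero, a person does not.
    """
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((src, dst, period))
    return hits


for src, dst, period in find_beacons(parse_log(SAMPLE_LOG)):
    print(f"possible callback: {src} -> {dst} every {period:.0f}s")
```

On real proxy or firewall logs, raise `min_hits` and review the flagged destinations against known update and telemetry services before acting on them.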
APTs can be characterized by the attackers' quest to gain long-term control of compromised computer systems. Whether attackers use viruses, Trojans, spyware, rootkits, spear phishing, malicious email attachments or drive-by downloads, their malware enables either simple disruption or long-term control of compromised machines. APT actors can be nation-states or rogue actors, using completely unknown malware or buying access to systems previously compromised with known malware installed through social engineering, spear phishing, or drive-by downloads.
Interactive Cyber Threat Maps
Global Advanced Cyber Attack Landscape
FireEye monitored more than 12 million malware communications (or callbacks) to command and control (CnC) servers across hundreds of thousands of infected enterprise hosts. Callbacks were sent to more than 184 countries, with more than 12 million communication events logged during 2012. This map shows the percentage of callbacks to the top five locations of CnC servers detected by FireEye appliances around the world. Target countries indicate where the companies being attacked are located. Callback countries are where the initial CnC servers are located. Additional callbacks may occur from the initial CnC servers to locations in different countries.