Protecting the Endpoint Against Advanced Malware and Zero-Day Threats
While network-based security solutions provide protection for an enterprise’s network, it is only on the endpoint that full visibility and immediate prevention are possible. For example, consider employees who work remotely or travel frequently and are therefore not subject to network controls, or those who use untrusted removable media that could be infected and introduce malware into the corporate network. To preserve business continuity, some network-based security controls allow suspicious files to download while they are still being analyzed and only sound the alarm after it’s too late.
Additionally, advanced malware is constantly evolving to bypass security controls, learning how to travel through encrypted channels, stay concealed in password-protected files or remain idle while waiting to be triggered by user action.
Having a presence on the endpoint is imperative for real-time protection against advanced malware.
Advanced Malware Is Getting Smarter
In recent years, advanced malware has become more sophisticated in multiple ways. First, it is evasive. Advanced malware aims to infect systems without being noticed. Many traditional security controls rely on blacklisting known malicious files, behaviors or command-and-control (C&C) destinations. To bypass such controls, malware has taken to polymorphism — slightly changing the malicious code so it won’t match the known signatures or patterns — and using dynamically assigned servers. In the underground market, cybercriminals can find off-the-shelf tools to help facilitate this. In response to sandboxing solutions that tried to cope with evasive malware, new, more sophisticated threats can identify whether they’re being run in a user environment or a sandbox or simply await a specific user interaction to activate.
Second, it is persistent. The threat of advanced malware doesn’t end with the download of malicious code. In order to achieve its goals, malware needs to run and stay unnoticed for a long time — even after the infected host has been rebooted. To achieve this goal, malware will install and disguise itself as a benign, legitimate application to prevent identification by traditional controls.
Finally, malware communicates outside the network. The goal of attackers is to gain access to and/or steal sensitive information with which they can achieve a competitive advantage, compromise a company’s reputation or gain leverage. For that, advanced malware needs to communicate with some C&C servers to announce it has completed the first phase of entering the target organization, receive updates and, of course, send the stolen sensitive information to the attacker.
When a threat is carried out by exploiting a vulnerability that has never been previously published, it is called a zero-day threat. Since the vulnerability is not publicly known, there is no available patch that addresses it and fixes the bug that caused the vulnerability. Malicious code that makes use of this vulnerability cannot be identified as a known exploit by security controls that rely on prior knowledge.
Corporate Credentials Theft
People prefer to use as few passwords as possible. It is not uncommon for someone to use the same password to access a corporate intranet site, their personal webmail, a public social network and an e-commerce site. In October 2014, millions of Dropbox passwords were compromised. In May 2014, 145 million eBay passwords were stolen. Mail providers, social networks, retailers and mobile providers have all been breached, resulting in compromised user credentials. If an employee’s credentials to a public site are stolen, it is not difficult to deduce that employee’s corporate username. From there, the door is open for an attacker to gain a foothold in the organizational network.
IBM Security Trusteer’s Apex Advanced Malware Protection™ protects employee endpoints from advanced threats by leveraging a unique, positive behavior model. It does not rely on prior knowledge of specific types of malware, exploits or vulnerabilities, but rather identifies and blocks threats in real time by tracking processes’ behavior and identifying illegitimate flows. This enables Trusteer Apex to address previously unreported malware and zero-day threats. Additionally, Trusteer Apex protects employees from corporate credentials theft through phishing sites and prevents corporate credentials theft from being reused on third-party websites.
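The positive behavior model described above can be illustrated with a small allow-list detector. The following is an added example, not IBM or Trusteer code: it keeps an allow-list of legitimate (process, action, target) flows and flags every observed flow that is not on the list, so a sample that has been repackaged or slightly modified (the polymorphism discussed earlier) is still caught the moment it spawns a shell, installs an autorun entry or opens an outbound connection that no legitimate process is expected to make. The log format, the allowed flows and the event lines are all constructed for the example.

```python
"""Positive behavior model over constructed endpoint process events.

Added example, not vendor code. Instead of a blocklist of known-bad hashes
or signatures, an allow-list of legitimate (image, action, target) flows is
kept and any observed flow outside it is flagged. Log format, allow-list and
sample events are constructed for illustration.
"""
from fnmatch import fnmatchcase
from typing import List, NamedTuple


class Event(NamedTuple):
    image: str   # executable performing the action
    action: str  # one of: exec, write, connect, autorun
    target: str  # child image, file path, host:port or registry key


# Assumed allow-list of legitimate flows for a small office endpoint.
# Targets are glob patterns; everything is compared lower-cased.
ALLOWED_FLOWS = [
    ("winword.exe", "write", "c:\\users\\*\\documents\\*"),
    ("winword.exe", "connect", "*.office.example:443"),
    ("chrome.exe", "connect", "*:443"),
    ("chrome.exe", "write", "c:\\users\\*\\downloads\\*"),
    ("updater.exe", "autorun", "hklm\\software\\microsoft\\windows\\currentversion\\run\\*"),
    ("explorer.exe", "exec", "*.exe"),
]


def parse_event(line: str) -> Event:
    """Parse a constructed log line: '<timestamp> image=.. action=.. target=..'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Event(fields["image"].lower(), fields["action"].lower(), fields["target"].lower())


def is_legitimate(ev: Event) -> bool:
    """True when the flow matches at least one allow-listed (image, action, pattern)."""
    for image, action, pattern in ALLOWED_FLOWS:
        if ev.image == image and ev.action == action and fnmatchcase(ev.target, pattern):
            return True
    return False


def find_illegitimate(lines: List[str]) -> List[Event]:
    """Return every event whose flow is not covered by the positive model."""
    return [ev for ev in map(parse_event, lines) if not is_legitimate(ev)]


# Constructed sample telemetry: a document editor spawning a shell, an
# unknown image registering for autorun, and an unknown image calling out.
SAMPLE_LOG = [
    "2024-01-15T09:00:01Z image=winword.exe action=write target=C:\\Users\\alice\\Documents\\report.docx",
    "2024-01-15T09:00:02Z image=winword.exe action=exec target=cmd.exe",
    "2024-01-15T09:00:03Z image=chrome.exe action=connect target=update.example:443",
    "2024-01-15T09:00:04Z image=svchost-update.exe action=autorun "
    "target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "2024-01-15T09:00:05Z image=photo.scr action=connect target=203.0.113.7:4444",
    "2024-01-15T09:00:06Z image=explorer.exe action=exec target=chrome.exe",
]


def main() -> None:
    for ev in find_illegitimate(SAMPLE_LOG):
        print(f"BLOCK  {ev.image:<20} {ev.action:<8} {ev.target}")


if __name__ == "__main__":
    main()
```

The model never looks at the file's hash or code, only at what the process does, which is why a renamed or re-encoded sample (photo.scr above) is treated the same as any other unknown image. In practice the allow-list is learned from a baseline of normal activity and the parser is replaced by real process, file, network and registry telemetry.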