Targeted attackers often gain upper hand once inside, says Trend Micro


Targeted attackers often gain upper hand once inside, says Trend Micro

Robert Westervelt

IT security teams are focused on vulnerability and configuration management and monitoring the endpoint for malicious activity, but security pros may be missing the telltale signs that highly skilled attackers may have already set up operations on the corporate network, according to new whitepaper from Trend Micro.

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

To gain an upper hand, firms must be able to spot the unwanted intruder and constantly foil their efforts.

Tom Kellerman, vice president of cybersecurity, Trend Micro Inc.

"Digital insiders" can scout for exploitable vulnerabilities, set up communication channels on the inside to avoid detection and even patch vulnerabilities to prevent hackers to piggy back on their efforts, according to Tom Kellerman, vice president of cybersecurity at Trend Micro Inc. Kellerman said data analytics help forward thinking IT teams spot potential problems before they grow out of control.

"This may require organization to increase their awareness of the activities on their networks and the ability to correlate events to thwart the digital insider’s malicious activities," Kellerman wrote in a blog entry about the insider threat and Trend's network analysis tools."To gain an upper hand, firms must be able to spot the unwanted intruder and constantly foil their efforts."

Trend issued a white paper on the topic,"How to Thwart the Digital Insider – an Advanced Persistent Response to Targeted Attacks," (.pdf) outlining steps organizations can take to spot attackers who may have already infiltrated the company network. It involves the use of threat intelligence and network analysis, correlating the data to spot potentially malicious activity.

"These guys are past masters at lying hidden for years on end so we need to up our own game to achieve advanced situational awareness," Kellerman wrote. "It will require patience once a digital insider is discovered, however, and more monitoring to ascertain all of the actors behind a particular threat so that law enforcement can take over – this is not a time to go in all guns blazing."

Proactive security

Situational awareness and deep data analysis has been a consistent theme in 2012 as security researchers provided information on targeted attacks and cyberespionage campaigns looking to steal intellectual property.

Big data analytics emerged as a major theme at the 2012 RSA Conference. A number of security firms warned about targeted attackers infiltrating and remaining virtually undetectable on networks for months and even years. Large enterprises such as IBM, HP and RSA, the Security Division of EMC Corp. are touting data collection and correlation. It typically involves a Security Information and Event Management appliance to collect and crunch the data from the various security devices on the network. The firms have been slowly adding threat intelligence feeds in an effort, they say, to improve detection and isolate problems much faster.  

Vulnerability and configuration management can only go so far in reducing the attack surface, said Pete Lindstrom, a research director at Spire Security. Determined attackers can use zero-day vulnerabilities, or find a weak point based on a single configuration error or software component that hasn't been updated.

Threat intelligence data can be used in a variety of ways, Lindstrom said. For example, malicious IP addresses where attacks originate, can be identified and communication to those points can be blocked by enterprise IT teams addressing the threat. While large businesses often have the resources to do it better, organizations on tighter budgets are turning to managed security providers to provide visibility and data correlation. 

Collective Intelligence Framework

Proactive security typically involves threat intelligence gathering and data analytics to help organizations better understand the security threats that matter most to the organization, said Rick Holland, an analyst at Forrester Research Inc. Holland said organizations that are building an intelligence program typically partner with cyberintelligence organizations such as Dallas-based iSight Partners or VeriSign's iDefense security intelligence services to gain actionable data. Cyberintellgience firms have traditionally catered to the defense industrial base and financial services firms, but their customer base is growing, Holland said.  

"Intelligence requires analysis and relevancy and a lot of what vendors provide is just a feed that companies may or may not be able to use to make actionable," Holland said.

Holland advocates the use of the Collective Intelligence Framework (CIF), an open source project that combines multiple threat feeds and data sets together and enables organizations to query against the data to find bad IPs (infected systems) on their network. The CIF is extremely useful, but requires skilled programmers and threat analysts, Holland said. Other firms, such as Baltimore-based LookingGlass Cyber Solutions, can provide similar information in a more user friendly interface, he said.