Modern threats (APT, Advanced Persistent Threat) are known for their long-term, clandestine infection processes. They are often conducted by parties with a vested interest who focus on a specific goal.
APTs usually target organizations and/or nations in pursuit of an economic or political agenda. An APT is carried out under a high degree of secrecy over a long period of time. The term “Advanced” refers to the sophisticated techniques the attacker applies to take advantage of weak spots in the system, or to social engineering. The term “Persistent” indicates the consistent use of an external command and control system in a bid to retrieve data or harm a specific objective. If an attack ends in failure, the attacker will make another sophisticated attempt to infiltrate the enterprise network.
These hostile sources are designed to evade popular defense systems, and in some cases they evade detection during infection, operation, and exit from the organization.
The enterprise’s main challenge in identifying these hostile sources is locating the hostile processes on the workstation or server while the operating system is unaware that a hostile source is working inside it.
The various anti-virus products are based on digital signatures, and therefore identify only known hostile sources, not modern ones. Even when the customer operates a system for managing data security events and receives an alert on a threat affecting enterprise assets, the customer cannot verify the event’s authenticity, due to the lack of tools and knowledge needed to run such a check.
We Ankor works with a number of unique solutions capable of coping with modern hostile sources, such as RSA’s ECAT, Damballa and VxStream Sandbox.
Over the years, We Ankor has developed a unique, advanced methodology for identifying hostile sources and integrating automatic identification and eradication processes. These processes significantly cut down the time the hostile source has to advance in the enterprise network, and in many cases eradicate it before any damage is done.
Expansion – Advanced hostile detection
The RSA ECAT system (Enterprise Compromise Assessment Tool) is a platform for detecting advanced hostile sources, such as APTs and polymorphic malware, that have not been detected by AV engines or by network anomaly detection.
The ECAT system compares the behavior of recognized processes against irregularities, flagging the mass of processes that do not match familiar behavior traits. ECAT makes it possible to detect irregular processes at the stations where the system’s agent has been deployed. The system searches for different types of objects in different locations (memory, disk): processes, DLL files, drivers, etc.
The system’s agent does not need to observe an installation, compromise or exploitation to detect and pinpoint a suspicious process. It therefore provides a response even when the hostile code is inactive (or partially inactive) while the agent is working. The system can identify the root cause of the irregularity, significantly reducing the investigation and response time for the event.
The Damballa system is a platform for advanced hostile detection that focuses on the activity of endpoints in the enterprise network. The system is based on identifying DNS lookups for C&C servers, the use of DGA (Domain Generation Algorithm) mechanisms, connections to known hostile websites, downloads of files that are known to be hostile or are suspicious, and connections to IP addresses that are known to be hostile.
If a mobile device (mobile phone, tablet, laptop, etc.) is outside Damballa’s monitoring zone and becomes infected with hostile code, then upon its return Damballa will detect the connection to the C&C servers and will flag the device as infected. That is, the Damballa system does not need to observe the infection process to conclude that hostile code exists on an endpoint.
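As an added illustration of the DNS-based detection described above (example code, not Damballa’s own logic), the following Python checks constructed DNS log lines against a constructed blocklist of known C&C domains and IPs and a simple entropy-based DGA heuristic; the log format, the blocklist contents and the heuristic thresholds are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS log lines (client, queried name, resolved address); not real data.
DNS_LOG = """\
10.0.0.5 query=mail.example.com answer=93.184.216.34
10.0.0.7 query=xk3jq9v2mz7tlpqw.net answer=198.51.100.9
10.0.0.7 query=update.example.org answer=203.0.113.55
10.0.0.9 query=bad-known.example answer=192.0.2.77
10.0.0.7 query=q8wz1vjk4txr9pmc.com answer=198.51.100.9
"""
# Constructed blocklists standing in for a threat-intelligence feed of known C&C infrastructure.
BAD_DOMAINS = {"bad-known.example"}
BAD_IPS = {"203.0.113.55"}
LINE_RE = re.compile(r"^(\S+) query=(\S+) answer=(\S+)$")

def shannon_entropy(text):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def looks_like_dga(domain, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic on the leftmost label: long, high-entropy and vowel-poor (thresholds are assumptions)."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio

def classify(line):
    """Return (client, reasons) for one log line; reasons is empty for a benign lookup."""
    m = LINE_RE.match(line)
    if not m:
        return None, []
    client, query, answer = m.groups()
    checks = (("known-bad-domain", query in BAD_DOMAINS),
              ("known-bad-ip", answer in BAD_IPS),
              ("dga-like-domain", looks_like_dga(query)))
    return client, [name for name, hit in checks if hit]

def scan(log):
    """Map each client that made a suspicious lookup to its sorted, deduplicated reasons."""
    flagged = {}
    for line in log.splitlines():
        client, reasons = classify(line)
        for reason in reasons:
            flagged.setdefault(client, set()).add(reason)
    return {client: sorted(reasons) for client, reasons in flagged.items()}
```

Note that the client 10.0.0.7 is flagged purely from its lookups after the fact, which mirrors the point above that the infection itself never has to be observed.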
The VxStream system, from Payload Security, is a sandbox that can run files which fail to run in other sandboxes. The product conceals all sandbox and virtualization characteristics, thereby “fooling” the hostile source into thinking it is on a legitimate station in the enterprise network. Additionally, VxStream provides full static and dynamic analysis of suspicious files, including reverse engineering of the instructions the hostile source executes in memory.