Capturing evasive APTs before they cause serious harm

The alarming rise in shape-shifting threat tactics and zero-day attacks, fueled by an increasingly interconnected business world, is driving strong demand for comprehensive protection against cyber threats.

Early this year, cyber criminals breached Bangladesh Bank’s system and tried to transfer some US$1 billion out of the bank’s account at the Federal Reserve Bank of New York (FRBNY). Most of these transfer requests were stopped because the FRBNY suspected they were fraudulent. Still, four requests to transfer about $81 million to entities in the Philippines passed the FRBNY’s scrutiny. And only a typo in the hackers’ transfer request enabled officials to stop a $20 million transfer to a Sri Lankan bank account.

The extent and sophistication of the heist illustrate how the advantages of globalization, digitalization and interconnectivity in the business world have benefitted the cyber criminal world in equal measure.

Tools and thieves

Today’s advanced persistent threats (APTs) are stealthy. They evolve, morph and adapt to extract or compromise sensitive data, including identity, access and control information. Even advanced threat detection technologies like network sandboxes, which analyze the behavior of suspicious files in the hopes of uncovering hidden zero-day malware, can fail because they:

  • Analyze potentially dangerous files only after they have infiltrated the network, increasing the risk of malware executing and propagating behind the perimeter

  • Are limited in the range of file types they can analyze, or address only threats targeting certain operating systems and applications

  • Allow malware to evade detection by slipping through the analytical gaps created by siloed, single-engine, stand-alone sandbox engines

  • Are unable to inspect SSL/TLS encrypted traffic, which is commonly used to hide malware, or their performance is severely degraded when conducting the inspection

  • Lack simple, efficient ways to remediate threats or update firewall signatures via a global network

In the case of the Bangladesh Bank heist, malware evaded security systems and the hackers took advantage of stolen credentials to initiate fraudulent fund transfers. Months after the heist, investigations have yet to shed light on the hackers’ identity. The 2016 Dell Security Annual Threat Report echoes this reality, stating that “breaches typically succeed not because the victims lacked security altogether, but because thieves found and exploited a small hole in their security program”.

For more effective advanced threat protection, organizations need a multi-engine approach to threat analysis that prevents zero-day and APT attacks while detecting evasive techniques as they evolve. This may be a tall order for single-engine sandbox solutions, but the SonicWALL Capture Advanced Threat Protection Service – a cloud-based service available with SonicWALL firewalls – offers tantalizing potential for quick detection and rapid remediation of evasive advanced threats.

Evasion-proof security

Armed with multi-layer adaptive sandboxing, including full system emulation, virtualization techniques and hypervisor-level analysis technology, the SonicWALL Capture service analyzes suspicious objects in concert with SonicWALL firewall’s detection and blocking of intrusions and known malware. It is not compute-environment specific and analyzes a broad range of files.

Suspicious files are sent to the cloud service, where a combination of VMRay Analyzer, Lastline Breach Detection and SonicWALL’s virtualized sandbox engines not only analyzes the files and reports malicious file behavior, but can also automate security by blocking the file at the gateway until a verdict is determined.

Remediation signatures for unknown or zero-day threats are rapidly deployed through SonicWALL’s cloud forensics platform to all SonicWALL network security appliances to prevent ensuing attacks. The system leverages real-time analytics from more than one million connected next-generation firewalls worldwide.

Malware is also submitted to the SonicWALL Threat Intelligence Team for further analysis and inclusion in the Gateway Anti-Virus and IPS signature databases, as well as the URL, IP and domain reputation databases, within 48 hours.

“Recognizing an attack or malware is only half the story,” says Kent Shuart, director of SonicWALL Product Marketing for APJ at Dell Security. “The other, more important half, is reacting to the threat and creating protection that SonicWALL’s worldwide network can use. The SonicWALL Capture is the only advanced threat protection offering multi-layer sandbox technologies that use both system emulation and virtualization techniques to detect more threats than single sandbox solutions.”

One early beta customer of SonicWALL Capture is Solano Family & Children’s Services, a non-profit organization that, with limited resources, aims to ensure its childcare network is as secure as possible. “Fortunately, the SonicWALL solutions have delivered that level of security, and I can already see the anticipated benefits this new offering will contribute to ensuring that our overall security posture is intact and prepared for unforeseen security threats,” says Bob Randolph, the organization’s IT systems administrator. “The multi-engine sandboxing approach gives me peace of mind that our network will remain secure from unforeseen threats.”

This is a QuestexAsia feature commissioned by Dell Security.