How To Handle Zero-Day Attacks

How To Handle Zero-Day Attacks

 

How do you provide defence against the constant presence of zero-day attacks, as well as advanced persistent threats (APT) that steal data over long periods of time? One solution is to use an enterprise-level advanced malware detection solution that offers real-time malware detection.

 

 

Network administrators must constantly monitor the network for signs of malware or behaviours that reveal the presence of an APT. Cisco has an Advanced Malware Protection (AMP) Threat Grid that analyzes millions of files and correlates them against hundreds of millions of other analyzed malware artefacts.

 

This provides a global view of malware attacks, campaigns, and their distribution. AMP is client/server software deployed on host endpoints, as a standalone server, or on other network security devices. The figure shows the benefits of the AMP Threat Grid.

 

Many national and professional organizations have published lists of security best practices. The following is a list of some security best practices:

 

  • Perform Risk Assessment – Knowing the value of what you are protecting will help in justifying security expenditures.
  • Create a Security Policy – Create a policy that clearly outlines company rules, job duties, and expectations.
  • Physical Security Measures – Restrict access to networking closets, server locations, as well as fire suppression.
  • Human Resource Security Measures – Employees should be properly researched with background checks.
  • Perform and Test Backups – Perform regular backups and test data recovery from backups.
  • Maintain Security Patches and Updates – Regularly update server, client, and network device operating systems and programs.
  • Employ Access Controls – Configure user roles and privilege levels as well as strong user authentication.
  • Regularly Test Incident Response – Employ an incident response team and test emergency response scenarios.
  • Implement a Network Monitoring, Analytics and Management Tool – Choose a security monitoring solution that integrates with other technologies.
  • Implement Network Security Devices – Use next generation routers, firewalls, and other security appliances.
  • Implement a Comprehensive Endpoint Security Solution – Use enterprise level antimalware and antivirus software.
  • Educate Users – Educate users and employees in security procedures.
  • Encrypt data – Encrypt all sensitive company data including email.

 

 

Some of the most helpful guidelines are found in organizational repositories such as the National Institute of Standards and Technology (NIST) Computer Security Resource Center, as shown in the figure.

 

 

Botnet

A botnet is a group of bots, connected through the Internet, with the ability to be controlled by a malicious individual or group. A bot computer is typically infected by visiting a website, opening an email attachment, or opening an infected media file.

 

A botnet can have tens of thousands, or even hundreds of thousands of bots. These bots can be activated to distribute malware, launch DDoS attacks, distribute spam email, or execute brute force password attacks. Botnets are typically controlled through a command and control server.

 

Cyber criminals will often rent out Botnets, for a fee, to third parties for nefarious purposes.

 

 

 

The Kill Chain in Cyberdefense

In cybersecurity, the Kill Chain is the stages of an information systems attack. Developed by Lockheed Martin as a security framework for incident detection and response, the Cyber Kill Chain is comprised of the following stages:

Stage 1. Reconnaissance – The attacker gathers information about the target.

Stage 2. Weaponization – The attacker creates an exploit and malicious payload to send to the target.

Stage 3. Delivery – The attacker sends the exploit and malicious payload to the target by email or other methods.

Stage 4. Exploitation – The exploit is executed.

Stage 5 Installation – Malware and backdoors are installed on the target.

Stage 6. Command and Control – Remote control of the target is gained through a command and control channel or server.

Stage 7. Action – The attacker performs malicious actions like information theft, or executes additional attacks on other devices from within the network by working through the Kill Chain stages again.

 

 

To defend against the Kill Chain, network security defences are designed around the stages of the Kill Chain. These are some questions about a company’s security defences, based on the Cyber Kill Chain:

  • What are the attack indicators at each stage of the Kill Chain?
  • Which security tools are needed to detect the attack indicators at each of the stages?
  • Are there gaps in the company’s ability to detect an attack?

According to Lockheed Martin, understanding the stages of Kill Chain allowed them to put up defensive obstacles, slow down the attack, and ultimately prevent the loss of data. The figure shows how each stage of the Kill Chain equates to an increase in the amount of effort and cost to inhibit and remediate attacks.

 

Behaviour-Based Security

Behaviour-based security is a form of threat detection that does not rely on known malicious signatures but instead uses informational context to detect anomalies in the network. Behaviour-based detection involves capturing and analyzing the flow of communication between a user on the local network and a local, or remote destination.

 

These communications, when captured and analyzed, reveal context and patterns of behaviour which can be used to detect anomalies. Behaviour-based detection can discover the presence of an attack by a change from normal behaviour.

 

 

Honeypots

 A Honeypot is a behaviour-based detection tool that first lures the attacker in by appealing to the attacker’s predicted pattern of malicious behaviour, and then when inside the honeypot, the network administrator can capture, log, and analyze the attacker’s behaviour. This allows an administrator to gain more knowledge and build a better defence.

 

Cisco’s Cyber Threat Defense Solution Architecture

This is a security architecture that uses behaviour-based detection and indicators, to provide greater visibility, context, and control. The goal is to know who, what, where, when, and how an attack is taking place. This security architecture uses many security technologies to achieve this goal.

 

Behaviour-based security is a form of threat detection that does not rely on known malicious signatures but instead uses informational context to detect anomalies in the network. Behaviour-based detection involves capturing and analyzing the flow of communication between a user on the local network and a local, or remote destination. These communications, when captured and analyzed, reveal context and patterns of behaviour which can be used to detect anomalies. Behaviour-based detection can discover the presence of an attack by a change from normal behaviour.

 

 

NetFlow technology is used to gather information about data flowing through a network. NetFlow information can be likened to a phone bill for your network traffic. It shows you who and what devices are in your network, as well as when and how users and devices accessed your network. NetFlow is an important component in behaviour-based detection and analysis.

 

Switches, routers, and firewalls equipped with NetFlow can report information about data entering, leaving, and travelling through the network. Information is sent to NetFlow Collectors that collect, store and analyze NetFlow records.

 

 

NetFlow is able to collect information on usage through many different characteristics of how data is moved through the network, as shown in the figure. By collecting information about network data flows, NetFlow is able to establish baseline behaviours on more than 90 different attributes.

 

 

CSIRT

Many large organizations have a Computer Security Incident Response Team (CSIRT) to receive, review, and respond to computer security incident reports, as shown in Figure 1. The primary mission of CSIRT is to help ensure company, system, and data preservation by performing comprehensive investigations into computer security incidents. To prevent security incidents, 

 

 

Cisco’s CSIRT collaborates with Forum of Incident Response and Security Teams (FIRST), the National Safety Information Exchange (NSIE), the Defense Security Information Exchange (DSIE), and the DNS Operations Analysis and Research Center (DNS-OARC).

 

 

There are national and public CSIRT organizations like the CERT Division of the Software Engineering Institute at Carnegie Mellon University, that are available to help organizations, and national CSIRTs, develop, operate, and improve their incident management capabilities.

 

Security Playbook

Technology is constantly changing. That means cyberattacks are evolving too. New vulnerabilities and attack methods are discovered continuously. Security is becoming a significant business concern because of the resulting reputation and financial impact from security breaches. Attacks are targeting critical networks and sensitive data. Organizations should have plans to prepare for, deal with, and recover from a breach.

zero-day attacks

 

One of the best way to prepare for a security breach is to prevent one. There should be guidance on identifying the cybersecurity risk to systems, assets, data, and capabilities, protecting the system by the implementation of safeguards and personnel training, and detecting cybersecurity event as soon as possible.

 

When a security breach is detected, appropriate actions should be taken to minimize its impact and damage. The response plan should be flexible with multiple action options during the breach. After the breach is contained and the compromised systems and services are restored, security measures and processes should be updated to include the lessons learned during the breach.

 

 

All this information should be compiled into a security playbook. A security playbook is a collection of repeatable queries (reports) against security event data sources that lead to incident detection and response. Ideally, security playbook must accomplish the following actions:

 

 

  • Detect malware-infected machines.
  • Detect suspicious network activity.
  • Detect irregular authentication attempts.
  • Describe and understand inbound and outbound traffic.
  • Provide summary information including trends, statistics, and counts.
  • Provide usable and quick access to statistics and metrics.

 

Now your take on this argument.

We would also like to hear what you feel about the topic we discussed today. Your feedback is very important to us. Feel free to drop your comments and recommendations. If you have a contrary opinion, you can drop that too.

You can also join our Facebook Page CRMNigeria for more updates. You can do that by clicking on the link or searching for our page on Facebook.

 

You can also join our WhatsApp Group Here.

 

Enter your email address to get updates when we post our next article. you have to click on the link in the email sent to you to confirm your subscription. If you have been receiving our email updates and it is no longer active, please subscribe again.:

Delivered by FeedBurner