Secure your network: think like the bad guys

Cracking the endpoint

For a company with employees around the globe, the sheer number of endpoints presents a large attack surface. Attackers are well aware of this wealth of targets and see PCs and laptops as an easy way to break into corporate networks and steal valuable information.

PCs and other "endpoints" are usually far easier to breach than data centre systems: they run a much broader and less controlled mix of software, and they are operated by people. People, by their nature, are susceptible to social engineering, a non-technical attack that relies on human interaction and typically tricks someone into breaking normal security procedures.

But one way to protect your enterprise might be to turn the tables and start thinking like an attacker.

Businesses need to understand what attackers are looking for and how they spot vulnerable systems. Thinking like the bad guys often points to new security strategies.

For example, it is not hard to see that attackers are familiar with traditional antivirus products and test their malware against them before using it, so a purely signature-based defence is being evaded by design. The only way to react is to think outside the box; looking at defences through an attacker's eyes has given rise to a new breed of integrated technologies that should provide more effective protection.

Credulous staff are incredibly easy to exploit

A classic example of social engineering is phishing – an email or phone call that appears to be from someone in authority, a member of the IT team or a trusted business – attempting to trick users into revealing their password or other personal information.

Another example is "Click this Link" scams – these links often look legitimate but typically take users to harmful websites designed to steal sensitive information or infect computers.

According to Verizon's 2013 Data Breach Investigations Report, 71 percent of surveyed breach incidents targeted user devices, and 78 percent of breaches were rated as "low difficulty" intrusions, suggesting that attackers didn't need to employ highly technical methods.

It is often not the malware employed by advanced attackers that is sophisticated; rather, it is their tactics that make them so effective, and social engineering is almost always at the forefront of attacks.

By thinking like an attacker, enterprise security teams should recognise how credulous people tend to be when targeted by social engineering, no matter how often they have been "educated" on security procedures. Since user awareness cannot be relied on, enterprises are left depending on strong host protection.

Traditional antivirus is essentially signature-based blacklisting: vendors compile lists of known malware and block anything on the list. With the massive growth in malware, that approach can no longer keep pace; each new or repackaged sample is allowed to run until a signature for it exists.

Time for anti-antivirus thinking?

In a constantly evolving threat environment, a default-deny approach to security, often called whitelisting or application control – which permits only trusted software to run on endpoints and prevents unauthorised software from running – provides a better level of protection than antivirus.

The notion that whitelisting is hard to deploy and manage is outdated. Today, whitelisting is policy-based, and most organisations need only a few dozen policies to manage which software they trust to run.

Policies can be changed or deleted and new ones created by the security team quickly and easily as the needs of the organisation evolve.
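To make the difference between the two models concrete, here is an added example (not Bit9's code or policy format): a toy default-deny policy engine with three rule types (file hash, code-signing publisher, install directory) placed next to a signature blacklist, both run over the same constructed launch events. The file contents, publisher name, hostnames and paths are all made up for the illustration.

```python
"""Default-deny application control next to signature blacklisting.

Added example, not Bit9's product or its policy format. The trust rules,
file contents, publisher names and launch events are all constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ExecEvent:
    """One attempted program launch, as an endpoint agent would see it."""
    host: str
    path: str
    content: bytes            # the file's bytes (constructed below)
    signer: Optional[str]     # code-signing publisher, None if unsigned


@dataclass
class Policy:
    """A few trust rules; anything they do not match is denied."""
    trusted_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    # Only directories that ordinary users cannot write to belong here;
    # otherwise a path rule lets an attacker launder malware through it.
    trusted_path_prefixes: Tuple[str, ...] = ()

    def allows(self, ev: ExecEvent) -> bool:
        if sha256(ev.content) in self.trusted_hashes:
            return True
        if ev.signer is not None and ev.signer in self.trusted_publishers:
            return True
        return any(ev.path.startswith(p) for p in self.trusted_path_prefixes)


def default_deny(policy: Policy, ev: ExecEvent) -> str:
    """Whitelisting: run only what a policy explicitly trusts."""
    return "allow" if policy.allows(ev) else "deny"


def blacklist(known_bad: Set[str], ev: ExecEvent) -> str:
    """Signature-style antivirus: stop only what is already known bad."""
    return "deny" if sha256(ev.content) in known_bad else "allow"


# Constructed file contents standing in for real binaries.
INVENTORIED_TOOL = b"constructed: signed, inventoried corporate tool v1"
TOOL_UPDATE = b"constructed: same tool, new version, same publisher"
OLD_MALWARE = b"constructed: sample already in the antivirus signature set"
NEW_MALWARE = b"constructed: freshly repacked dropper, no signature yet"

CORP_POLICY = Policy(
    trusted_hashes={sha256(INVENTORIED_TOOL)},
    trusted_publishers={"Example Corp IT"},
    trusted_path_prefixes=("C:\\Program Files\\",),
)
KNOWN_BAD = {sha256(OLD_MALWARE)}

# Constructed launch events from one workstation.
LAUNCHES = {
    "tool": ExecEvent("ws-17", "C:\\Program Files\\Tools\\tool.exe",
                      INVENTORIED_TOOL, "Example Corp IT"),
    "update": ExecEvent("ws-17", "C:\\Users\\bob\\AppData\\Local\\tool.exe",
                        TOOL_UPDATE, "Example Corp IT"),
    "old": ExecEvent("ws-17", "C:\\Users\\bob\\Downloads\\invoice.exe",
                     OLD_MALWARE, None),
    "new": ExecEvent("ws-17", "C:\\Users\\bob\\Downloads\\invoice2.exe",
                     NEW_MALWARE, None),
}


def verdicts() -> Dict[str, Dict[str, str]]:
    """Both models' decisions for each constructed launch."""
    return {
        name: {"whitelist": default_deny(CORP_POLICY, ev),
               "blacklist": blacklist(KNOWN_BAD, ev)}
        for name, ev in LAUNCHES.items()
    }


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:7} whitelist={v['whitelist']:5} blacklist={v['blacklist']}")
```

The case that matters is the last one: the repacked dropper has no signature yet, so the blacklist lets it run, while default-deny stops it simply because nothing vouches for it. The publisher rule is what keeps the policy count small: the signed update is allowed without anyone adding a new hash, which is why a few dozen rules can cover a large software estate. The trade-off is that every trusted publisher and every trusted directory becomes a target in its own right, so path rules belong only on admin-writable locations.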

Detonation explodes onto the security scene

Other emerging techniques combine modern network defence methods with endpoint and server data, helping enterprises to better identify and contain threats found on the network and on endpoints.

Intelligent network devices capture suspicious files and confirm threats via a process known as detonation. The idea is that a file can be "exploded" by running it in an instrumented sandbox and observing what it does, so a clear attempt to act maliciously (for example, establishing persistence or calling out to a command-and-control server) is caught even when the file matches no known malware.

But detonation alone does not tell you whether the attack code reached the machines it was aimed at, whether it ran there, or whether it was stopped.

Today, detonation results can be immediately correlated with up-to-the-second endpoint monitoring and recording data to confirm the location, scope and severity of threats across enterprise endpoints.

When every second counts, this lets security teams prioritise and respond to the threats that matter first.
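The correlation step described above, as an added example that is not any vendor's product code: sandbox verdicts keyed by file hash are joined to a constructed endpoint recording stream, each host is classified by how far the file got (landed on disk, executed, or blocked), and files are ranked so that a confirmed-malicious sample that actually ran somewhere is worked before one that never left the sandbox. The hashes, hostnames, event names and severity scale are this example's own.

```python
"""Correlating network detonation verdicts with endpoint recording data.

Added example, not any vendor's product code. The sandbox verdicts, the
endpoint event stream and the field names are all constructed.
"""
from collections import defaultdict
from typing import Dict, List

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed verdicts from a network sandbox, keyed by file hash.
VERDICTS = {
    "HASH_DROPPER": {"verdict": "malicious",
                     "behaviour": ["writes Run key", "beacons to C2"]},
    "HASH_MACRO_DOC": {"verdict": "malicious",
                       "behaviour": ["spawns powershell.exe"]},
    "HASH_UPDATER": {"verdict": "benign", "behaviour": []},
}

# Constructed endpoint recording: what each host saw for each hash.
ENDPOINT_EVENTS = [
    {"ts": 1, "host": "ws-01", "hash": "HASH_DROPPER", "event": "file_written"},
    {"ts": 2, "host": "ws-01", "hash": "HASH_DROPPER", "event": "process_start"},
    {"ts": 1, "host": "ws-02", "hash": "HASH_DROPPER", "event": "file_written"},
    {"ts": 2, "host": "ws-02", "hash": "HASH_DROPPER", "event": "blocked"},
    {"ts": 1, "host": "ws-03", "hash": "HASH_DROPPER", "event": "file_written"},
    {"ts": 5, "host": "ws-01", "hash": "HASH_UPDATER", "event": "process_start"},
    # HASH_MACRO_DOC was caught on the wire; no host ever recorded it.
]


def host_state(kinds) -> str:
    """Collapse one host's events for one file into how far the attack got."""
    if "process_start" in kinds:
        return "executed"      # it ran: containment and forensics needed
    if "blocked" in kinds:
        return "blocked"       # it arrived but host protection stopped it
    return "landed"            # on disk, not yet run


def correlate(verdicts, events) -> Dict[str, dict]:
    """Per malicious file: which hosts it reached, ran on, or was stopped on."""
    per_file_host = defaultdict(lambda: defaultdict(set))
    for ev in events:
        per_file_host[ev["hash"]][ev["host"]].add(ev["event"])

    report = {}
    for h, v in verdicts.items():
        if v["verdict"] != "malicious":
            continue   # benign verdicts need no endpoint follow-up
        hosts = {"executed": [], "blocked": [], "landed": []}
        for host, kinds in per_file_host[h].items():
            hosts[host_state(kinds)].append(host)
        for names in hosts.values():
            names.sort()
        if hosts["executed"]:
            severity = "critical"
        elif hosts["landed"]:
            severity = "high"     # a live copy is waiting to be run
        elif hosts["blocked"]:
            severity = "medium"   # reached hosts, stopped everywhere
        else:
            severity = "low"      # seen only in the sandbox, never on a host
        report[h] = {"severity": severity, "hosts": hosts,
                     "behaviour": v["behaviour"]}
    return report


def prioritise(report) -> List[str]:
    """Order files so the team works the worst confirmed ones first."""
    return sorted(report, key=lambda h: (SEVERITY_RANK[report[h]["severity"]], h))


if __name__ == "__main__":
    rep = correlate(VERDICTS, ENDPOINT_EVENTS)
    for h in prioritise(rep):
        print(h, rep[h]["severity"], rep[h]["hosts"])
```

The sandbox verdict on its own would rank both malicious files the same; only the join to endpoint data separates the dropper that executed on ws-01 (and is still sitting unrun on ws-03) from the document that never reached a host. The per-host classification is deliberately ordered: a process start outranks a later block, because the block tells you a second launch was stopped, not that the first one was.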

Give would-be attackers both barrels

Unfortunately, users and endpoints have become the weak link in today's IT security chain, and increasingly stealthy attackers are looking to exploit them to the fullest. By thinking like an attacker, it is easy to see that excellent endpoint security is needed.

Enterprises need a new "double-barrelled" approach to thwart today's sophisticated and relentless breed of attacker. The ideal approaches integrate network and endpoint security capabilities and deliver more actionable intelligence, greater proactivity and better overall protection.

  • Nick Levay is chief security officer at Bit9.