With the IT security industry focusing on the Chinese hack of the New York Times and the inability of standard anti-virus software to detect the threat, network security specialists at Sourcefire took the time to explain to ProSecurityZone how its latest products take a new approach to eliminating the menace of Advanced Persistent Threats (APT).
When code first arrives on a network, it isn't always evident that it poses a threat. Malware writers have long known how to get past firewalls, so malicious activity only begins once the initial defences have been breached. The concept of the Advanced Persistent Threat is that it adapts to the environment to continue (or persist) with its task until it achieves it.
Sourcefire gave the analogy of a burglar. Once the burglar is in the house, he checks the cupboards and storage areas then, having been so far unsuccessful, checks under the bed and starts searching for a safe. The attack on the safe is also unlikely to be immediately successful and may require several attempts to breach the defences. APTs work in a similar way on company networks.
Software from Sourcefire creates a "fingerprint" for every piece of software that passes onto the network. This fingerprint is effectively a hash or a string of metadata that defines the software. The hash is created by a Sourcefire algorithm and is unique for every piece of code, every program and every piece of potential malware.
If some code is subsequently identified as malware after it has breached the network defences, the same algorithm produces a hash that can then be compared with the code already sitting on the network, thus identifying any instances of that malware that might be present. Given that APT code adapts itself, Sourcefire also applies "fuzzy-hashing" algorithms, which can detect similarities between two pieces of code that are not identical but nonetheless share some attributes or heritage.
The retrospective inspection of networks can therefore reveal "zero day threats" that have already broken through the perimeter as well as Advanced Persistent Threats that are working on the inside of the network.
Endpoint software speeds up this process by having the ability to inspect individual workstations.
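The following is an added illustration of the retrospective model described above; it is not Sourcefire's code, and Sourcefire's fingerprinting and fuzzy-hashing algorithms are proprietary and not described on this page. It stands in a SHA-256 digest for the exact fingerprint and a set of hashed byte n-grams compared with the Jaccard index for the similarity fingerprint, which is one simple way to get the "similar but not identical" property the article attributes to fuzzy hashing. The sample files, host names (ws-01 to ws-03) and file names are constructed for the example.

```python
import hashlib
from collections import defaultdict

# ---- Constructed sample "files" (stand-ins for binaries seen crossing the network) ----
ORIGINAL = b"beacon host alpha|sleep interval short|upload staged archive|retry on failure|persist via scheduled task|"
VARIANT = ORIGINAL.replace(b"interval short", b"interval long")   # an adapted copy of the same tool
UNRELATED = b"1024,2048,4096,8192,16384,32768,65536,131072,262144,524288,1048576"  # an unrelated data file


def exact_fingerprint(data: bytes) -> str:
    """Cryptographic hash: identical bytes give an identical fingerprint,
    while a single changed byte gives a completely different one."""
    return hashlib.sha256(data).hexdigest()


def similarity_fingerprint(data: bytes, n: int = 4) -> frozenset:
    """Similarity-preserving fingerprint (illustrative, not Sourcefire's algorithm):
    the set of hashed overlapping byte n-grams. Editing a few bytes only disturbs
    the n-grams that overlap the edit, so a modified variant keeps most of the
    set in common with the original."""
    return frozenset(
        hashlib.blake2b(data[i:i + n], digest_size=8).hexdigest()
        for i in range(len(data) - n + 1)
    )


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard index of two similarity fingerprints, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class FileLedger:
    """Records every file as it is first seen, keyed by its exact hash, so the
    record can be queried later when threat intelligence changes."""

    def __init__(self):
        self.sightings = defaultdict(list)  # exact hash -> [(host, filename), ...]
        self.fuzzy = {}                     # exact hash -> similarity fingerprint

    def record(self, host: str, filename: str, data: bytes) -> str:
        digest = exact_fingerprint(data)
        self.sightings[digest].append((host, filename))
        self.fuzzy[digest] = similarity_fingerprint(data)
        return digest

    def retrospective_matches(self, malicious_hash: str) -> list:
        """Exact retrospection: where was this now-known-bad hash seen before?"""
        return list(self.sightings.get(malicious_hash, []))

    def retrospective_similar(self, malicious_sample: bytes, threshold: float = 0.7) -> list:
        """Fuzzy retrospection: which recorded files resemble the malicious sample,
        including adapted variants whose exact hash never matched?"""
        target = similarity_fingerprint(malicious_sample)
        hits = []
        for digest, fingerprint in self.fuzzy.items():
            score = similarity(target, fingerprint)
            if score >= threshold:
                for host, filename in self.sightings[digest]:
                    hits.append((host, filename, round(score, 2)))
        return sorted(hits)


def build_ledger() -> FileLedger:
    """Day 0: three files cross the perimeter and are fingerprinted; none is yet known to be bad."""
    ledger = FileLedger()
    ledger.record("ws-01", "updater.bin", ORIGINAL)
    ledger.record("ws-02", "updater.bin", VARIANT)
    ledger.record("ws-03", "sizes.csv", UNRELATED)
    return ledger


if __name__ == "__main__":
    ledger = build_ledger()
    # Day N: analysis concludes ORIGINAL is malware; look back at what was already seen.
    bad_hash = exact_fingerprint(ORIGINAL)
    print("exact matches:", ledger.retrospective_matches(bad_hash))
    print("similar files:", ledger.retrospective_similar(ORIGINAL))
```

The exact lookup finds only ws-01, because the adapted copy on ws-02 hashes differently; the similarity query finds both, while the unrelated file on ws-03 shares no n-grams and scores zero. The threshold is the tuning knob a defender has to set: too low and benign files that share common code with the sample start to alert, too high and adapted variants slip through.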
In terms of how this applies to the recent Chinese hacking of the American newspaper, Martin Roesch, founder and interim CEO of Sourcefire, had this to say: "Sourcefire's position is that retrospective security capabilities may have mitigated the risk. Retrospective alerting highlights alerts on files previously seen and thought to be safe but now, according to the latest threat information and analysis, are identified as malicious."
“This incident is the latest example of how attackers and their tools have advanced to evade traditional defences. The reality is that it’s no longer a matter of if attackers get in, but when. Point-in-time security that only has one shot to determine if a file is malware does not work by itself. A new model that also collects telemetry for continual analysis of what is happening in your environment is needed. This analysis can be used to determine scope, contain and ultimately remediate the malware automatically. This is what is called retrospective security.”