In-browser security specialist Trusteer has published a white paper – Stepping Up the Battle Against Advanced Threats – which says the endpoint has become the path of least resistance for cybercriminals, allowing hackers to get a firm foothold on enterprise networks.
The firm adds that, against this backdrop, advanced information-stealing malware is now being used as the main tool to enable APTs (Advanced Persistent Threats) and similar targeted attacks on enterprises.
According to Trusteer, in a typical phishing attack, cybercriminals send users a message in an attempt to lure them into performing an action that will result in malware infection, credential theft – or both.
In a spear-phishing attack, meanwhile, the attacker uses the same tools, only instead of a shotgun approach, the attacker personalises the message and targets specific users.
“This is because a personalised message is often more convincing and trusted by the users,” says the paper, adding that the message may contain a weaponised attachment and links to phishing and/or exploit-enabled Web sites.
The problem here, ITSP notes, is that the user does not need to initiate the drive-by download and, in most cases, is blissfully unaware that it is taking place.
Watering hole attacks
In a watering hole attack, meanwhile, Trusteer says that cybercriminals compromise a legitimate Web site that is routinely accessed by a specific type or group of users.
Using this approach means that the compromised site becomes an exploit site and infects its visitors with malware.
Because advanced information-stealing malware has become the main tool that enables APTs and targeted attacks on enterprises, Trusteer says that traditional methods such as user education, vulnerability patching and malware detection are failing to protect enterprises against the current threat landscape.
Attackers, says the paper, are continuously developing sophisticated tactics and evasion techniques to bypass the latest protection methods, requiring the security industry to find a different approach to malware protection.
Application control as a security mechanism
Against this backdrop, Trusteer says a useful application control approach involves isolating application tasks by executing the tasks in a virtual environment.
When an isolated application is compromised, the firm says, the threat remains inside the virtual environment and does not infect the underlying host.
Whilst this can be a very strong security control, it also introduces many challenges. Primarily, says the security vendor, end-user applications are not designed to run in isolation.
“On the contrary, applications are designed to inter-operate. Think about the simple copy-paste capability which allows users to copy content from one application (like the browser) and paste it into another application, such as a Word document,” says Trusteer’s white paper.
In this context, applications are also designed to interact with the underlying host, such as when saving files to the file system, printing files and so on.
These functions, notes the analysis, require the definition of special policies and the installation of special drivers to enable basic business workflow without impacting user productivity.
This creates a challenging situation in large enterprise environments, says Trusteer, especially those that consist of a variety of users, endpoint platforms and applications, and could potentially harm legacy applications.