Using Reputation to Defend Against Cybercrime

The nature of cybercrime is changing. It is no longer the concern of major companies, organizations and governments alone; all businesses are now potential targets. Today, cybercriminals have more and more ready-made, inexpensive tools at their disposal, and companies of all sizes are targeted for a variety of reasons: financial gain, of course, but also competitive advantage and even the pure challenge.

Highly targeted attacks are now commonplace and have led to a fundamental change in the way the war against cybercrime is waged. Advanced Persistent Threats (APTs), which rely on subtle and highly intelligent attack methods, have led to a change in approach by organizations seeking not only to defend themselves, but also to identify when their networks have been compromised. Such is the subtlety and effectiveness of APTs that they will have already compromised many organizations without their knowledge. Today, the use of signature-based technology is no longer sufficient: on the one hand, cybercriminals use extreme discretion and cunning to circumvent security, and on the other hand, their malicious attacks are able to avoid traditional detection.

Modern malware needs only one point of entry into the target system, and this can be achieved by simple tactics. Many successful attacks gain access to a company's network by sending a well-crafted email, containing a malicious link, to a single employee. As a result, employees may unknowingly make mistakes and trigger exploits that may lie latent, or operate with extreme subtlety to avoid detection.

So, how can organizations defend themselves from such skillful guerrilla warfare, and what are the telltale signs that a network has been compromised?

A 'Reputation and Customer Rating' strategy can help defend against attacks and identify when subversive activity has been successful. 'Customer Reputation and Rating' is a dynamic technique of aggregating and correlating security information collected from a network and comparing it to an existing database. The analogy in the world of insurance and finance would be how risk calculations are applied according to the profiles of customers applying for loans or insurance. This is an approach to 'reputation'.

The main types of behaviours and activities that have an impact on reputation and ratings are as follows:

- Connection Attempts

Failed connection attempts may indicate that malware is trying to connect to a host that does not exist because the malware's command and control center has changed to avoid detection. Of course, there may be legitimate reasons why a host is unavailable, but repeated unsuccessful attempts to connect to non-existent hosts will generate a bad rating.

- Application Profiles

A host that installs a P2P file sharing application may be considered riskier than a host that installs a game. While both of these actions may be considered problematic, the organization can 'measure' each action and score them accordingly.

- Geographical Location

Connecting to hosts in certain countries can be considered risky, especially if there is a significant amount of traffic involved. For example, employees based in the UK would have little reason to send or receive large files from Iran or North Korea. When calculating ratings, a whitelist can be used to exclude high-profile foreign sites.

- IP Session Information

A typical host opens sessions to other hosts but is less likely to accept sessions from them. Therefore, if a host starts listening on a port for connections from the outside, it may be considered suspicious or risky activity.

- Destination Category

Visiting certain types of websites, such as adult sites, should be considered a risky activity and should be scored accordingly.

By applying a rating system based on the activity of both the network and the people using the network, abnormal or high-risk actions can be identified, investigated or avoided. Customer Rating and Reputation can also be used as a basis for establishing thresholds and alerts for administrators to better defend and control their networks. Fortinet has added advanced Client Rating and Reputation capabilities to its latest security operating system, FortiOS 5. The ability to analyze huge amounts of information from a variety of sources to look for patterns in the packets, applications, and web sites that users visit now allows administrators to control their networks with advanced analytics and precise monitoring.
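The five behaviour types above can be combined into a per-host score with an alert threshold. The sketch below is an added example, not FortiOS code or Fortinet's scoring: the event format, the weights, the failure allowance, the threshold and the whitelisted host name are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Every weight and threshold here is an assumed value for illustration.
FAILED_ALLOWANCE, FAILED_POINTS = 3, 5     # a few failures can be legitimate
APP_POINTS = {"p2p": 30, "game": 10}       # P2P rated riskier than a game
RISKY_COUNTRIES = {"IR", "KP"}             # the article's two examples
GEO_WHITELIST = {"partner.example"}        # constructed known-good foreign site
GEO_POINTS, LARGE_POINTS, LARGE_BYTES = 10, 20, 10_000_000
INBOUND_POINTS = 25                        # host accepted a session from outside
CATEGORY_POINTS = {"adult": 15}
ALERT_THRESHOLD = 50

def score_hosts(events):
    """Return {host: Counter(behaviour -> points)} for a list of event dicts."""
    scores, failures = defaultdict(Counter), Counter()
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "conn_failed":
            failures[host] += 1
            if failures[host] > FAILED_ALLOWANCE:   # only repeated failures count
                scores[host]["failed_conn"] += FAILED_POINTS
        elif kind == "app":
            scores[host]["application"] += APP_POINTS.get(ev["app"], 0)
        elif kind == "geo":
            if ev["country"] in RISKY_COUNTRIES and ev["dest"] not in GEO_WHITELIST:
                heavy = ev["bytes"] >= LARGE_BYTES  # heavy traffic weighs more
                scores[host]["geo"] += GEO_POINTS + (LARGE_POINTS if heavy else 0)
        elif kind == "inbound_session":
            scores[host]["ip_session"] += INBOUND_POINTS
        elif kind == "web":
            scores[host]["destination"] += CATEGORY_POINTS.get(ev["category"], 0)
    return scores

def alerts(scores, threshold=ALERT_THRESHOLD):
    """Hosts whose total score reaches the threshold, highest first."""
    totals = {h: sum(c.values()) for h, c in scores.items()}
    hits = [(h, t) for h, t in totals.items() if t >= threshold]
    return sorted(hits, key=lambda item: -item[1])

# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [{"host": "10.0.0.5", "type": "conn_failed"}] * 8 + [
    {"host": "10.0.0.5", "type": "inbound_session"},
    {"host": "10.0.0.5", "type": "geo", "country": "KP",
     "dest": "files.example", "bytes": 50_000_000},
    {"host": "10.0.0.9", "type": "app", "app": "game"},
    {"host": "10.0.0.9", "type": "geo", "country": "IR",
     "dest": "partner.example", "bytes": 90_000_000},
    {"host": "10.0.0.7", "type": "app", "app": "p2p"},
    {"host": "10.0.0.7", "type": "web", "category": "adult"},
]
```

Calling `alerts(score_hosts(SAMPLE_EVENTS))` flags only the host that combines repeated failed connections, an inbound session and a large transfer to a risky country; the whitelisted transfer from 10.0.0.9 adds nothing to its score.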

 
