Comment: Cybercrime Goes Back to the Future

Darren Turnbull of Fortinet examines the importance of sandboxing as a key tactic in the fight against advanced persistent threats

The security landscape is changing. Gone are the good old days when cybercrime was random, generally dumb and was all about evading anti-virus signatures. In the era of the advanced persistent threat (APT), malware attacks are a lot more subtle and intelligent, and much more dangerous.

In a way, cybercrime has become somewhat old school in its approach. It’s not always about brute force. Cybercrime today has more in common with the golden era of spying and Philby, Burgess and Maclean – infiltrate, stay hidden, and extract information without detection. In a world where information is increasingly valuable, it’s easy to understand why cybercrime has adopted this approach.

The stakes are extremely high. Knowledge is power, and a well-planned and executed attack that sees the successful embedding and implementation of malicious code can cause havoc for an organization. The goal is increasingly intellectual property as opposed to the blunt theft of more traditional information, such as credit card details. It is here where the biggest risk to an organization lies. Competitive advantage, insider information and sellable IP are all far more valuable to both the private cybercriminal and the emerging (and as yet unproven) state-sponsored attacks. In the 21st century, nation-states fight over commerce, and where better to wage war than in cyberspace?

APTs are aided by the rapid uptake of new ways of working, such as bring your own device (BYOD), where endpoints are also used for non-business use. This is increasingly the front line, and something as simple as a link on Facebook to an infected webpage can prove the entry point into an organization’s network. It appears almost ridiculous that something so seemingly innocent can have such profound and serious consequences, but this is the reality of life in the shadow of APTs.

Nevertheless, there are ways to spot the spy trying to infiltrate a network, even when they’ve gained access and embedded themselves. They will invariably leave tell-tale signs. It’s simply a case of looking for the signs and, in the case of a suspected ‘spy’, fooling them into making mistakes that will allow them to be identified.

Sandboxing is one of the ways in which this is achieved. Malware has always tried to disguise itself, and modern malware is incredibly clever in this regard. Malware developers make their software ‘aware’ of its surroundings, so the trick is to make it think it has reached its destination and then watch and listen to what it does.

The sandbox – which can be local or cloud based – is not a new idea, but it does provide a tightly controlled virtual environment in which only the basic resources are provided to allow suspicious or unknown software to run. Network access and other critical functions are restricted. But how do you choose which software needs to be ushered into a sandbox virtual environment for closer scrutiny?

There are five initial exploit and exfiltration behaviors that, either in isolation or in tandem, can point to malware activity. For example, some APT payloads include code that randomly generates strings of IP addresses intended to aid propagation, or may attempt to make connection with a command-and-control server to exfiltrate data or signal further attack resources via a botnet. If you have the details of the malicious server, it’s the equivalent of a suspected spy that you have under surveillance calling his/her spymaster and giving them away.

Also, documented APT cases have involved numerous techniques for obscuring (obfuscating) the real meaning and intent behind malicious JavaScript code and, of course, the APT will likely mimic the behavior of its host device or application to avoid detection. As such, the trend toward encrypted malware within APT payloads puts all encrypted traffic at elevated risk.

To speed up the process and deliver more control, sandboxing ideally operates as part of a layered strategy. The first line of defense will be the anti-virus engine, which is supported by an inline, real-time onboard sandbox. If the threat proves sufficient, the suspicious files can be submitted to a cloud-based sandbox for further analysis. This layered and unified approach is far more effective – and it needs to be. As cybercrime becomes more advanced and multi-layered, so too must the defense against it, as well as the security stance of any organization.

Yet there persists a belief among many, if not most enterprises and organizations, that none of this really applies to them. In cyberspace, however, there are no boundaries, and every organization, no matter how large or small, is a potential target. If it’s that easy (and cheap) to use social routes to gain access to a network, then what’s to stop competitors or petty cybercriminals from targeting you? This is the message that needs to be understood by enterprises and organizations the world over, and it is the duty of the security industry to get this message across.

Cyberspace is where crime and war take place today. The days of the masked raider and the foot soldier are coming to an end. Traditional IT security defenses are no longer adequate and there is an increasing urgency for organizations to adopt a more modern and intelligent approach to threat detection and remediation.


Darren Turnbull is vice president for strategic solutions at Fortinet. He has been responsible for ensuring that the development of Fortinet’s solutions aligns with both the functional and performance requirements across a range of technologies and network environments. Turnbull’s remit extends across aspects of software, hardware and FortiGuard service development. Prior to Fortinet, he spent nearly twenty years with British Telecom in the UK in a variety of senior operational, network and security design roles.
