
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Advanced Cyber Attacks and Cyber Defenses

August 30, 2018 By Emil Hozan

Abstract Cyberz

With time and devotion, just about anything that’s conceptually realistic can come to fruition. This is how innovation and advancements take place. Start with an idea, then explore and expand on it – note that creativity is required. Eventually time and resources invested can pay off. This is true for perspectives from both good and bad stances. Good things tend to yield good and pleasurable outcomes, bad things tend to produce undesirable outcomes (well, at least from the good side’s point of view).

Where does that take us now and what does this have to do with cyber security?

Well, in a previous post I covered the “basic” types of cyber attacks – viruses, malware, network attacks – where the main takeaways were potentially unwanted programs (PUPs) and the fact that different variants of attacks were uniquely trackable via an attack signature. WatchGuard offers Gateway AntiVirus (GAV) and Intrusion Prevention Service (IPS) to protect against these standard attacks.

Taking those highlights in conjunction with the first part of this post, let’s move forward to more advanced forms of attacks – advanced persistent threats (APTs) and zero day malware. These attacks aren’t tracked with traditional signatures; instead, MD5 hashes computed from the file itself are used. Similar to uniquely tracking signatures, hashes offer the ability to track advanced attacks. WatchGuard offers APT Blocker, which incorporates Lastline’s hash database and its emulation lab.

If you’re asking how this is any different from the basic forms of attacks in terms of traceability and blocking, then I’d say that’s a great question to ask! What APT Blocker offers that GAV and IPS don’t is the emulation lab. Since GAV and IPS work from already known exploits, unknown exploits (also known as zero day malware) and targeted, high-profile attacks (APTs) wouldn’t get caught by these services. The way these advanced attack forms can be analyzed and tracked is really to just let them loose in a controlled environment. This is where sandboxing and honey pots / nets come into play.

Now bear in mind, completely blocking ALL attacks with 100% accuracy is really tough and not a very feasible expectation. What can be done then? This is where a “layered security” approach comes into play. That is, utilize various layers of security in different forms – GAV, IPS, APT Blocker, host or network firewalls, etc. – for maximum protection against various forms of attacks.
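As an added illustration for the two paragraphs above (not code from this post or from WatchGuard’s products), the following Python contrasts the two lookup styles discussed and shows why layering matters: a whole-file hash only matches the exact file already in the database, a byte-pattern signature also catches a modified variant, and a file that matches neither is exactly the case the sandbox has to handle. The sample bytes, the hash database and the signature are all constructed for the example.

```python
import hashlib
from typing import Optional

# Constructed sample "files" for the demonstration; not real malware.
KNOWN_BAD = b"MZ\x90\x00" + b"constructed-sample-payload-A" * 4
NEW_VARIANT = KNOWN_BAD + b"\x00"      # one extra byte: a never-seen file
CLEAN_FILE = b"MZ\x90\x00" + b"ordinary-business-document" * 4

def md5_of(data: bytes) -> str:
    """Whole-file hash, the value a hash-database lookup would use."""
    return hashlib.md5(data).hexdigest()

# Constructed hash database: only the original sample has been catalogued.
HASH_DB = {md5_of(KNOWN_BAD)}

# Constructed signature: a byte pattern shared by the family rather than
# a hash of one exact file.
SIGNATURES = {"sample-family-A": b"constructed-sample-payload-A"}

def hash_layer(data: bytes) -> bool:
    """Exact-match layer: only files already in the hash database are caught."""
    return md5_of(data) in HASH_DB

def signature_layer(data: bytes) -> Optional[str]:
    """Pattern layer: matches any file that carries a known byte pattern."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def layered_verdict(data: bytes) -> str:
    """Run the layers in order and report which one produced the block."""
    if hash_layer(data):
        return "blocked:hash"
    sig = signature_layer(data)
    if sig:
        return f"blocked:signature:{sig}"
    # Neither layer fired. A clean file and an unknown malicious file look
    # identical here; this is the point where sandbox analysis has to decide.
    return "allowed"

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_BAD), ("variant", NEW_VARIANT),
                          ("clean", CLEAN_FILE)):
        print(f"{label:8} md5={md5_of(sample)[:12]}... {layered_verdict(sample)}")
```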

To back that up, there are other services available: Reputation Enabled Defense (RED), Botnet Detection, Geolocation, DNSWatch, as well as Threat Detection and Response (TDR).

Briefly, RED uses intelligence from various anti-malware vendors and cross-checks URLs being requested by users, as well as redirection attempts. This is good in terms of identifying potentially compromised or malicious websites. Integrated with RED is Botnet Detection, which automatically blocks known botnet IP addresses. Botnets refer to a centralized command and control server that threat actors use to communicate with infected hosts in networks around the globe. DNSWatch assesses DNS requests made by local hosts and can deny connection attempts.

Another service offered is TDR. Let’s just say that something somehow has managed to get past all of the above services and infiltrate your network hosts. TDR offers real-time analysis for hosts and uses heuristics and forensics to determine potential attacks. The installed host sensors collect information related to files, processes, network connections, and registry keys on the host. One last feature to cover is Geolocation. Just as the name implies, you can use this service to restrict communication with IPs in certain countries. This is a great way to block access by country and allow only connections to / from the countries you do business with exclusively.

There are other services that WatchGuard offers that allow a tighter rein on network activity. Check this link out for more details about the above services and ones not covered in this post.

In summary, there is no “one size fits all” approach to network security. In fact, if there was and that ONE way was exposed in some fashion, then security overall is not doing much. This is a benefit of the multi-layered approach. If one layer falls through, then another layer should pick up.

Filed Under: Editorial Articles Tagged With: Infosec news
