There are many different techniques used in network security. Some techniques fit specific situations well and other situations not so well. Some techniques become less effective over time. Often, new and much more effective systems and technologies come in and take their place.
One of these waning technologies is called ‘honeypots’. For years, traditional security companies have used honeypots as the primary method for collecting threat samples. However, an important issue with this approach is that a honeypot does not behave exactly like a real end-user environment because it is generally automated and programmed to behave in a certain way.
Security researchers are likely to miss threats catalysed by user interaction if they are only looking at the subset of data generated by an automated honeypot. The limitations of honeypots also make them only marginally effective in identifying malware threats that target endpoints via the web or email. Any unanticipated user interaction, or attempt to trick the user, may be missed.
Handling today’s threats
The majority of today’s email-borne threats are socially engineered and designed to get around honeypot-based detection systems. These targeted attacks are referred to as ‘spear phishing’. Spear phishing messages are specifically targeted at an organisation, a specific demographic of users, or in some cases, a specific user. These messages are engineered to prompt the user to visit a web page where the user’s machine can be infected through a download or drive-by malware attack.
Spear phishing attacks are often not detected by honeypot-based security tools until a large number of users have been infected. Most spear phishing attacks drive the user to perform an action. Where a honeypot could catch an attachment, or a single malicious link, a machine is ill-equipped to understand the social engineering that goes into most successful attacks.
In some cases it may be as simple as replying with a username and password, but in most cases the attack drives a user to click a web link in the email. In the simplest attacks, the link leads directly to the downloading of a malware file. But with security tools increasing their capabilities, so have attackers. Attackers are using sophisticated socially engineered sites that gain a user’s trust. These sites are then used to get the user to divulge information, or install infected files.
In one example, the spear phishing email looked like an invitation from Human Resources to view a training video. On initial load the site looked like a professional website with training information. Once the user clicked on the video, they were directed to download a browser plug-in to play the video. Instead of a browser plug-in, they received malware designed to infiltrate the system and gather information.
There have been a number of similar attacks using recent news stories as the bait video. A machine-based honeypot lacks the ability interact in the way a human user would, leaving many potential threats undetected until it is too late. In addition, many honeypot detection systems are built in virtual machine environments. The cybercriminals developing today’s malware know this and will often scan for the use of virtual machines. If a virtual environment is detected, the malware will not run there, thus rendering the honeypot ineffective.
New technologies reduce the problems
New technologies are now available that avoid the limitations of honeypots. At many data centres around the world, cloud-based security tools are scanning all potential threats in the cloud in real-time. Our security labs team uses a console that consolidates information from these data centres into a single view. At any given moment our lab researchers could be identifying a zero-day Trojan that originated in Ukraine and a new ransomware variant that first appeared in Canada. This unique approach to collecting global data in real time allows us to identify threats early, usually on day zero.
Cloud security can provide protection for email, web and endpoints. This means that the data analysed by our team is coming directly from the three main malware threat vectors. Best of all, the data being analysed comes from live users. The data analysed contains the clues, traces, and evidence needed to identify an attack, without including information that can identify individual users.
Once a threat is identified, protection measures can be established for all threat vectors. For example, if a spear phishing attack is detected, not only is the email service updated to protect against the threat, but the web and endpoint services are also updated so that the user is protected, even if they receive a fraudulent message, and click or download infected links. Many spear phishing email attacks contain no malware but encourage the end user to click on a link that will load a web page running nefarious code. Threats are largely encountered via a combination of web or email, so the interconnectedness of detection and remediation across vectors and endpoints is extremely important.
Get your head in the clouds
We all know we can’t just sit around and wait for the rats to get stuck in our sticky traps. Constant, multi-layered, proactive monitoring throughout the corporate network and beyond is the order of the day. Traditional security vendors are often not equipped to rapidly assess, identify, and protect against the intricacies of sophisticated multi-vector attacks. Cloud-based security technologies provide constant threat identification and threat protection to deliver real-time, zero day protection.
This article was brought to you be Enex TestLab, content directors for CSO Australia.
Mark D. Parker, Senior Product Manager, iSheriff
Mark Parker has a unique knack for taking very technical concepts and presenting them in a manner that is understandable to a novice. Prior to his role of Senior Product Manager at iSheriff, Parker held senior product strategy and engineering roles at ContentKeeper Technologies, Trustwave and M86 Security.