Advancements in attack evasion techniques are making new threats extremely difficult to detect. The recent Duqu 2.0 malware, which was used to hack the Iranian nuclear pact discussions, Kaspersky Lab, and an ICS/SCADA hardware vendor, is a prime example. To keep up, a new security model that uses a different approach to the traditional “evidence of compromise” process is needed.
This next generation endpoint protection (NGEPP) model needs to address six core pillars that, when taken together, can detect the most advanced attack methods at every stage of their lifecycle:
Prevention. NGEPP must leverage proven techniques to stop known threats in-the-wild. A layer of preemptive protection can block existing threats before they can execute on endpoints. Instead of relying only on one vendor’s intelligence, it’s now possible to collectively tap more than 40 reputation services via cloud services to proactively block threats. This approach also uses a lightweight method to index files for passive scanning or selective scanning, instead of performing resource-intensive system scans.
Dynamic exploit detection. Using exploits to take advantage of code level vulnerabilities is a sophisticated technique used by attackers to breach systems and execute malware. Drive-by downloads are a common threat vector for carrying out exploit attacks. NGEPP should provide anti-exploit capabilities to protect against both application and memory-based attacks. This should be achieved by detecting the actual techniques used by exploit attacks – for example: heap spraying, stack pivots, ROP attacks and memory permission modifications – not by using methods that are dependent on static measures, like shellcode scanning. This approach is much more reliable, since the exploitation techniques themselves are not as easy to change.
Dynamic malware detection. Detecting and blocking zero-day and targeted attacks is a core NGEPP requirement. This involves real-time monitoring and analysis of application and process behaviour based on low-level instrumentation of OS activities and operations, including memory, disk, registry, network and more. Since many attacks hook into system processes and benign applications to mask their activity, the ability to inspect execution and assemble its true execution context is key. To protect against a variety of attacks and scenarios this detection capability is most effective when performed on the device.
While many vendors now offer endpoint visibility, which is a leap forward, it cannot detect zero day attacks which do not exhibit any static indicators of compromise.
Mitigation. Detecting threats is necessary, but insufficient. The ability to perform mitigation must be an integral part of NGEPP. Mitigation options should be policy-based and flexible enough to cover a wide range of use cases, such as quarantining a file, killing a specific process, disconnecting the infected machine from the network, or even completely shutting it down. In addition, mitigation should be automated and timely. Quick mitigation during inception stages of the malware lifecycle will minimise damage and speed remediation.
Remediation. During execution, malware often creates, modifies, or deletes system file and registry settings and changes configuration settings. These changes, or remnants that are left behind, can cause system malfunction or instability. NGEPP must be able to restore an endpoint to its pre-malware, trusted state, while logging what changed and what was successfully remediated.
Forensics. Since no security technology will ever be 100 percent effective, the ability to provide real-time endpoint forensics and visibility is a must for NGEPP. Clear and timely visibility into malicious activity that has taken place on endpoints across an organisation is essential to quickly assess the scope of an attack and take appropriate responses. This requires a clear, real-time audit trail of what happened on an endpoint during an attack and the ability to search for indicators of compromise across all endpoints.
To completely replace the protection capabilities of existing legacy, static-based endpoint protection technologies, NGEEP needs to be able to stand on its own to secure endpoints against both legacy and advanced threats throughout various stages of the malware lifecycle.
