Today's Cyber Attacks: Targeted, stealthy, personalized and zero-day
Cyber criminals have figured out how to evade detection by bypassing traditional defenses. Using toolkits to design polymorphic threats that change with every use, move slowly, and exploit zero-day vulnerabilities, the criminals have broken in through the hole left by traditional and next-generation firewalls, IPS, anti-virus and Web gateways. This new generation of organized cybercrime is persistent, capitalizing on organizational data available on social networking sites to craft highly targeted ‘phishing’ emails and malware aimed at the types of applications and operating systems (with all their vulnerabilities) typical in particular industries.
Once inside, advanced malware, zero-day and targeted APT attacks will hide, replicate, and disable host protections. After it installs, it phones home to its command and control (CnC) server for instructions, which could be to steal data, infect other endpoints, allow reconnaissance, or lie dormant until the attacker is ready to strike. Attacks succeed in this second communication stage because few technologies monitor outbound malware transmissions. Administrators remain unaware of the hole in their networks until the damage is done.
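The second communication stage described above leaves a measurable trace: a compromised host contacting the same external address on a fixed schedule. The following is an added example, not Palo Alto Networks code, showing the kind of outbound-traffic check the paragraph says few technologies perform. The log format, the sample records and the thresholds (five events, 10% interval jitter) are constructed assumptions chosen for illustration.

```python
"""Flag periodic outbound connections (beacon-like "phone home" traffic).

Constructed example, not Palo Alto Networks code: the log format and
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed outbound-connection log: "timestamp src dst dport" per line.
# Host 10.1.1.20 contacts 203.0.113.8:443 roughly every 300 seconds;
# host 10.1.1.21 browses irregularly.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.1.1.20 203.0.113.8 443
2024-03-01T09:00:01 10.1.1.21 198.51.100.5 443
2024-03-01T09:05:00 10.1.1.20 203.0.113.8 443
2024-03-01T09:07:13 10.1.1.21 198.51.100.9 443
2024-03-01T09:10:01 10.1.1.20 203.0.113.8 443
2024-03-01T09:12:47 10.1.1.21 198.51.100.5 80
2024-03-01T09:15:00 10.1.1.20 203.0.113.8 443
2024-03-01T09:20:00 10.1.1.20 203.0.113.8 443
2024-03-01T09:31:08 10.1.1.21 198.51.100.5 443
2024-03-01T09:25:01 10.1.1.20 203.0.113.8 443
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    records.sort(key=lambda r: r[0])
    return records


def detect_beacons(text, min_events=5, max_cv=0.1):
    """Return {(src, dst, dport): stats} for flows whose inter-connection
    intervals are regular enough to look like scheduled check-ins.

    max_cv is the maximum coefficient of variation (stdev / mean) of the
    intervals; a value near zero means a fixed timer with little jitter.
    """
    times = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        times[(src, dst, dport)].append(ts)

    suspects = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few contacts to judge periodicity
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            suspects[key] = {"events": len(stamps), "mean_interval": mean, "cv": cv}
    return suspects


if __name__ == "__main__":
    for (src, dst, dport), stats in detect_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} every ~{stats['mean_interval']:.0f}s "
              f"({stats['events']} events, cv={stats['cv']:.3f})")
```

On the constructed log, only the 10.1.1.20 to 203.0.113.8:443 series is reported (six contacts about 300 seconds apart). Malware that randomizes its sleep interval raises the coefficient of variation, so in practice the jitter threshold is tuned against the environment's baseline and combined with other signals such as destination reputation and the regularity of bytes sent.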
APTs can be characterized by the attackers’ quest to gain long-term control of compromised computer systems. Whether attackers use viruses, Trojans, spyware, rootkits, spear phishing, malicious email attachments or drive-by downloads, their malware enables the simple disruption or long-term control of compromised machines. APTs can be nation-state or rogue actors using completely unknown malware or buying access to systems previously compromised with known malware installed through social engineering, spear phishing, or drive-by downloads.
See What You’ve Been Missing
In the past, it was easy for firewalls to control applications because traffic could easily be classified based on ports and protocols using stateful inspection technology. But today’s modern Internet applications are no longer tied to specific ports or protocols, and often use encrypted SSL tunnels or other tactics to avoid detection. These applications bypass traditional firewalls with ease, resulting in increased business risks.
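The contrast in this paragraph, classifying traffic by port versus by what the bytes actually carry, can be shown in a few lines. The following is an added example and not Palo Alto Networks code: it labels each connection twice, once from the destination port alone and once from a signature on the first client bytes, and reports where the two disagree. The signature rules, the port table and the sample payloads are constructed assumptions for illustration, not real captures.

```python
"""Classify connections by payload content rather than destination port.

Constructed example, not Palo Alto Networks code: the signatures, port
table and sample flows are assumptions chosen for illustration.
"""
import re

# What a port-only classifier would assume each port carries.
PORT_EXPECTATION = {22: "ssh", 80: "http", 443: "tls"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload):
    """Infer the application from the first client bytes of a connection."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version 0x03 0x0X,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if HTTP_REQUEST.match(payload):
        return "http"
    return "unknown"


def classify_flows(flows):
    """For each (dport, payload) return the port-based label, the content-based
    label, and whether the two disagree (the cases a port-only firewall misses)."""
    results = []
    for dport, payload in flows:
        port_label = PORT_EXPECTATION.get(dport, "unknown")
        app = identify_app(payload)
        results.append({
            "dport": dport,
            "port_label": port_label,
            "app": app,
            "mismatch": app != port_label,
        })
    return results


# Constructed first-packet payloads (truncated; not real captures).
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),   # TLS ClientHello on 443
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),           # HTTP on 80
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                                        # SSH carried over 443
    (8080, b"\x16\x03\x03\x00\x9a\x01\x00\x00\x96\x03\x03" + b"\x00" * 32),  # TLS on a non-standard port
    (80, b"\x00\x00\x00\x0c\x00\x01\x00\x00" + b"\x00" * 8),                   # binary protocol on 80
]

if __name__ == "__main__":
    for r in classify_flows(SAMPLE_FLOWS):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"port {r['dport']:>5}: port says {r['port_label']:<7} "
              f"content says {r['app']:<7} {flag}")
```

Three of the five constructed flows are mismatches: SSH on 443, TLS on 8080, and an unidentified binary protocol on 80. A port-based policy sees the first as ordinary HTTPS and the second as nothing in particular, which is exactly the blind spot the paragraph describes. Content identification only sees the first bytes in the clear, so for encrypted sessions a real implementation also inspects the TLS handshake (server name, certificate) or decrypts where policy allows.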
The Application Visibility and Risk Report
Palo Alto Networks can show you exactly what your firewall has been missing with the Application Visibility and Risk Report (AVR Report). The AVR Report provides a business risk assessment based on the analysis of the application traffic traversing the network, taking into account the different types of applications, how they are being used and the relative security risk. By looking at the associated risks along with how the applications are being used, administrators can make more informed decisions on how to treat the applications via a security policy.
How the AVR Report Service Works
Generating an Application Visibility and Risk Report involves deploying a Palo Alto Networks next-generation firewall within the network, where it monitors the application traffic traversing the Internet gateway. At the end of the data collection period, an AVR Report is generated that provides an analysis of the application traffic, the overall security risk rating, and the related business risk. The report closes with a detailed look at how effective the existing technologies are at supporting and enforcing the customer's application usage control policies.