Are You Prepared for the Nation State Attack?

Are You Prepared for the Nation State Attack?

New information about the Advanced Persistent Threat (APT) is hitting media headlines every day. In just the last few months alone, we have read horror stories of sophisticated malware like Duqu2 (which uses a kernel mode exploit to load its kernel mode component), targeted attacks against NATO members and the White House termed Operation Pawn Storm (which attracted massive media attention in April), and Equation Group, the well-known, possibly government-sponsored advanced threat group, that gained mass attention in February.

What looked like a nation-state-only threat, no longer is. Breaches, like the one on the Hacking-Team reported earlier this week, place a massive amount of resources into the hands of malware authors that were limited to well-funded, typically state-sponsored attack groups. A breach of this extent could be a game-changer, providing attackers with an arsenal of powerful weapons that traditional security solutions have difficulty fighting, if they stand a chance at all!

Fighting Zero-Day Exploits in Malware

With malware authors arming up, companies have to ask themselves if they are prepared for this next wave of advanced malware. It is no secret that traditional antivirus solutions cannot keep up, and that many sandbox-based systems are being bypassed by evasive malware. But at least some solutions – until now – were able to find traces of the known exploits used in the wild today.

Can these solutions really defend against this new wave of malware that uses evasive code to launch zero-day exploits against your systems? As we’ve stated before, most solutions have a fundamental flaw in their visibility into malware execution, and are thus limited in what they can defend against.

Full System Emulation (FUSE™) for Full Visibility

Clearly, having full visibility becomes the key requirement for an effective security solution. Having just any sandbox is no longer enough – organizations need a solution that cracks down on evasion, is able to track malicious code running in user- as well as kernel-mode, is able to detect previously-unseen, zero-day exploits against hosts, and is able to adapt and evolve with the ever-changing threat landscape.

The Lastline solution performs automated analysis using a full-system emulation (FUSE) approach. This provides our solution with a complete picture of the malicious behavior exhibited by malware, and allows it to analyze and detect even the latest zero-day attacks.

This ability is highlighted in a Lastline Labs post on kernel-exploitation released earlier this week. It shows how FUSE allows the Lastline solution to track malicious code injected into the Microsoft Windows operating system (OS), and subsequently see behaviors exhibited by malware in the context of the OS kernel, well-hidden below most layers of protection provided by traditional security solutions.

Winning the Fight

The sophistication of attackers’ tools is growing at a pace most security solutions cannot match. We, as an industry, need to provide customers with best-of-breed solutions that are capable of adapting to a constantly evolving threat. With attackers gaining tools at the level of nation-states, these solutions must defend at the same level of sophistication. They must integrate with every technology available in a customer network and fight these attacks with the entire spectrum of arms available!

Clemens Kolbitsch

Clemens Kolbitsch

Clemens is a Security Researcher and engine developer at Lastline. As a lead-developer of Anubis, he has gained profound expertise in analyzing current, malicious code found in the wild. He has observed various trends in the malware community and successfully published peer-reviewed research papers. In the past, he also investigated offensive technologies presenting results at conferences such as BlackHat.
Clemens Kolbitsch