Network Access Control and Collaborative Security Against APT and AET

Ghizlane Orhanou (Mohammed V University, Morocco), Abdelmajid Lakbabi (Mohammed V University, Morocco), Nabil Moukafih (Mohammed V University, Morocco) and Said El Hajji (Mohammed V University, Morocco)
Copyright: © 2018 | Pages: 30
DOI: 10.4018/978-1-5225-5736-4.ch010

Abstract

Cybercrime is rising due to the appearance of a new generation of attacks, APT and AET, and the reactionary aspect of the protection systems implemented in the IP networks. In this chapter, the authors analyze the gap between the innovative aspect of those attacks and the reactive aspect of the security measures put in place inside victim networks. The challenge is to shift this security aspect from reactive to proactive by adopting a collaborative approach based on NAC technology as a multi-level protection and IF-MAP as a security standard exchange protocol. First, a brief overview of NAC and IF-MAP is given. Then, the authors analyze the anatomy of these chained exploits and their escape techniques in order to propose an approach able to counter such attacks through the convergence towards a security ecosystem having the correlative intelligence to respond to challenges in real time and in a proactive way.
Chapter Preview

Introduction

Each day, the digital world discovers new types of attacks that exploit zero-day vulnerabilities. Recent and well-known examples are the wave of “ransomware” attacks (WannaCry in May 2017 and Petya in June 2017) that affected many countries and organizations around the world.

As a matter of fact, attacks on the Internet take place constantly, and they are mostly launched automatically from other infected machines or from botnets. Based on the type of the targeted resource, these attacks fall into three categories:

1. Infrastructure attacks: these aim to compromise vulnerable networked equipment, or to launch a sniffing attack or a DoS (Denial of Service) attack on the network.
2. Operating system attacks: some operating systems, such as Windows and Linux, are favorite targets of hackers because they are widely used in business and on the Internet.
3. Advanced attacks targeting vulnerabilities in client/server applications.

These types of attacks show clearly that cybercrime is increasing while the readiness of the protection systems lags far behind: the reactive protection systems deployed in IP networks (firewalls, IDPS (Intrusion Detection and Prevention Systems), antivirus) are not fast and efficient enough to contain a security incident or an attack in quasi real time, and above all before the targeted asset is damaged. Furthermore, application security is more complex than pure network security. Typically, applications offer services to an uncontrolled access area and are therefore exposed to unknown and potentially dangerous access; Web applications are a good example.

Furthermore, many companies and organizations around the world are facing what is called Advanced Persistent Threats (APT) which are sophisticated malicious attacks that use and combine different Advanced Evasion Techniques (AET) to escape the control of different security solutions and devices that are implemented in the targeted network.

These Advanced Persistent Threats, as the name suggests, are quite advanced and have the necessary access to allow malware and exploits to infiltrate organizations that are normally protected by the best current protection and prevention solutions. For years, these attacks have been used for obscure cyber-espionage purposes. Indeed, over the past seven years there is a history of several infiltrations of important organizations such as western governments and affiliated bodies (government ministries and agencies, think tanks, or subcontractors linked to governments). Some targeted attacks appear to be backed and supported by states or other powerful groups and agencies, given their complexity and the investment needed to sustain them (Sullivan, 2015). The BlackEnergy toolkit is a good example: it was used by many criminal groups and “recycles” malware from the Carberp family or Metasploit. Beyond the trivialization of these tools, which creates power chains and large, informal command structures, it is expected that these maneuvers will be industrialized.

The maturity of the “marketplace” for APTs has contributed greatly to creating an environment where the question has moved from “Have we been compromised?” to “How much data have we lost?”. Such an attack exploits a vulnerability in the computer system (in the operating system, in a software application, or even following a mistake by the user) for generally harmful purposes.

Through this chapter, the authors will analyze the anatomy of these new chained exploits and their escape techniques in order to propose an approach able to stop such attacks in quasi real time.

First, the authors analyze and bring to light the gap between the innovative, vanguard aspect of these new attacks and the reactive aspect of the security measures put in place inside victim networks. In fact, it is very difficult to respond in real time to these attacks while security solutions remain compartmentalized and not integrated. In addition, each security solution produces a considerable number of security events that are heterogeneous and difficult to correlate. Moreover, sensors usually work independently, which makes it hard to extract the security information that might help detect multi-step attacks. Therefore, correlation and sharing mechanisms become the key to dealing with such challenging IT security threats.
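The correlation problem described above, as an added Python example that is not part of the chapter: constructed log lines from three independent sensors (IDPS, antivirus, firewall) are normalized into one schema keyed by host, and a host is flagged only when all three sensors report on it within a short window, the multi-step view that no single sensor produces on its own. The sensor names, log formats and signature names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three heterogeneous sensors (not real logs).
# Host 10.0.0.12 appears in all three within minutes; 10.0.0.50 only in the firewall.
SAMPLE_LOGS = [
    ("ids", "2017-06-27T09:00:05 ALERT sig=SMB_EXPLOIT_ATTEMPT src=203.0.113.7 dst=10.0.0.12"),
    ("av",  "2017-06-27T09:01:40 host=10.0.0.12 threat=Ransom.Generic action=quarantine_failed"),
    ("fw",  "2017-06-27T09:02:10 DENY proto=tcp src=10.0.0.12 dst=198.51.100.9 dport=445"),
    ("fw",  "2017-06-27T11:30:00 DENY proto=tcp src=10.0.0.50 dst=198.51.100.9 dport=445"),
]

# One parser per sensor format; each exposes the affected host under the same name.
PARSERS = {
    "ids": re.compile(r"(?P<ts>\S+) ALERT sig=(?P<sig>\S+) src=\S+ dst=(?P<host>\S+)"),
    "av":  re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) threat=(?P<sig>\S+)"),
    "fw":  re.compile(r"(?P<ts>\S+) DENY proto=\S+ src=(?P<host>\S+) dst=\S+"),
}

def normalize(sensor, line):
    """Map a raw sensor line to a common event dict, or None if it does not parse."""
    m = PARSERS[sensor].match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "sensor": sensor, "detail": m.groupdict().get("sig", "deny")}

def correlate(logs, window=timedelta(minutes=10), required=("ids", "av", "fw")):
    """Return {host: sorted sensors} for hosts seen by every required sensor within `window`."""
    by_host = defaultdict(list)
    for sensor, line in logs:
        ev = normalize(sensor, line)
        if ev:
            by_host[ev["host"]].append(ev)
    hits = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            # Sensors that reported this host in the window starting at `first`.
            seen = {e["sensor"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if all(s in seen for s in required):
                hits[host] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS))  # only 10.0.0.12 is reported by all three sensors
```

Each sensor alone sees one low-confidence event; the merged view is what a NAC enforcement point could act on, for instance by isolating the flagged host.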
