Evolution of endpoint security products: endpoint detection and response

Posted by tzul at 2020-04-01

Evolution of endpoint threats

The complexity and diversity of malicious threats to endpoints have changed markedly. In just a few years, blind, direct and crude attacks have given way to targeted, precise and persistent advanced threats that stay hidden.

Advanced threats are also unlike the single threat events of the past. They are carried out in an orderly sequence of planned stages, each step calculated in advance: reconnaissance, weaponisation, delivery, exploitation, installation, penetration, C2 and data theft. The attacker reaches the final goal and the victim suffers heavy losses within a short time, yet discovering and resolving the intrusion takes weeks or months, and traditional security solutions are increasingly unable to deal with advanced threats effectively.

At the same time, what we define as an endpoint is no longer just a computer running Windows. An endpoint may now be any type of machine: laptop, desktop, server, mobile device, embedded device, SCADA system, even an IoT device. Faced with this varied and disorderly population of endpoints, it is hard to protect them in a unified way against such miscellaneous attacks.

Endpoint defence technology: from static to dynamic

Static endpoint defence relies on known samples to identify malicious files, URLs and related indicators. It compares the static code features of samples and depends on signature database updates to find new malicious threats. As attacks have evolved, attackers use a variety of techniques to evade traditional detection and defence, and the number of malicious samples captured each day now exceeds a million; this detection approach is clearly inadequate.

Dynamic endpoint defence uses machine power to counter malicious samples and their many variants, with techniques such as dynamic sandboxing. A sandbox executes an unknown file in a virtualised, simulated environment and judges whether it is a threat from its behaviour.

Attackers soon realised, however, that although a malicious sample cannot avoid the sandbox, it can actively check whether its current environment is a virtual one rather than the real target endpoint, using clues such as the limited simulation time, the absence of user interaction and the use of images of only specific operating systems. With these techniques the attacker makes sure the malicious code does not run inside a simulated environment and only executes once it reaches its final target.

A new generation endpoint security model

The core of new generation endpoint security is to use existing experience and technology to prevent known threats, and, through cloud threat intelligence, attack and defence expertise, machine learning and other means, to quickly discover and block advanced malware, zero-day exploits and other threats. At the same time, based on the endpoint's background data, the behaviour of malware and the full life cycle of an advanced threat, it carries out comprehensive detection and response: preventing, remediating and collecting evidence quickly and automatically, so as to protect the endpoint effectively.

Most security teams focus on the first half, hoping to prevent attacks with preset security policies and known techniques. Many of them have realised, however, that while this approach blocks known threats, no technology can guarantee 100% security against advanced threats without eventually being broken by attackers.

The focus of defence against advanced threats should therefore be placed on the second half of Figure 1: real-time detection of advanced threat events and automated response, with an automatic prevention mechanism that ensures the correct response is made as soon as a security event occurs.

Fig. 1. Endpoint security model

For the second half of the endpoint security model, advanced threats need to be detected proactively and in a better way, relying on automated, intelligent response rather than human intervention.

The comparison below contrasts static and dynamic technology (upper dimension) with behaviour-based detection and response (lower dimension):

Characteristics of endpoint detection and response

For advanced threat events, the corresponding security detection and response actions take place before, during and after the event.

Before a security event occurs, endpoint security data must be collected in real time, so that the collected endpoint context can later be used to trace a detected threat back to its root cause.

When a security incident occurs, the collected data is combined with threat intelligence to build awareness of endpoint security, uncover potential threats and give early warning of security risks. The scope of the incident is assessed and handling is automated and rapid, reducing the loss the incident causes the enterprise.

After a security event, the stored endpoint data is used to trace the event back to the affected endpoint, reconstruct how it unfolded, and remediate and gather evidence on the parts of the endpoint defence that proved insufficient.

Endpoint detection and response capabilities

Data collection: in a solution for advanced threats, the core is preventing the targeted attacks they involve. Since attackers can conceal their malicious behaviour in many ways, a lightweight agent must be installed on the endpoint to record behaviour data, static samples, software and hardware assets and other information (such as network activity, disk and memory access, and registry information) in real time and store it centrally, where it is available for real-time detection and security assessment.

Dynamic behaviour analysis: dynamic behaviour analysis does not depend on a specific threat indicator. It monitors and analyses the related operations on the endpoint in real time, examining what each operation actually does in order to decide whether the behaviour is malicious.

Cloud threat intelligence: big-data threat intelligence in the cloud is a major source of threat detection. Threat intelligence is analysed against endpoint behaviour in real time to confirm whether any endpoints in the enterprise have already been compromised, and the resulting endpoint threat information is shared among the endpoints to protect the others from the same kind of attack.

Automated response: automated response is the most important part of the whole. It requires flexible, policy-driven means to carry out the appropriate response action for an advanced threat at each stage of the kill chain, such as terminating a process, quarantining a file or applying a patch, so that the loss can be stopped immediately.
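The following Python sketch is an added example, not code from the original post or from any product it describes. It ties the three capabilities above together: constructed process and network telemetry (the data an agent would collect) is replayed in time order, a behaviour rule flags a document application that opens a script interpreter and a later outbound connection from that interpreter, and each alert carries the response action it would trigger; the host names, image sets and rule names are assumptions.

```python
"""Behaviour-based detection over endpoint telemetry, with an automated response per kill-chain stage."""

# Constructed sample telemetry (not real data): a suspicious chain on ws01 and a benign one on ws02.
EVENTS = [
    {"ts": 1, "type": "process", "host": "ws01", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"ts": 2, "type": "process", "host": "ws01", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"ts": 3, "type": "process", "host": "ws01", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"ts": 4, "type": "network", "host": "ws01", "pid": 300, "dst": "203.0.113.7:443"},
    {"ts": 5, "type": "process", "host": "ws02", "pid": 110, "ppid": 1, "image": "explorer.exe"},
    {"ts": 6, "type": "process", "host": "ws02", "pid": 210, "ppid": 110, "image": "chrome.exe"},
    {"ts": 7, "type": "network", "host": "ws02", "pid": 210, "dst": "198.51.100.4:443"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def process_table(events):
    """Index process-creation events by (host, pid) so later events can be tied to their lineage."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}

def ancestry(procs, host, pid):
    """Return the recorded image names from this process up through its parents (child first)."""
    chain = []
    while (host, pid) in procs and len(chain) < 32:   # depth bound guards against cyclic ppid data
        proc = procs[(host, pid)]
        chain.append(proc["image"])
        pid = proc["ppid"]
    return chain

def analyse(events):
    """Replay telemetry in time order; each alert names a kill-chain stage and the response it triggers."""
    procs = process_table(events)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        host, pid = e["host"], e["pid"]
        if e["type"] == "process" and e["image"] in SCRIPT_HOSTS:
            parent = procs.get((host, e["ppid"]))
            if parent and parent["image"] in OFFICE:          # document opened a script interpreter
                alerts.append({"host": host, "pid": pid, "stage": "exploitation",
                               "rule": "office_spawns_script_host", "response": "terminate_process"})
        elif e["type"] == "network":
            chain = ancestry(procs, host, pid)
            if chain and chain[0] in SCRIPT_HOSTS and any(i in OFFICE for i in chain[1:]):
                alerts.append({"host": host, "pid": pid, "stage": "c2",
                               "rule": "script_host_from_office_connects_out", "response": "isolate_host"})
    return alerts
```

Because the rules look at process lineage rather than file hashes, the benign browser connection on ws02 produces no alert while the same connection pattern from a script host descended from a document application does.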

Remediation and forensics: malware creates, modifies or deletes system files and registry settings and changes endpoint configuration, and these changes may cause system failure or instability. The solution must be able to restore the endpoint to its state before the malware executed and carry out a thorough security remediation. At the same time, malicious activity across the whole organisation must be clearly visible, so that security staff can quickly determine the scope and impact of the problem, supply more data to higher-level units, and gather evidence on the threat event.

Cross-platform support: the definition of an endpoint has been extended beyond computers running Windows to multiple platforms that all need support, with uniform control over a heterogeneous mix of endpoints. Windows and non-Windows endpoints, including OS X, Linux and mobile operating systems, should be manageable from a single console.

Data storage capacity: a large enterprise involves thousands of endpoints and distributed deployments, so endpoint detection and response requires a data storage platform that can scale with the rapid growth in endpoints and that offers massive storage and fast computation.

Intelligence sharing: generate endpoint threat intelligence from threat events, share it and acquire further knowledge and attack behaviour patterns to enrich threat intelligence sources. Support and use other standard formats (CEF, STIX, OpenIOC), and interface and integrate with leading network security products and solutions.
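As an added example (not code from the original post or any product), the Python below serialises an EDR alert in the CEF format named above so it can be handed to a SIEM, applying CEF's escaping rules (backslash and pipe in the header; backslash, equals sign and line breaks in extension values), and parses such a record back; the vendor, product, rule id and alert contents are constructed placeholders.

```python
"""Encode an EDR alert as a CEF record for sharing with a SIEM, and parse one back."""
import re
# Constructed sample alert (not real data); keys under "fields" are standard CEF extension names.
ALERT = {"rule_id": "edr-1001", "name": "Office|script host chain", "severity": 8,
         "fields": {"dvchost": "ws01", "sproc": "powershell.exe",
                    "act": "terminate_process", "msg": "office spawned powershell; cmd a=b\\c"}}

def _h(s):
    """Header fields: CEF escapes backslash and the pipe separator."""
    return str(s).replace("\\", "\\\\").replace("|", "\\|")

def _v(s):
    """Extension values: backslash, '=' and line breaks are escaped."""
    return (str(s).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(alert, vendor="ExampleEDR", product="Agent", version="1.0"):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension'."""
    sev = max(0, min(10, int(alert["severity"])))   # CEF severity is 0..10
    header = "|".join(_h(x) for x in ("CEF:0", vendor, product, version,
                                      alert["rule_id"], alert["name"], sev))
    ext = " ".join(f"{k}={_v(v)}" for k, v in alert["fields"].items())
    return f"{header}|{ext}"

def split_header(line):
    """Split on unescaped '|' into the 7 header fields; return them (unescaped) plus the rest."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):       # escaped char: keep the next char literally
            cur.append(line[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    return fields, line[i:]

# key=value pairs; a value runs until the next " key=" (values may contain spaces) or end of line
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|\s*$)")

def _unescape(v):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)

def from_cef(line):
    """Parse a CEF record back into the alert shape used by to_cef; raise on malformed input."""
    fields, ext = split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF:0 record")
    return {"rule_id": fields[4], "name": fields[5], "severity": int(fields[6]),
            "fields": {k: _unescape(v) for k, v in EXT_RE.findall(ext)}}
```

The round trip matters because a pipe in an alert name or an equals sign in a command line would otherwise shift every field the receiving system reads.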

Adaptive security architecture: the adaptive security architecture defined by Gartner consists of four phases (predict, prevent, detect and respond). Continuous monitoring and analysis must be the core of the architecture. A complete endpoint security solution should align with all four phases to provide comprehensive adaptive protection against advanced threats.

Summary

In the IoT era, endpoint security faces more severe challenges than before. Ever-changing business types and highly complex attacks create various security vulnerabilities, reduce the visibility and controllability of security, and make security management harder.

Endpoint detection and response therefore provides continuous visibility and control over advanced threats and reduces the complexity of discovering and handling them. A model that lets the security team deal with varied threats faster and more intelligently is imperative.

Recommended reading

▎ The return of security technology: the revival of endpoint security