Defending your network against APTs

August 3rd, 2015 | by Techgoondu
Brought to you by WatchGuard

With cybersecurity now on boardroom agendas, securing critical data assets has become a strategic issue rather than a matter for IT departments alone.

That is because sophisticated, persistent attackers are more capable than ever of getting past the defences of even well-guarded organisations, using methods that are hard to predict.

Take advanced persistent threats (APTs), for example. These threats take advantage of advanced techniques such as encrypted communications, kernel-level rootkits, and sophisticated evasion capabilities to get past a network’s defences.

More importantly, they often leverage zero-day vulnerabilities: flaws for which no patch is yet available and no detection signature has been written.

In 2012, WatchGuard Technologies Inc. discovered four zero day vulnerabilities that were being exploited in the wild. In 2013, the number of alerts for such threats rose to over a dozen.

As the APT moniker suggests, such threats are persistent, and they target not only nation states but also organisations large and small, stealing valuable information such as customers’ credit card numbers and proprietary corporate data.

The most high-profile APT in recent memory was the 2013 breach at US retail giant Target. The perpetrators first stole a contractor’s credentials to access Target’s systems, then installed malware on the retailer’s point-of-sale registers that harvested some 40 million credit card numbers from Target customers across the United States.

The consequences of such a breach can be enormous. Target’s profit for the fourth quarter of 2013 fell by almost 50 per cent, in large part because of the publicity around the breach, and its share price dropped about 9 per cent in the aftermath of the incident.

In the months following the Target breach, other large retailers disclosed data losses of their own. By the end of July 2014, the US Department of Homeland Security warned that point-of-sale malware of the kind used against Target, together with its variants, had compromised more than 1,000 networks.

Detecting such malware is not easy: it typically uses encryption and other evasion techniques specifically to avoid signature-based antivirus software.

According to a study by security specialist Lastline, only just over half of the anti-virus products tested detected a new malware sample on the day it appeared. Detection rose to about 60 per cent after two weeks, showing the lag between a new sample appearing and signatures catching up. Worse still, some samples slipped through for months, and others were never detected at all.

Part of the problem lies in how malware is observed. Conventional sandboxes run a sample inside a virtual machine and watch what it does, but a sample that recognises the virtual environment can simply behave normally until it is released onto a real host. Hooking-based sandboxes also see only the operating system calls they intercept; any activity that bypasses those hooks falls into a “blind spot” that malware writers deliberately exploit.

Full system emulation takes a different approach. Because it emulates the hardware itself, including the processor and memory, every instruction and system call passes through the emulator. This gives the deepest available visibility into malware behaviour while presenting far fewer of the tell-tale artefacts that let a sample detect it is being analysed.

Defending Against Advanced Persistent Threats With WatchGuard’s APT Blocker

WatchGuard’s APT Blocker, which was recently named a recipient of Frost & Sullivan’s 2015 New Product Innovation Award, is a good example of how full system emulation can protect organisations against APTs. It is a security service that can be added to any of WatchGuard’s Unified Threat Management (UTM) and Next Generation Firewall (NGFW) appliances.

Leveraging technology from breach detection provider Lastline, the company behind the Anubis tool used by researchers to analyse files for potential malware, APT Blocker first computes a fingerprint (a hash) of each file passing through the appliance and checks it against a local database of known verdicts.

If the file is unknown, it is analysed by a full system emulator in the cloud that watches for malicious activity and for the evasion techniques other sandboxes may miss.

Files already known to be malware are blocked at the firewall immediately. The caveat is that a file carrying a previously unseen, zero-day threat may already have passed through to its destination while the cloud analysis is still running. In that case the WatchGuard system alerts IT managers as soon as the verdict arrives, so they know that a suspected piece of malware has reached somewhere on the network and can act on it.
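The three steps above (hash lookup, cloud analysis of unknowns, and the fail-open window with a follow-up alert) are easier to reason about in code. The following is an added illustration written for this article, not WatchGuard’s or Lastline’s code: `toy_analyser` merely stands in for the cloud emulator, and every file body, host name and behaviour marker is constructed. It also shows why the hash lookup alone is not enough: a variant that differs by a single byte misses the cache and is delivered before the analyser can rule on it.

```python
"""Hash-lookup-then-dynamic-analysis file filter (added illustration).

Not WatchGuard or Lastline code: `toy_analyser` stands in for the cloud
emulator, and every file body, host name and verdict here is constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ALLOW, BLOCK, PENDING = "allow", "block", "pending"

# Behaviour markers the stand-in analyser "observes" in the constructed samples.
# A real emulator derives behaviours from executed instructions and system calls.
SUSPICIOUS_BEHAVIOURS = {
    b"WriteProcessMemory": "writes into another process",
    b"track2:": "scrapes payment card track data from memory",
    b"IsDebuggerPresent": "probes for an analysis environment",
}


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file body: the key for the appliance's local verdict cache."""
    return hashlib.sha256(data).hexdigest()


def toy_analyser(data: bytes) -> Tuple[str, List[str]]:
    """Stand-in for the cloud analysis: returns (verdict, activity report)."""
    report = [desc for marker, desc in SUSPICIOUS_BEHAVIOURS.items() if marker in data]
    return (BLOCK if report else ALLOW), report


@dataclass
class Alert:
    sha256: str
    destination: str
    report: List[str]


@dataclass
class FileFilter:
    analyse: Callable[[bytes], Tuple[str, List[str]]]
    known: Dict[str, str] = field(default_factory=dict)            # hash -> ALLOW/BLOCK
    in_flight: Dict[str, List[str]] = field(default_factory=dict)  # hash -> hosts that got it
    alerts: List[Alert] = field(default_factory=list)

    def inspect(self, data: bytes, destination: str) -> str:
        """Inline decision for a file headed to `destination`.

        Known hashes are answered from the cache. An unknown file is let
        through (fail-open) while analysis runs, and the recipient is recorded
        so that a later BLOCK verdict can still be acted on.
        """
        h = fingerprint(data)
        if h in self.known:
            return self.known[h]
        self.in_flight.setdefault(h, []).append(destination)
        return PENDING

    def complete_analysis(self, data: bytes) -> str:
        """Record the analyser's verdict and raise alerts for fail-open deliveries."""
        h = fingerprint(data)
        verdict, report = self.analyse(data)
        self.known[h] = verdict
        for host in self.in_flight.pop(h, []):
            if verdict == BLOCK:
                self.alerts.append(Alert(h, host, report))
        return verdict


# Constructed sample "files": plain byte strings with markers, not real malware.
CLEAN_FILE = b"MZ quarterly-report.pdf harmless content"
KNOWN_BAD = b"MZ track2: WriteProcessMemory IsDebuggerPresent"
REPACKED_VARIANT = KNOWN_BAD + b"\x00"  # one extra byte: same behaviour, new hash


def run_scenario() -> FileFilter:
    """Walk a known sample, a clean file and a re-packed variant through the filter."""
    f = FileFilter(analyse=toy_analyser)
    f.known[fingerprint(KNOWN_BAD)] = BLOCK        # verdict already cached on the appliance
    f.inspect(KNOWN_BAD, "pos-register-07")         # cache hit -> blocked inline
    f.inspect(CLEAN_FILE, "finance-laptop-12")      # unknown -> pending, delivered
    f.inspect(REPACKED_VARIANT, "pos-register-07")  # unknown -> pending, delivered!
    f.complete_analysis(CLEAN_FILE)                 # -> ALLOW, nothing to report
    f.complete_analysis(REPACKED_VARIANT)           # -> BLOCK, alert for pos-register-07
    return f


if __name__ == "__main__":
    result = run_scenario()
    for a in result.alerts:
        print(f"ALERT {a.sha256[:12]} reached {a.destination}: {'; '.join(a.report)}")
```

The point of `in_flight` is the operational one raised above: once a verdict comes back as BLOCK, the alert must name the host that already received the file, otherwise the analyser’s result is just another log line nobody acts on.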

Beyond detection, WatchGuard’s APT Blocker sends out actionable alerts, each accompanied by a detailed activity report for the file identified as malware.

This addresses a pain point IT managers face every day: being inundated with heaps of log data that looks suspicious but is hard to make sense of, and is therefore ignored.

Target, for example, did not act on the alerts its monitoring produced in the days after the initial intrusion, while US retailer Neiman Marcus, which fell victim to a similar data breach, missed more than 60,000 log entries indicating the presence of malware on its network.

With WatchGuard’s range of appliances, IT managers receive e-mail alerts and real-time log analysis, and can drill down for more information rather than stopping at a simple notice that a file is suspicious. A detailed malicious activity report is provided for each piece of potential malware.

You can get a free 30-day APT Blocker trial on all WatchGuard UTM and NGFW appliances. The service is fully integrated with WatchGuard Dimension, the award-winning security intelligence and visibility solution that comes free with all WatchGuard security appliances.

To learn more about WatchGuard appliances and other best-of-breed security services WatchGuard delivers on its UTM and NGFW platforms, visit
