Virtualization Technology News and Information
VMblog's Expert Interviews: Check Point Defines Five Generations of CyberAttacks, Mobile vs. Cloud Attacks, and Detection and Prevention


Cyber attacks have been going on since the 1980s. They may not have been as grandiose back then compared to today, but they did give rise to the anti-virus market. Modern attacks are driving a need for advanced threat "prevention" - no longer just threat "detection." Many businesses continue to work at a "reactive" level instead of staying "proactive" to prevent such attacks. Researchers at the cybersecurity company Check Point recently discussed these generations of cyber attacks, and believe most businesses today are built to deal with what they call "Gen II or Gen III" level attacks. To find out more, I spoke with Don Meyer, the company's head of product marketing for cloud and data center.

VMblog:  To kick things off, can you first walk us through what exactly the five generations of cyber-attacks are?

Don Meyer:  The first generation of cyber-attacks began in the late 1980s, coinciding with the mass adoption and use of personal computers by the general public and enterprises. At the time, employees were using PCs as their primary technology, sharing files and information via floppy disks, which also provided a handy way to spread malicious files. Thus, viruses started to take shape and quickly became more widespread. In turn, in the late 1980s and early 1990s, the first anti-virus applications were created.

The mid-1990s saw the advent of the Internet, and as a result the start of Gen II cyber-attacks. As networks became more interconnected, it created a need for more policing and more inspecting of the things that were coming in and out of the network. Hackers began to see the network as a good attack vector. So they began looking for ways of exploiting areas within the infrastructure, allowing them to extract data for profit, not just notoriety. Thus it became apparent that we couldn't just blatantly open things up and allow unregulated connections and communication within our networks. We had to close and filter different communication ports and protocols, thereby policing network traffic based on rulesets to allow connections and communication that were needed and prevent things that weren't needed or desired. That's when we saw the advent of the firewall.

When it came to Gen III (early 2000s), the IT industry was burgeoning with new products, tools, applications and services. At the same time, the explosion of technology also provided more advanced technologies to develop a new breed of threat: signature-based attacks (i.e. more malicious) designed to exploit known and published vulnerabilities or weaknesses in computer-based systems. Vulnerabilities unfortunately were found in applications, operating systems and all across our IT infrastructure, and were easily exploitable. Exploits were successful at bypassing anti-virus and firewall technologies, and thus we saw the emergence of intrusion prevention system (IPS) controls to not only detect but also prevent attacks from targeting vulnerabilities.

At Gen IV (approx. 2010), we started to see a dramatic shift in the way organizations were leveraging web-based applications and traffic. Here is where we see the emergence of application controls being added to the firewall ... and to IPS to allow for controlling and protecting allowed "apps" instead of merely allowing all "web" traffic. At the same time, we also see attackers begin to get better organized, funded and sophisticated. Engineered attacks based on new tools that were made available quickly allowed attackers to evade signature-only detection and prevention capabilities to sneak into a vulnerable system and siphon off data. Here we see the emergence of sandboxing technologies to address these "zero-day" or unknown attacks, along with the emergence of anti-bot technologies to look for telltale signs of command and control (C&C) activities.

This brings us to where we are now: Gen V. Now, attacks are large scale, multi-vector and very stealthy. A common threat vector for delivering malware we're now seeing is targeted phishing attacks - or spear phishing attacks - happening across many organizations. Once an endpoint is infiltrated, the attack now looks for other areas in the network where it can load up malware and continue to spread. These multi-dimensional, multi-faceted attacks propagate in different ways and spread more rapidly than prior-generation attacks. Thus, it's no longer a 1-to-1 relationship between the attack and the protection. Now, we clearly see the need to have a different approach to security - leveraging an architectural approach where all security technologies start working together to effectively block today's sophisticated threats. Preventing advanced malware attacks requires moving beyond strictly using signature-based detection mechanisms to something that looks for unknown or malicious payloads. Some of that is behavior-based or analytics-based. Either way, it's a matter of finding and understanding what it is as well as what it does before it can infect the network, and preventing it from reaching its intended target. And this is what our Next-Generation Threat Prevention technology can do at Check Point.

The challenge is that more enterprises are stuck in Gen III protection. They have firewalls in place and they may have implemented IPS or additional application controls, but they're not making that next great step in terms of looking at how the attackers are using far more sophisticated and automated techniques, and putting in place an architectural approach that allows them to address this multi-faceted way that attacks are propagating themselves. Consequently, we're not only seeing more attacks, but the severity of the attacks has grown quite exponentially, because people are still stuck looking at signature types of attacks instead of looking at the multi-faceted way that attacks are propagating themselves now.

That's where Gen V comes into play. It's not just installing the technology and off you go. It's a matter of how all the technologies can work together and how they're looking at the infrastructure as a whole. This means looking at all the different end points within the infrastructure, including the network, cloud and mobile. It's also a matter of leveraging things like threat intelligence to be able to be more responsive when they see something going on, sharing that information with a variety of different tools to keep them up to date and keep them focused on mitigating different risks and other things that can potentially cause harm.

VMblog:  What are some examples of Gen V attacks that we might be familiar with?

Meyer:  You can go back to last year, when the two biggest hacks occurred. One of them was WannaCry, which affected organizations all over the map. The other was NotPetya, where initially it looked like it focused on Ukraine, but it actually affected dozens of organizations globally. These two attacks were very different but managed to inflict a great deal of damage in a relatively short time span - about 24 hours. They infected hundreds, if not thousands, of different hosts in different organizations, spreading like wildfire. The telltale sign of these attacks was subtle enough to be missed by a lot of organizations' point-product security devices, allowing the attacks to propagate rapidly. Those are great examples of the challenges we face when it comes to Gen V attacks. As we move forward and continue to build our security arsenal, we always have to think about how we address something as sophisticated as WannaCry or NotPetya. Ultimately, there are tools available. Turning them on, implementing them, getting them all to work is a big challenge.

Over the years, we've brought the best technologies in play to help us mitigate these risks. But the majority of these technologies aren't talking to each other. This means the technologies are siloed. One technology could be detecting an unknown file or code, while another is seeing some unusual activity somewhere else. These two events could be related but there is nothing correlating that information together to say that this is all one single event affecting these two areas. There's nothing that says this is where it's starting from, and this is how we can stop it.

At Check Point, we've been focused on building an architecture to break down these silos and get organizations ready to combat Gen V attacks, which is what our Infinity solution is all about. It's an architecture of tools that, at its core, has threat intelligence shared among each other through our threat cloud. All of this is coordinated via a single management portal, so when we see things, we're alerted to it instantly and more efficiently. By the same token, wherever our data networks are, we've had the right enforcement points in those particular domains to be able to stop these multi-faceted attacks in their tracks, before they have a chance to go widespread.

Case in point, WannaCry and NotPetya infected many organizations. The organizations that were Check Point customers and had these Gen V capabilities enabled were unaffected by those attacks.

VMblog:  Given the consequences, why aren't more enterprises at Gen V when it comes to cybersecurity protection?

Meyer:  What we see is most organizations are stuck somewhere between Gen II and Gen III. A few factors come into play here as to why that is. First, upgrading technologies can be very disruptive, and updating cybersecurity solutions is no exception. Businesses tend to be held back by up-time requirements, change control, compliance controls, staffing shortages, budget restrictions and a host of other issues. Complexity is another key challenge, as the "best-of-breed" point solution approach to cybersecurity we've been taking over the years has led to massive device sprawl - bringing in one more "thing" can be seen as adding to a situation that's already too complex. Security is a tough, ongoing challenge that requires manpower to think about how to implement it properly. By the same token, it can be an inhibitor to some things if it's not in alignment with the organization's overall objectives and goals. The security teams must be aligned with the IT teams, the cloud teams, etc. Of course, that's a challenge that's fundamental to any organization. So it's crucial to break down these silos and get everyone sitting at the same table. It starts with being aligned toward one overall goal.

This is precisely why most companies are stuck at Gen II or III when it comes to protection. They feel it's too complicated and they don't think it will align with the other needs of the organization. So education will also be key to helping organizations move to Gen V security capabilities.

VMblog:  Are there differences when it comes to mobile attacks vs. cloud attacks, etc.?

Meyer:  There's definitely a difference when it comes to mobile attacks. Mobile is still a relatively new threat vector for a lot of the threat actors out there. Part of the reason is because mobile devices are consumer grade and are not enterprise driven. So they have some challenges when it comes to the applications, operating systems (OSs), and the chipsets that they're using. It's almost like the Wild West out there with respect to the level of new mobile technologies being introduced and our ability to identify and/or stay on top of their vulnerabilities and threats. The challenge moving forward will be how much mobile is looked upon by the organization as a critical threat vector. Right now, we're not seeing organizations being bitten hard by the mobile threat bug. Yes, there's a ton of malware targeting mobile devices (most of it focused on Android devices), but we're not seeing that as a critical entry point or a vector that is being heavily utilized to target enterprises... yet. As a result, organizations don't put a lot of focus on mobile protection. We recently surveyed our customers, and nearly all of them said they had mobile malware discovered on the devices they allow in the office. So right now, mobile threat prevention isn't a topic that will raise too many eyebrows, because they haven't felt the sting yet. But if they aren't proactively protecting their architecture, they will inevitably feel it. It's just a matter of when.

The cloud, on the other hand, seems to be a popular target for attack. It seems that not a week goes by where we hear about another cloud service that was breached, exposed or hacked. The cloud is a new environment that organizations are embracing in droves because of all the great benefits and cost savings of agile computing - but like anything IT related, you need to do your homework and understand your exposures/vulnerabilities, then put in place all the right security to plug those gaps, stay in compliance and maintain control. But security in the cloud is different from security on a customer's premises; security is now a shared responsibility between the cloud service provider (AWS, Google Cloud, Microsoft Azure, etc.) and the customer, and the customer is responsible for bringing in the necessary protections to keep their environment secure. It seems there's still some confusion with respect to the customer's role in the shared responsibility model, which is causing cloud environments to be unnecessarily exposed, and the bad guys know about it and are taking advantage of it.

VMblog:  What solutions are available from Check Point to help prevent/detect Gen V attacks?

Meyer:  There are a number of things that Check Point provides to help customers prevent Gen V attacks. First and foremost, we're laser focused on security and on being a software-based company. That's an important distinction because our focus has always been about building software and integrating different capabilities into our software. Bringing new security capabilities to market and consolidating them into a single, unified system, as well as extending them to new areas - such as mobile or the cloud - becomes easier for us since we're not tied to a particular platform. So from a customer's perspective, having an integrated solution that has all these things and allows you to extend the protections and enforcement points wherever you need them, that's huge. Couple that with the ability to share, in real time, actionable threat intelligence across the entire system and you have a well-tuned, hyper-responsive security architecture that easily goes wherever your network, data or apps go.

The other side of the coin is making it manageable. That means bringing efficiencies into how you're effectively rolling things out, updating things or maintaining your day-to-day, and into how quickly you're able to get access to the most relevant information and do something with that information. That's what we've been focusing on on the management side.

The last thing we're doing is providing a unique consumption model. We offer Infinity Total Protect, which is a revolutionary packaging model that allows us to package all our capabilities in a much more palatable format for our customers. This will allow customers to leverage all of Check Point's capabilities seamlessly to their networks, without being impacted by cumbersome licenses and cost structures or burdened by complex integrations or management.

So there are three facets that we're focused on: 1) we're laser-focused on our security technologies, 2) integrating them all into a comprehensive architecture with common management and shared intelligence, and 3) seeing this Infinity total consumption model that we developed put into action.


Published Friday, March 30, 2018 7:40 AM by David Marshall