Double jeopardy: Security not immune

by: Paul McCormack

U.S. criminal law prohibits trying a defendant a second time on the same or similar charges of which they were previously acquitted or convicted. In a way, the same concept used to apply in the security world. Security professionals used to have just one opportunity to “try” a file and determine its “guilt” or “innocence.” If the file was determined to be guilty, or malicious, they blocked its access to the company’s environment. An innocent or harmless file, on the other hand, received safe passage.

While this point-in-time approach once worked well, modern attackers have evolved their tactics. They have learned that they need to “appear in court” only once to convince the company of a file’s guilt or innocence.

Now, in an effort to pass undetected through an organization’s point-in-time defenses, attackers use tools and tactics designed to ensure that a malicious file appears harmless.

Once a file enters the network, security professionals often lack the tools to monitor its behavior. In essence, under the point-in-time model, the security professional cannot retry the file for guilt or innocence.
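The “retrial” that the point-in-time model lacks can be sketched in code: record what was admitted, and re-evaluate those records whenever intelligence improves. The following is an added illustration, not code from the original post; the `RetrospectiveLedger` class, the `admit`/`retry` methods and the sample file contents are all constructed for this example, and “intelligence” is reduced to a set of known-bad SHA-256 digests.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AdmittedFile:
    """One file that passed the point-in-time check (hypothetical record type)."""
    path: str
    sha256: str
    admitted_at: datetime
    verdict_at_admission: str


class RetrospectiveLedger:
    """Keeps the evidence needed to retry a file after its first verdict."""

    def __init__(self) -> None:
        self.entries: list[AdmittedFile] = []

    def admit(self, path: str, content: bytes, known_bad: set[str]) -> str:
        """The one-shot 'trial': hash the file, compare against today's intel,
        and remember the outcome so it can be revisited later."""
        digest = hashlib.sha256(content).hexdigest()
        verdict = "malicious" if digest in known_bad else "clean"
        self.entries.append(
            AdmittedFile(path, digest, datetime.now(timezone.utc), verdict)
        )
        return verdict

    def retry(self, updated_known_bad: set[str]) -> list[AdmittedFile]:
        """The 'double jeopardy' the post says defenders usually cannot apply:
        re-examine every file admitted as clean against newer intelligence."""
        return [
            e
            for e in self.entries
            if e.verdict_at_admission == "clean" and e.sha256 in updated_known_bad
        ]


def demo() -> tuple[dict[str, str], list[str]]:
    """Admit two constructed files with no intel, then retry once intel arrives.
    Returns (verdicts at admission, paths flagged retroactively)."""
    ledger = RetrospectiveLedger()
    samples = {  # constructed sample contents, not real files
        "report.pdf": b"constructed sample: benign report",
        "update.exe": b"constructed sample: later-discovered dropper",
    }
    intel_at_admission: set[str] = set()  # nothing known on day one
    first_verdicts = {p: ledger.admit(p, c, intel_at_admission) for p, c in samples.items()}

    # Later, intelligence identifies the second sample as malicious.
    later_intel = {hashlib.sha256(samples["update.exe"]).hexdigest()}
    flagged = [e.path for e in ledger.retry(later_intel)]
    return first_verdicts, flagged


if __name__ == "__main__":
    verdicts, flagged = demo()
    print("verdicts at admission:", verdicts)
    print("flagged on retrial:", flagged)
```

Both files are admitted as clean because nothing is known about them at the time; only the ledger makes it possible to come back and flag `update.exe` once the intelligence changes. Without that stored evidence, the first verdict is the only one that ever gets rendered.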

Sophisticated Attackers Know How Your Technology Works 

To mount its attack, a file must morph from seemingly harmless to malicious when no one is watching. Unfortunately, once a file receives permission to enter the network, often no one is watching, which is exactly what the attacker wants.
