Fighting Advanced Persistent Threats with Emulation

It’s no secret that threats are growing in persistence, increasing in stealth and evading the latest anti-malware technologies. Simply put, advanced persistent threats are now able to break through the gauntlet of firewalls, intrusion prevention systems, anti-virus applications and anomaly detection systems in use by most enterprises today.

The IT industry calls these latest attacks advanced persistent threats (or APTs), while analysts at research giant Gartner refer to the assaults as advanced targeted attacks (or ATAs). Corey Nachreiner, director of Research and Security Strategy for firewall vendor WatchGuard, offers a concise definition of an APT: “APTs combine persistence with advanced zero day techniques to target a certain individual, organization or government agency.” Such attacks “are designed with a criminal activity in mind, either to disrupt business operations or gain access to financial information,” he added.

With those nefarious goals in mind, it is easy to see why cybercriminals are turning to APTs to get at information that should be protected. APT-style attacks have been behind some of the largest compromises of late, from the theft of millions of credit card accounts in the Target breach to the Gauss malware, which targeted banks in Lebanon to steal bank account information. Other examples of successfully deployed APT attacks include Stuxnet and Flame, both of which leveraged zero-day exploits and caused millions of dollars in damage to the organizations they targeted.

The rise in APT-based attacks leaves those responsible for IT security facing a troublesome question: “Can APT attacks be stopped?”

Evolving Approach to APTs

While there is no easy answer to that question, protection technology is evolving quickly to limit the success of a carefully executed APT attack. That technology comes in the form of APT prevention systems, which are layered on top of existing security controls. A case in point is WatchGuard’s latest addition to its family of security appliances, APT Blocker, which was recently reviewed on Enterprise Networking Planet.

The typical APT attack combines elements such as spear phishing, watering holes and compromised chains of trust to deliver a payload that is specifically designed to be hard to detect and that employs evasion techniques, such as time-delayed execution.

APTs often succeed because their payloads have no known signatures or other identifiers, which makes it impossible for signature-based solutions to detect the payload or the activity it produces. Vendors are therefore turning to sandbox emulation to identify these threats by their behavior rather than by signature. WatchGuard, for example, uses a cloud-based virtualization system to create an emulated environment in which suspicious files are executed and their activity is analyzed for signs of APT behavior.

Those emulated environments trick the payload into believing it is running on a real system, so its behavior can be observed and identified without putting a production system at risk. Because many payloads check for such environments or delay execution before doing anything incriminating, the emulator also has to counter those evasions, for example by fast-forwarding sleeps, or the sample will simply stay dormant for the duration of the analysis.
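To make the time-delay problem concrete, here is an added toy behavioural sandbox in Python. It is an illustration written for this article, not WatchGuard’s APT Blocker or any vendor code: the “hooks” are plain Python callables standing in for OS- or hypervisor-level instrumentation, the payload (`delayed_sample`) is a constructed stand-in for malware that sleeps before acting, and the indicator rules and the 198.51.100.7 address are made up for the example. The point it shows is that a harness which fast-forwards a virtual clock sees the drop-and-beacon behavior, while one that waits in real time gives up before the payload does anything.

```python
"""Toy behavioural sandbox showing why emulators fast-forward time.

Added illustration; not WatchGuard's APT Blocker. The sample is a constructed
stand-in for a payload that uses time-delayed execution, and the hooks are
plain Python callables rather than OS- or hypervisor-level instrumentation.
"""
import time
from dataclasses import dataclass, field


@dataclass
class Report:
    events: list = field(default_factory=list)   # (kind, *details) tuples
    virtual_seconds: float = 0.0                  # delay the sample believes elapsed
    timed_out: bool = False                       # harness stopped watching early


class GaveUp(Exception):
    """Raised when a non-emulating harness exceeds its wall-clock budget."""


def detonate(sample, fast_forward=True, wall_budget=2.0):
    """Run `sample(env)` under hooked time/network/file primitives.

    fast_forward=True  : sleeps advance a virtual clock instantly (emulation).
    fast_forward=False : sleeps are real, and the harness gives up past budget.
    """
    report = Report()
    now = [1_700_000_000.0]   # virtual epoch seconds, boxed so hooks can mutate it

    def hooked_time():
        return now[0]

    def hooked_sleep(seconds):
        if fast_forward:
            now[0] += seconds                # payload sees its delay "elapse"
            report.virtual_seconds += seconds
        elif seconds > wall_budget:
            raise GaveUp()                   # naive sandbox stops before the payload acts
        else:
            time.sleep(seconds)
            now[0] += seconds

    def hooked_connect(host, port):
        report.events.append(("connect", host, port))
        return False                         # never touches a real network

    def hooked_write(path, data):
        report.events.append(("write", path, len(data)))

    env = {"time": hooked_time, "sleep": hooked_sleep,
           "connect": hooked_connect, "write_file": hooked_write}
    try:
        sample(env)
    except GaveUp:
        report.timed_out = True
    return report


def indicators(report):
    """Map raw events to coarse indicators; a real engine has far richer rules."""
    found = set()
    for ev in report.events:
        if ev[0] == "write" and ev[1].lower().endswith(".exe"):
            found.add("drops-executable")
        if ev[0] == "connect":
            found.add("beacon")
    return sorted(found)


def delayed_sample(env):
    """Constructed payload: sleep ten minutes, then drop a file and call home."""
    started = env["time"]()
    env["sleep"](10 * 60)
    if env["time"]() - started < 10 * 60:
        return                               # clock stalled: probably analysed, stay quiet
    env["write_file"]("C:/Users/Public/update.exe", b"MZ" + b"\0" * 64)
    env["connect"]("198.51.100.7", 443)      # RFC 5737 documentation address (constructed)


if __name__ == "__main__":
    print("emulated :", indicators(detonate(delayed_sample)))
    print("naive    :", indicators(detonate(delayed_sample, fast_forward=False)))
```

Note the sample’s own sanity check: it compares the clock before and after the sleep, which is why the harness advances the virtual clock by the requested amount rather than simply skipping the call. Real sandboxes have to keep every observable clock (system time, tick counts, CPU timestamp counters) consistent with the skipped delay, or the payload notices the discrepancy and stays quiet.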

For administrators seeking to limit the impact of APTs, a layered security approach that culminates in sandbox-based emulation and detection is becoming a must-have.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with over 25 years of experience in the technology arena. He has written for several leading technology publications, including ComputerWorld, TechTarget, PCWorld, ExtremeTech, Tom’s Hardware and business publications, including Entrepreneur, Forbes and BNET. Ohlhorst was also the Executive Technology Editor for Ziff Davis Enterprise’s eWeek and formerly the director of the CRN Test Center.


Frank Ohlhorst
Enterprise Technology Analyst and Author. Frequent Contributor to eWeek, PCMag, The-Tech-Prophet.Com, ENP and several other online publications.
