Trend Micro's Tom Kellermann has released an interesting opinion piece on the matter.
Individuals and companies responsible for IT security unwittingly play a game of chess with cybercriminals every day. In an opinion piece entitled “The Knight Fork: Defining Defense in 2013,” Tom Kellermann, VP of Cyber Security at Trend Micro, explains the similarities between a game of chess and preparing a cyber-security strategy. In chess, a “knight’s fork” is a move in which success is ensured by attacking two pieces at once. The same principle can and should be applied in cyber security as well.
One of the main aspects one must consider when planning a cyber-security strategy for 2013 is the fact that cybercriminals have started deploying various tactics to cover their tracks in order to ensure that they can remain hidden for as long as possible in the attacked organization’s networks.
This is achieved with the aid of compromised internal systems used as command and control (C&C) nodes, dynamic DNS services, and randomized connections used to contact outside C&C servers.
The advanced capabilities of malware combined with carefully selected bulletproof hosts are often leveraged by cybercriminals in their campaigns.
In order to improve defense mechanisms, those in charge of cyber security must first understand that advanced persistent threats (APTs) are “consistent and part of ongoing campaigns.” Furthermore, they must consider the fact that targeted attacks don’t always rely on zero-day exploits.
Another important factor to consider is that targeted attacks are actually a series of attempts – some of which succeed and some of which fail – whose main goal is to “establish a covert presence.”
“Advanced detection techniques can be used to identify the adversary once we appreciate the challenges of maintaining a persistent presence within a network. We must spin the chess board and value the nuance of becoming overextended,” Kellermann explained.
“From a hacker’s perspective, changing C&C protocols requires considerable effort. Thus, network traffic can be correlated with other indicators to provide proactive detection. Unknown threats may be detected by extrapolating methods and characteristics from known threat communication behaviors,” he added.
In order to customize defense mechanisms and adapt them to current threats, those responsible for security must ensure that a log inspection program and file integrity monitoring solutions are present.
In addition, custom sandbox analysis must exist, multi-level rule-based event correlation must be maintained, and data loss prevention (DLP) systems must be set in place.
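The two detection ideas above, correlating C&C traffic with other indicators (Kellermann's quote) and combining log inspection, file integrity monitoring and multi-level rule-based event correlation (the last two paragraphs), can be shown in one small correlator. The code below is an added example written for this page; it is not from the article or from Trend Micro. The log format, the hosts `ws-17`, `ws-22`, `ws-31`, the destination addresses and the file hashes are all constructed sample data, and the 4-hit / 10 % jitter thresholds are illustrative assumptions rather than vendor guidance.

```python
"""Added example (not from the article or Trend Micro): a minimal
multi-level, rule-based event correlator.

Level 1, rule A (log inspection): flag a host that contacts one outside
address at near-constant intervals, the beaconing pattern a compromised
node produces when polling a C&C server.
Level 1, rule B (file integrity monitoring): flag monitored files whose
hash no longer matches the baseline.
Level 2: a host with both indicators gets a 'high' alert, one with a
single indicator gets 'medium'. All inputs are constructed sample data."""
import hashlib
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy/firewall log: "<epoch> <src_host> <dst_ip> <dst_port>".
# ws-17 polls one address every 300 s; ws-22's gaps are irregular.
SAMPLE_NET_LOG = """\
1000 ws-17 203.0.113.9 443
1300 ws-17 203.0.113.9 443
1600 ws-17 203.0.113.9 443
1900 ws-17 203.0.113.9 443
1010 ws-22 198.51.100.5 443
2500 ws-22 198.51.100.5 443
2600 ws-22 198.51.100.5 443
4000 ws-22 198.51.100.5 443
"""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed FIM data: baseline hashes and the current scan of each host.
FIM_BASELINE = {
    "/usr/bin/ssh": sha256(b"original ssh binary"),
    "/etc/hosts": sha256(b"127.0.0.1 localhost\n"),
}
FIM_CURRENT = {
    "ws-17": {"/usr/bin/ssh": sha256(b"replaced ssh binary"),
              "/etc/hosts": sha256(b"127.0.0.1 localhost\n")},
    "ws-22": {"/usr/bin/ssh": sha256(b"original ssh binary"),
              "/etc/hosts": sha256(b"127.0.0.1 localhost\n")},
    "ws-31": {"/usr/bin/ssh": sha256(b"original ssh binary"),
              "/etc/hosts": sha256(b"127.0.0.1 localhost\n10.0.0.5 upd\n")},
}


def parse_net_log(text: str) -> list:
    """Parse the constructed log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        records.append({"ts": int(ts), "host": host, "dst": dst, "port": int(port)})
    return records


def detect_beacons(records: list, min_hits: int = 4, max_cv: float = 0.1) -> list:
    """Level 1, rule A: (host, dst, mean_gap) for pairs contacted at
    near-constant intervals. Coefficient of variation of the gaps
    (stdev / mean) below max_cv means the timing is machine-regular."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["host"], r["dst"])].append(r["ts"])
    hits = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((host, dst, avg))
    return hits


def fim_changes(baseline: dict, current: dict) -> list:
    """Level 1, rule B: paths whose hash differs from the baseline, that
    vanished, or that appeared unexpectedly (sorted for stable output)."""
    return [p for p in sorted(set(baseline) | set(current))
            if baseline.get(p) != current.get(p)]


def correlate(beacons: list, fim_by_host: dict) -> dict:
    """Level 2: merge per-host level-1 findings into one severity each."""
    indicators = defaultdict(set)
    for host, _dst, _gap in beacons:
        indicators[host].add("beacon")
    for host, paths in fim_by_host.items():
        if paths:
            indicators[host].add("fim_change")
    return {h: ("high" if len(s) == 2 else "medium") for h, s in indicators.items()}


def run_example() -> dict:
    """Run both level-1 rules over the sample data and correlate them."""
    beacons = detect_beacons(parse_net_log(SAMPLE_NET_LOG))
    fim_by_host = {h: fim_changes(FIM_BASELINE, snap) for h, snap in FIM_CURRENT.items()}
    return correlate(beacons, fim_by_host)


if __name__ == "__main__":
    for host, severity in sorted(run_example().items()):
        print(host, severity)
```

With the sample data, `ws-17` is reported as `high` (regular beaconing plus a modified `/usr/bin/ssh`), `ws-31` as `medium` (an `/etc/hosts` change only), and `ws-22` not at all: its four connections to the same address are too irregular to pass the jitter rule, which is the point of correlating timing rather than alerting on volume alone.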