2023年1月3日

Brett Raybould EMEA解决方案架构师，Menlo安全检测一直是网络安全战略的关键组成部分。通常，组织采用分层方法进行检测，使用各种解决方案，包括防病毒软件、沙盒引擎、大数据分析、异常检测等。这些技术用于发现和发现任何恶意软件或恶意代码，可以到达端点并消除它。在检测解决方案的情况下，眼见为实。如果你不能检测到威胁，你怎么知道它是否真的是威胁?这是此类技术构建、搜索和仅对网络上检测到的威胁采取行动的核心原则，并在确认威胁后将其隔离和消除。不幸的是，这种方法产生了几个问题。检测解决方案侧重于确定哪些是恶意的，哪些是良性的，这导致它们受到类似的限制。事实上，它们很容易产生假阳性和假阴性，而且将这些技术叠加在一起的成本很高。不仅如此，仅仅依靠检测还会使您处于不利地位，迫使您在威胁行为者已经进入网络时做出反应——到那时，往往为时已晚，损害已经造成。 Attackers Are Overcoming Legacy Security Solutions With the continued belief that an array of detection solutions is adequate, many firms have failed to add capabilities to their network security technology stack, relying on the same solutions and strategies that are simply no longer fit for purpose. While many organizations have stood still, threat actors have continued to tweak and adapt their methods, now leveraging attack techniques capable of bypassing legacy network security defenses. The use of Highly Evasive Adaptive Threats (HEAT) is becoming increasingly common, for example, with criminals leveraging one of four evasive techniques to deliver malicious payloads to endpoints: HTML smuggling and/or JavaScript trickery within browser environments. Sending malicious links to users through communication mediums outside of email, such as social media SMS and shared documents. Tampering with benign websites to create ‘Good2Bad’ websites for brief periods to dodge web categorization. Using malicious content, such as images impersonating known brand logos that can be generated using JavaScript in the browser by its rendering engine to avoid detection from static signatures that examine web page source code and HTTP traffic. Indeed, the success of these methods has been proven in several notorious attacks that have taken place in recent years. The Astaroth banking Trojan that has been an issue since 2017 uses HTML smuggling to sneak malicious payloads past network-based detection solutions, for example. Meanwhile, the Gootloader campaign that the Menlo Labs team tracked in the early phase of 2022 leveraged SEO poisoning to generate high-level page rankings for compromised websites. Embracing a Multi-Faceted Approach to Security From file inspections performed by SWGs and sandboxes to network and HTTP-level inspections, indicator of compromise (IOC) feeds and malicious link analysis, many typical defense mechanisms that form central pillars of many organizations’ security strategies are rendered almost useless when confronted with HEAT. To be properly protected against modern threats, organizations must shift to a multi-faceted approach to security that moves beyond a sole reliance upon detection solutions. While these solutions still serve a purpose, they must be combined with an emphasis on prevention to ensure that attackers are blocked from reaching networks in the first instance. Unlike detection solutions, prevention solutions do not work to determine whether traffic is good or bad. Instead, they take a zero trust approach in assuming that all traffic has at least some risk attached to it and therefore treat all traffic as guilty until proven innocent. This is the case with remote browser isolation (RBI) – an innovative method focused on preventing code from reaching the users without determining whether that code is infected or not. With RBI, the point of execution for active content is moved to a disposable, cloud-based container, preventing any malicious content from successfully reaching its target, creating something of a digital air gap that allows users to browse the internet safely. When all traffic is executed in the cloud, it doesn’t come anywhere near the endpoint, drastically reducing the issues in dealing with costly and time-consuming alerts hitting your SOC which need to constantly be analyzed and remediated. Simply put, it doesn’t matter if there is a vulnerability on the endpoint for attackers to exploit or bypass with HEAT techniques. By ensuring no content can reach the network, no payloads can execute. Related to This Story