ENTERPRISE SECURITY BLUEPRINT
CONTROL LAYER
Threat indicators are especially effective when they identify aspects of threat behavior that are relatively expensive to mutate from attack to attack. For example, there is no benefit to blocking the source address of an attack if that address is spoofed by the attacker and may be randomized from connection to connection. However, a bot's connection to its C&C server is harder to mutate because the attacker needs to set up a new C&C server every time the previous one is blocked.
Advanced attacks require more complex threat indicator matching. For example, modern malware might generate C&C server URLs randomly, allowing it to access a large number of potential servers. Analysis of this algorithm can yield a corresponding complex indicator that can identify all URLs that are used in the attack.
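Added example (not from the blueprint): once an analyst has reverse-engineered a sample's domain-generation algorithm, re-implementing it turns a single observed C&C domain into an indicator covering every domain the malware can produce. The DGA, the seed, the `.example` TLD and the DNS log format below are all constructed stand-ins; the point is the indicator-building and log-matching logic around them.

```python
import hashlib
from datetime import date, timedelta

# Constructed, hypothetical DGA standing in for a reverse-engineered sample's
# algorithm: SHA-256 over a fixed seed, the day and an index, 16 hex chars.
SEED = b"example-family-seed"


def dga_domains(day: date, count: int = 8) -> set[str]:
    """Enumerate the candidate C&C domains the hypothetical bot would try on `day`."""
    domains = set()
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        domains.add(digest[:16] + ".example")
    return domains


def build_indicator(today: date, lookback: int = 1, lookahead: int = 1) -> set[str]:
    """Indicator = union of the domains for a window of days, so clock skew
    between the bot and the enforcement point does not cause misses."""
    indicator = set()
    for delta in range(-lookback, lookahead + 1):
        indicator |= dga_domains(today + timedelta(days=delta))
    return indicator


def match_dns_log(lines, indicator):
    """Return (client, qname) pairs for queries that hit the indicator set.
    Constructed log format: '<time> <client> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()  # normalise trailing dot / case
            if qname in indicator:
                hits.append((parts[1], qname))
    return hits


def demo():
    """Run the matcher over constructed DNS log lines for a fixed day."""
    today = date(2024, 1, 15)
    indicator = build_indicator(today)
    generated = sorted(dga_domains(today))[0]  # one domain the bot would use today
    log = [
        "10:00:01 10.0.0.5 query www.example",
        f"10:00:02 10.0.0.7 query {generated}.",
        "10:00:03 10.0.0.9 query mail.example",
    ]
    return match_dns_log(log, indicator)
```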
Threat Indicator Generation
Through the detection of anomalous and malicious sources, threat indicators can also be generated within the enterprise. Sources for such internal indicators may include:
- Enforcement Layer security control logic executed in a sandboxed environment. Documents or applications potentially containing malware would generate threat indicators for any detected misbehavior
- Analysis of security events received from the Enforcement Layer that helps to identify anomalies and attacks. Once these threats are recognized, threat indicators are generated to block further attacks and to provide containment for compromised entities
- Forensic analysis of network and hosts by security analysts that can generate threat indicators and feed them to the Control Layer for distribution to enforcement points
- Honeypots that can be used to trap attackers into thinking that they've penetrated the internal network, buying time for defenders to analyze their TTPs and generate appropriate threat indicators to block the attack
Zero-day Protections
Threat actors target corporate assets by exploiting vulnerabilities (i.e., potential security flaws in the system). As explained earlier, threat prevention controls counter threats by detecting and preventing their behavior. However, system vulnerabilities can be discovered by attackers before the security flaws are made known to system owners. These are called 'zero-day' vulnerabilities. By definition, zero-day attacks cannot be directly countered because no prior threat intelligence is available. The following protection strategies can be used to mitigate zero-day attacks:
- Sandboxing – documents and applications can be executed in a contained environment that emulates the targeted system. If unexpected behavior is detected, execution is terminated and malicious documents and applications are blocked from entering the network or reaching the targeted host