I have an intrusion prevention system (IPS), antivirus, anti-spam, web filtering and content filtering solutions, the best firewall appliance, and more precautions than I can count, yet something still got through. Is that possible, and how?
Let’s give the answer immediately: yes, it is possible. Most likely a simple phishing attack arrived from a site whose IP reputation was not bad, and the attackers succeeded in penetrating your network. But first let’s look at the scenario, and then consider what needs to be done to prevent it from happening.
The attacker has chosen his victim, prepares an e-mail that includes a malicious link or file, and sends it to its destination. At this point your anti-spam or anti-phishing solution should step in and block the e-mail; if it does not, the message reaches the inbox and waits for the victim to click the malicious link.
If the victim clicks the link, a website hosting malicious software (which can be anything you can think of) is contacted. At this point your web filter should activate and block the traffic; if it fails, the malicious website starts attacking your business.
Malicious websites often go after the weakest link to reach the system, i.e. users near the top of the business whose technical knowledge is relatively weak. This user is exploited without knowing it, and all of the attacker’s traffic passes through this user. This is precisely where your intrusion prevention system (IPS) comes in, or should; but if it cannot detect or prevent the attack, the attack proceeds.
In fact, at this stage the malware expected from the malicious site should be caught and quarantined by your anti-malware solution; if it is not, the malicious software leaves its .exe payload on your system.
As soon as the malicious code runs, the attacker attempts to access account information and collect sensitive data. For this purpose he tries to reach the main data source, which is the storage system or server. At this point your application control solution, IP reputation, botnet detection and other security measures are expected to activate; but if none of these measures is sufficient, the attack has succeeded.
We can summarize all this as follows:
Don’t say “we have paid a pot of money, so we are in the safe zone and our solutions prevent attacks”, because there are ways to get through every one of them. In addition, with the feedback from each obstacle he encounters, the attacker can either put in place another plan to overcome it or, once he has crossed it, cover his tracks so that he is not noticed. The main point here is that the attacker has really set his sights on your business. He therefore chooses a victim, and the best source for this is LinkedIn.
If we examine the situation as the following risk band, the green area is the clean area: it includes whitelisted domain names, applications, and electronically signed and approved files. In principle, e-mails from domain names with a clean IP history do not encounter any blocking and are forwarded to the user.
The red zone is the dangerous zone. Here, applications, files or links that appear on the blacklist are quarantined and blocked by the solutions listed above.
The real problem is the yellow zone: the source of the application, incoming e-mail or file is not fully known, and it is not clear whether it is good or bad.
So what is the solution?
Let’s answer: for the probable attacks that occur within the yellow band, we recommend an Anti-APT solution with sandbox technology. The name “sandbox” comes from isolation. The operating principle of the system is that suspicious software which may infiltrate your computer is first run automatically in this isolated environment, and if it is really harmful it is destroyed and reported. When writing a rule, the IT administrator can require that all e-mails containing links or files be scanned before they reach the user. Sandbox technology is mainly used to examine e-mails or files whose source is not clear and which cannot be classified as good or bad; the vast majority of such files or e-mails are targeted, purpose-built software.
Attacks can also take place without e-mail, by attaching removable devices such as memory cards or sticks to the computer. In companies, such ports are usually disabled or a device control system is used to prevent their use. However, users often get these ports enabled according to their needs, or the IT administrator opens them temporarily and they remain open. In 2010, the attack that led to the collapse of large power plants in Iran was carried out with malicious software hidden on a memory stick plugged into a simple USB port.
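One way to express the three zones and the administrator’s “scan every mail carrying a link or file” rule as a gateway triage decision, as an added example that is not code from this post or from any product it mentions; the domain lists, approved-file hash and messages are constructed sample data:

```python
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample reputation data; a real gateway feeds these from its
# reputation service and allow/block lists.
ALLOWED_DOMAINS = {"partner.example", "corp.example"}   # green: clean history
BLOCKED_DOMAINS = {"evil.example"}                       # red: blacklisted
APPROVED_SIGNED = {"sha256:PLACEHOLDER-APPROVED-FILE"}   # green: signed and approved

@dataclass
class Attachment:
    name: str
    sha256: str
    signed: bool = False

@dataclass
class Mail:
    sender: str
    links: list[str] = field(default_factory=list)
    attachments: list[Attachment] = field(default_factory=list)

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def link_domains(links: list[str]) -> set[str]:
    hosts = (urlparse(link).hostname for link in links)
    return {h.lower() for h in hosts if h}

def classify(mail: Mail) -> tuple[str, str]:
    """Return (zone, action) for one inbound mail. Red wins over green: a
    blacklisted link in a mail from an allowlisted sender is still quarantined."""
    domains = {sender_domain(mail.sender)} | link_domains(mail.links)
    if domains & BLOCKED_DOMAINS:
        return "red", "quarantine"
    unapproved = [a for a in mail.attachments
                  if not (a.signed and a.sha256 in APPROVED_SIGNED)]
    if domains <= ALLOWED_DOMAINS and not unapproved:
        return "green", "deliver"
    # Yellow: origin or payload is neither known good nor known bad. Anything
    # carrying a link or an unapproved file is detonated in the sandbox before
    # it reaches the user; a bare text mail has nothing to detonate.
    if mail.links or unapproved:
        return "yellow", "sandbox"
    return "yellow", "deliver"
```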
Sandbox solutions can be deployed on an isolated on-premises server, or as cloud-based services that serve all customers from a shared location, possibly in another country. Consideration should be given to whether data going abroad complies with the GDPR, to the budget, to the sector in which the entity operates, and to any sector-specific regulations that govern or support such systems.