Classic signature-based security products have failed to meet expectations in preventing professionally conducted targeted attacks. This has led to the emergence of APT products. APT attacks usually target a specific organization or user group, so the victims' weak points are taken into account when such attacks are prepared.
Domains intended for use in APT attacks can be registered long before the attack and kept available until they are needed. Those domains can be hosted by a highly trusted hosting company on an IP address with a good reputation. Therefore, information-gathering techniques such as the domain's registration age, the reputation score of the IP address it resolves to, and the reliability of the domain registrar do not provide enough information to decide whether the domain is trustworthy.
The lifetime of a domain used in an attack often lasts only a few hours. Once the attacker has achieved their objective, all DNS records and hosting services are removed completely.
During this window it is almost impossible to analyze the domain, and most of the time it is already too late for such action. Researchers show that 98% of a malware campaign's spread happens in the first 24 hours. The Malware Spread Timeline graph below shows that signature-based security products do not provide effective protection against malware.
The Internet has become an environment where threats are highly dynamic, and fighting them requires more effective measures. However, the lack of two important structural capabilities prevents APT products from delivering the desired outcome.
APT products cannot provide active protection. An APT product needs roughly five minutes to analyze a file, which is far too long for a user to wait when downloading a file from a web page. To keep things running, APT products send a copy of the file to the sandbox and let the user access the original. As a result, the analysis serves reporting purposes more than protection.
Not all malware can be detected by APT products. In the tests we have performed, we noticed that, from time to time, APT products cannot even detect malware created with basic backdoor tools.
Roksit has improved its Gray List categories to provide effective protection against APT attacks. Gray List is a process in which a domain is classified as safe or unsafe from its active and passive data, without any content analysis. For a domain to be placed in the Gray List Safe category (Undecided Safe), it must collect enough points from criteria such as how long it has been in service, how many distinct users have accessed it, whether it has a high hit count, and whether its name fails to match the patterns produced by Domain Generation Algorithms.
Roksit can detect and block Gray List, Cryptolocker, and APT attacks even when it encounters the domains used in those attacks for the first time.
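The scoring idea described above, as an added illustration that is not Roksit's code and does not reproduce its actual criteria: each criterion (service age, distinct users, hit count, DGA-likeness) contributes points, and a domain is classified without any content analysis. The point values, thresholds, the `DomainObservation` fields and the toy DGA heuristic (digit ratio, vowel ratio, character entropy of the registrable label) are all assumptions chosen for the example. The third constructed observation shows the point made earlier on this page: an old, well-hosted domain with no user base still fails the classification, because age alone does not earn enough points.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Hypothetical thresholds and weights; the real product's scoring is not public.
SAFE_THRESHOLD = 5
DGA_PENALTY = -5


@dataclass(frozen=True)
class DomainObservation:
    """Passive-DNS style facts about one domain (field set is our assumption)."""
    domain: str
    age_days: int        # days since the domain was first seen in service
    unique_users: int    # distinct clients that have resolved it
    hit_count: int       # total resolutions observed


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_like_dga(domain: str) -> bool:
    """Toy DGA heuristic on the registrable label: digit-heavy, vowel-poor or
    long high-entropy labels are flagged. Real products use trained models."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < 6:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    high_entropy = len(label) > 12 and shannon_entropy(label) > 3.8
    return digit_ratio > 0.3 or vowel_ratio < 0.2 or high_entropy


def _step(value: int, steps: tuple[tuple[int, int], ...]) -> int:
    """Award the points of the highest threshold the value reaches (steps descending)."""
    for threshold, points in steps:
        if value >= threshold:
            return points
    return 0


def gray_list_score(obs: DomainObservation) -> int:
    """Sum the per-criterion points; a DGA match applies a large penalty."""
    score = _step(obs.age_days, ((365, 3), (90, 2), (7, 1)))
    score += _step(obs.unique_users, ((1000, 3), (50, 2), (5, 1)))
    score += _step(obs.hit_count, ((10_000, 2), (500, 1)))
    if looks_like_dga(obs.domain):
        score += DGA_PENALTY
    return score


def classify(obs: DomainObservation) -> str:
    """Undecided Safe needs enough points; everything else stays Undecided Unsafe."""
    return "undecided_safe" if gray_list_score(obs) >= SAFE_THRESHOLD else "undecided_unsafe"


# Constructed observations, not real telemetry.
SAMPLE = (
    DomainObservation("google.com", age_days=9000, unique_users=50_000, hit_count=2_000_000),
    DomainObservation("x7k3q9zt2.com", age_days=2, unique_users=1, hit_count=3),
    DomainObservation("shop-deals-online.net", age_days=800, unique_users=1, hit_count=2),
)


def classify_batch(observations=SAMPLE) -> dict[str, str]:
    """Map each observed domain to its Gray List verdict."""
    return {o.domain: classify(o) for o in observations}


if __name__ == "__main__":
    for domain, verdict in classify_batch().items():
        print(f"{domain:25} {gray_list_score(next(o for o in SAMPLE if o.domain == domain)):>3}  {verdict}")
```

Because the verdict depends only on observed DNS behaviour, a domain that is new to the resolver can still be held in the unsafe category on first sight; the DGA penalty is deliberately large so that a random-looking name cannot be rescued by a burst of hits.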