A Thief’s Perspective #3: Stealthy Attack Methods

Jul 20, 2015

This blog was written by Anne Aarness.

Understanding the attack methods and techniques of bad guys provides valuable insights that can help you refine your security posture. This five-part blog series looks at attacks from a thief’s perspective and shows you how the latest security technologies can block them.

Breaking Bad Code: Exposing the Walter White of Attack Methods

The popular crime drama series Breaking Bad redefined what it meant to hide in plain sight as high-school chemistry teacher Walter White and ex-student Jesse Pinkman built a crystal methamphetamine empire right under the nose of Walt’s DEA brother-in-law.

Thieves have perfected this technique of hiding in plain sight. They often exploit employee-owned and managed endpoints to penetrate protected networks from the inside, and lie low as they quietly pilfer or manipulate data while avoiding detection. In many instances, it may take companies months or even years to realize they’ve been attacked.

Exposing Stealthy Attacks

Given the sophisticated evasive methods in use today, there is no silver bullet that will catch every attack. Using advanced inspection techniques and sharing security insights in real time are the keys to surfacing and stopping stealthy attacks and breaches. McAfee achieves this using two unique capabilities:

  • Sandboxing with behavioral monitoring to identify unknown and stealthy malware
  • Real-time intelligence sharing between components for adaptive security

Sandboxing and Behavioral Monitoring

Systems must be able to apply real-time emulation and heuristics to unknown files in a safe environment, such as a sandbox, allowing intelligent behavioral monitoring of suspect files. Heuristic identification uses rules and behavior-pattern analysis to find similarities between a suspect file and groups or families of related known threats. Emulation simulates file execution on a stripped-down host environment and logs the resulting behaviors.

Figure 1. The down-selection process shown here quickly identifies malware, funneling out suspect files as they move through the stack, thereby reducing the number of files requiring more processor-intensive sandbox analysis.
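The down-selection idea in Figure 1, as an added Python example that is not McAfee's code: cheap hash lookups decide first, then an emulation log is matched heuristically against known family profiles, and only files still unresolved are queued for the sandbox. The file contents, family names, behavior labels, the lookup table standing in for an emulator, and the 0.5 threshold are all constructed assumptions.

```python
import hashlib
from collections import Counter

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample files; names and contents are invented for this example.
SAMPLES = {
    "installer.exe": b"constructed-known-good",
    "dropper.exe": b"constructed-known-bad",
    "invoice.scr": b"constructed-variant-of-family-b",
    "tool.exe": b"constructed-unknown",
}
KNOWN_GOOD = {sha256(SAMPLES["installer.exe"])}
KNOWN_BAD = {sha256(SAMPLES["dropper.exe"])}
# Behavior profiles of known threat families (hypothetical labels).
FAMILY_PROFILES = {
    "family_a": {"write_autorun_key", "inject_remote_thread", "stop_security_service"},
    "family_b": {"enumerate_documents", "encrypt_files", "delete_shadow_copies"},
}
# Stand-in for the emulator: behaviors logged per file hash (constructed).
EMULATION_LOG = {
    sha256(SAMPLES["invoice.scr"]): {"enumerate_documents", "encrypt_files",
                                     "delete_shadow_copies", "open_network_socket"},
    sha256(SAMPLES["tool.exe"]): {"open_network_socket", "read_registry"},
}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def heuristic_match(behaviors, threshold=0.5):
    """Closest family by Jaccard similarity, or None if below the threshold."""
    scores = {f: jaccard(behaviors, p) for f, p in FAMILY_PROFILES.items()}
    family = max(scores, key=scores.get)
    return (family, scores[family]) if scores[family] >= threshold else (None, scores[family])

def triage(content):
    """Return (verdict, stage) from the cheapest stage able to decide."""
    digest = sha256(content)
    for verdict, hashes in (("allow", KNOWN_GOOD), ("block", KNOWN_BAD)):
        if digest in hashes:
            return (verdict, "hash")
    family, _ = heuristic_match(EMULATION_LOG.get(digest, set()))
    if family:
        return ("block", "heuristic:" + family)
    return ("sandbox", "unresolved")  # only these pay the sandbox cost

def funnel(files):  # verdict counts for a batch of file contents
    return Counter(triage(content)[0] for content in files)
```

Of the four constructed files, only `tool.exe` reaches the sandbox queue; the repacked `invoice.scr` misses the hash lists but is caught by behavior similarity.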

Real-time Intelligence Sharing

It’s a common problem: Two security organizations each have key pieces of the puzzle that would catch and convict bad guys, but they fail to share information that would move both of their efforts forward. Unfortunately, this same dysfunction occurs when security components work in isolation. All the security gear in the world doesn’t matter if you can’t get it working as one integrated system to gather, correlate, distill, and share actionable intelligence in near real time.

Real-time intelligence sharing and true adaptive security require a new level of system-wide, multi-product integration. This ambitious undertaking must include rethinking the security architecture itself. Two innovative capabilities are used to achieve this:

  • A central intelligence server must accumulate insight on emerging threats, analyze intelligence, and share security knowledge with every active security control across the enterprise in near real time. The exchange server must track and share historical data on each device and work in lock-step with SIEM solutions and enterprise security consoles. By tearing down security intelligence silos, this foundational server provides a central integration and administrative control point.
  • A real-time communications fabric must provide two core capabilities that are missing in traditional security architectures. First, it must provide a bi-directional security data plane to ensure real-time communications and eliminate bottlenecks that can occur in shared data networks. Second, it must bond security controls using a common information model to instantly share security insight between the central intelligence server, endpoints, gateways, firewalls, IPSs and other security devices.

Want to learn more about the techniques thieves use to hide on networks, quietly collecting data and timing their attack? Check out the new McAfee Brief: A Thief’s Perspective on Stealthy Attack Methods. It goes into greater detail on these techniques as well as the McAfee solution for stopping stealthy attacks.
