Threat Detection and Response Through WatchGuard ThreatSync

Posted February 2, 2021

Cybercriminals are designing malware to be more sophisticated than ever. Using techniques such as packing, encryption, and polymorphism, hackers are able to disguise their attacks and avoid detection. Zero-day attacks and advanced malware easily slip by antivirus solutions that are too slow to respond to an unrelenting stream of emerging threats. Today’s security solutions need to leverage a holistic approach for sustained security from the network to the endpoint.

Between March and June of 2020, hackers inserted malware into software updates for SolarWind’s Orion IT infrastructure management software. The breach led to subsequent hackings at the Treasury Department, the National Telecommunications and Information Administration, the Department of Homeland Security, and a number of SolarWinds’ corporate clients including FireEye. SolarWinds in a recent 8K filing submitted to the Securities and Exchange Commission released further insight into the breach. In the filing they stated:

“Analysis suggests that by managing the intrusion through multiple servers based in the United States and mimicking legitimate network traffic, the attackers were able to circumvent threat detection techniques employed by both SolarWinds, other private companies and the federal government,”

As evidenced by the SolarWinds statement, threats continue to evolve in order to circumvent advances in analysis and detection. Every improvement by security vendors is met with a response from cybercriminals. Through these evasion techniques, hackers can avoid threat detection and establish a foothold within the target environment. Cybercriminals constantly look for alternative techniques to improve their attacks’ success rate. Targeted and run-of-the-mill cyber attackers have been continuously modifying and enhancing their tactics, techniques, and procedures to stay under the radar for as long as they can. Many attacks use common ports and protocols that are usually allowed by firewalls (e.g., HTTP and HTTPS). But since these protocols are typically heavily monitored, attackers have to improvise and devise ways to sneak in and out of target networks without arousing suspicion.

Attacks have been known to disguise their payloads as relatively common and benign traffic from messenger apps by spoofing message text markers, transaction ids, and acknowledgment types in message headers. In the case of the SolarWinds attack, the malware was disguised as regular system updates. After being identified in the wild, these attacks can be detected using a combination of network traffic monitoring, behavior, and file structure analyses — commonly referred to as Threat Detection. Despite these attempts to spoof traffic, structure-based detection is still effective when used as part of a larger Threat Detection and Response implementation. However, any single method of analysis alone can fail to detect many of today’s attack strains.

Advanced malware attacks are complex and multi-staged. Endpoints typically become infected when a user falls for a phishing campaign or clicks on a malicious link to begin the infection process. Once the attack is initiated, the malware may attempt to reach out to command and control servers for further instruction. The malware may also attempt to spread to other points in your organization via your network. While the malware itself may look entirely unique, the network behaviors needed to facilitate the attack follow common and predictable patterns. If your security solutions are operating in silos, there would be no way for the network to know what’s happening on the endpoint and vice versa. This lack of visibility can leave you vulnerable to these dangerous threats. For this reason, analyzing network and endpoint behaviors in tandem provides a powerful means of identifying and stopping never-before-seen malware.

Threat Detection and Response makes this possible. In the case of the WatchGuard solution, event data is sent to ThreatSync to be matched with endpoint data collected from the Host Sensor. WatchGuard’s ThreatSync then analyzes this threat data to provide a comprehensive threat score and rank overall severity. Events that are captured on both the network and endpoint automatically receive the most severe threat score of 10. With policies enabled, ThreatSync will automatically instruct the Firebox to block the malware from calling out to the malicious server and will either quarantine the file, kill the process, or delete the registry key persistence on the endpoint. The same actions can also be performed manually through one-click, manual remediation by system administrators.

While threats continue to evolve and employ advanced techniques in order to evade detection, data sharing, and effective threat intelligence through threat detection and response have become critical to cybersecurity. Contact us to see how the latest solutions can help protect your business.

Scott Anderson

Scott Anderson is Partner / CTO of Verus Corp. He works with mid- and large-sized companies to ensure that all of their managed IT service needs are met to their highest standards. Scott knows that giving customers exactly what they need requires flexibility and patience. He works with each department to carry out documentation and the processes of providing managed IT services. Every position that Scott has held has been largely focused on customer service. This expertise and experience means that you’ll be getting a holistic and customer-centered experience from Verus Corp, from installation to troubleshooting. Scott has provided services that have helped Verus Corp be named a Cisco Select Partner and WatchGuard Partner of the Year. Most recently, Verus Corp was named the second best place to work by the Minneapolis/St. Paul Business Journal. Scott has a Bachelor’s in Speech from St. Cloud State University.