Advanced attacks are agile. As soon as you stop one attack, it’s back on your doorstep looking completely different. And you won’t be able to recognize it until it’s too late. Your layered and static defenses don’t stand a chance if they can only detect what they’ve seen before. Signatures? Forget about it. Blacklisting? It can’t keep up.
In fact, any system that relies on prior knowledge of attack characteristics will have limited value. If an attack is successfully blocked, it morphs into something sufficiently new to penetrate your defenses. It’s impossible to stay ahead of an infinite number of threats that are constantly evolving.
CounterTack has a better way.
Instead of focusing on what the attack looks like, we focus on what the attack is trying to do.
In order for any attack to be successful, it needs to take several types of actions:
- Modify files
- Manipulate processes
- Exploit communications sessions
For example, if an attacker needs to manipulate a Windows registry file to advance the attack, the file needs to be changed. The operating system will only allow this to happen in a few different ways. That’s what we are watching. The attack might be dressed up in any number of ways to get past perimeter defenses and malware screens, and when it does, we’ll be there waiting for it.
Our deep knowledge of how operating systems modify files, processes and network sessions, and our ability to monitor activity deep in the operating system, enable us to focus on the critical behaviors of attacks, not on what the malware tools behind those attacks look like. We don’t need to keep up with the latest permutations of malware. That’s a losing battle. We need to understand what an attacker needs to manipulate and then monitor for that specific activity. And we have the tools to do just that.