It has been quite a while since I’ve last posted, but I am going to try and make a go of it and be a little more active on here.
The aim of this post is to provide you with an overview of Advanced Threat Protection / Prevention, which seems to be all the rage these days in the security product market. Over the past several months, I’ve had the pleasure of encountering these products on several engagements and even had the opportunity to work with some awesome security engineers who had tested, or were in the process of testing and implementing, this technology. This post will serve as an introduction to Advanced Threat Prevention and will be the basis for subsequent posts that will cover: ATP Evasion For Penetration Testers (Part 2), Testing ATP Products (Part 3), and ATP Network Implementation and Placement (Part 4).
It was quite difficult to come up with a title for this post, because each vendor has their own nomenclature for (essentially) the same technology, but generally “Advanced Threat Protection” or ATP seems to be accepted across the board. However, “Prevention” is more appropriate being that ATP is a preventative control. Marketing… ehh
Advanced Threat Prevention is a security control that uses a two-fold approach to stop malware from entering into and / or propagating across a network.
1. Signature-based detection to block known threats. I think it is safe to say that we all know the efficacy of signature-based detection, and that it isn’t all that. Signature-based detection is only as good as the latest update, and offers weaker protection against polymorphic and metamorphic viruses. Additionally, ATP product vendors obtain these signatures from other vendors that actually develop antivirus software. How good the AV vendor is at identifying new malware and how frequently they update their definitions both factor into how well this first line of defense will work. Not to mention… there are many evasive measures out there to subvert this type of detection. Enter the unknown…
2. Sandboxing for anything that bypasses signature-based detection. In case you are unfamiliar with sandboxing, all it boils down to is emulating the operating system on a virtual machine (with ATP, each product typically has several different sandbox profiles, each with a different version of Windows [mostly] and various service packs installed), executing the unknown file, and observing changes to and behavior of the VM after the file has been executed. This activity would include new processes, changes to the file system, registry changes, connection attempts, etc.
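To make the two-fold approach concrete, here is a small model of the pipeline as an added example (my own code, not any vendor's product): stage 1 is a digest lookup against a signature set, and stage 2 diffs before/after snapshots of the sandbox VM (processes, files, registry keys, connections) and scores the change. The signature set, the snapshots and the scoring rule are all constructed for illustration; a real product's scoring is far richer than this.

```python
import hashlib
from dataclasses import dataclass, field

# Stage 1 input: stands in for the AV vendor's signature feed (constructed value).
KNOWN_BAD = {hashlib.sha256(b"constructed known sample").hexdigest()}

@dataclass
class Snapshot:
    """State captured from the sandbox VM before and after the sample is executed."""
    processes: set = field(default_factory=set)
    files: set = field(default_factory=set)
    registry: set = field(default_factory=set)
    connections: set = field(default_factory=set)

def signature_check(sample: bytes) -> bool:
    """Stage 1: block the file outright if its digest is in the signature set."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD

def behaviour_diff(before: Snapshot, after: Snapshot) -> dict:
    """Stage 2: record what the sample changed on the VM after it ran."""
    return {
        "processes": sorted(after.processes - before.processes),
        "files": sorted(after.files - before.files),
        "registry": sorted(after.registry - before.registry),
        "connections": sorted(after.connections - before.connections),
    }

def verdict(diff: dict) -> str:
    """Constructed scoring rule (assumption, not a vendor's): a new Run key plus an
    outbound connection is malicious, any other change is suspicious, no change is clean."""
    persistence = any("CurrentVersion\\Run" in key for key in diff["registry"])
    if persistence and diff["connections"]:
        return "malicious"
    if any(diff.values()):
        return "suspicious"
    return "clean"

def analyze(sample: bytes, before: Snapshot, after: Snapshot) -> tuple:
    """Run both stages in order; the sandbox verdict only matters for files that pass stage 1."""
    if signature_check(sample):
        return ("blocked", "signature")
    diff = behaviour_diff(before, after)
    return (verdict(diff), diff)

# Constructed snapshots standing in for real VM observations.
BASELINE = Snapshot({"explorer.exe", "svchost.exe"}, {"C:\\Windows\\notepad.exe"},
                    {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"}, set())
AFTER_RUN = Snapshot(BASELINE.processes | {"sample.exe", "powershell.exe"},
                     BASELINE.files | {"C:\\Users\\Public\\upd.exe"},
                     BASELINE.registry | {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
                     {"203.0.113.10:443"})
```

Calling `analyze(b"unknown sample", BASELINE, AFTER_RUN)` returns a "malicious" verdict with the four change lists, while the same bytes against an unchanged baseline come back "clean".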
Let’s dig a little deeper. These products (from what I’ve seen) have three different sandbox implementations, which are all pretty straightforward.
Every control has its pros and cons. Advanced Threat Prevention is no different. These are some of the limitations that I have noticed:
So, I do want to reiterate that this is just an intro to what ATP is and how it works. Not too deep a dive, but enough to get us ready for what comes next. In the next post, I am going to discuss my experience with ATP and some of the ways that I have dealt with working around Advanced Threat Prevention from a penetration tester’s perspective.