https://www.engineeringnews.co.za

Strategies for proactively combating cyberattacks

MOHAMMAD AMIN HASBINI
Threat intelligence and investigating security incidents are key to an adaptive strategy


1st July 2016

By: Schalk Burger

Creamer Media Senior Deputy Editor

  


Active and adaptive cybersecurity is the most effective strategy to proactively combat increasingly complex cyberattacks, as cybersecurity systems are then constantly improved to counter threats and attacks, says Kaspersky Lab senior security researcher Mohammad Amin Hasbini.

Kaspersky Lab’s Anti Targeted Threat platform uses emulation systems, commonly called sandboxing, to determine the information malicious software (malware) is searching for, the systems it targets, the external sites it tries to communicate with and the methods it uses.

The platform also performs advanced network behaviour analysis to monitor abnormal behaviour by collecting data about network-active processes that are running on the business end points.

This information, in combination with the commonly used cybersecurity tools, enables companies to determine which elements of the network or corporate information the malware is targeting, and to then improve protection of these elements.

Typical cyberattack detection tools use network traffic and data logs, as well as simple malware code-signature recognition and packet-scanning systems, to detect cyberattacks.

However, advanced threats are designed to avoid these types of detection. This is why emulating suspected malicious files and code in a virtual environment and then collecting data about their behaviour is an effective way of uncovering advanced threats and persistent threats, discovering breaches and finding compromised devices, explains Hasbini.

Advanced malware is often designed to detect when it is within an emulation environment and not to carry out any malicious processes while in a sandbox. However, effective sandboxing systems that emulate network elements and end point systems enable the company to determine what the malicious program is trying to connect to, the data it is targeting or trying to gather and the external site it is trying to connect to.

“Determining the key behavioural activities of the malware enables security administrators to determine an effective protection or prevention strategy by identifying which network elements are targets, and what information or which users are vulnerable or targets, and then actively scanning devices and network elements for signs of whether they have been compromised, before isolating and remediating them,” says Hasbini.

Threat intelligence is, thus, key to an adaptive strategy, he emphasises, noting that this encapsulates international, local, industry-specific and a company’s own threat intelligence.

The necessity and importance of threat intelligence means that forensic investigations following a detected breach or attack are very important, as the information can be used to limit further damage, contain the malware, determine what data or devices are compromised and help to refine security defences against that malware and similar malware.

“Especially in mature information technology environments, a security incident does not happen very often, and this is why every incident must be investigated. While the necessity of an investigation does depend on the nature of the incident and the industry in which it occurred, investigations help to ensure that security administrators are aware of what is happening in the industry and help to refine the security strategy and the subsequent security measures to be taken,” concludes Hasbini.

Edited by Martin Zhuwakinyu
Creamer Media Senior Deputy Editor
