I was on a "road show" over the last few months, talking to customers about new waves of attacks and how they're designed to avoid traditional detection capabilities.
What impressed me during those events were some of the concerns customers raised about their existing network protection technologies.
Some questions raised:
"Why doesn't my IPS protect me against these so-called "APTs"?"
"I have a web gateway. Tell me why this isn't enough."
"I have a SIEM. If something new shows up I will notice it immediately"
and some other similar questions were raised...
Based on that, I tried to explain the differences between "User Side" and "Server Side" attacks and the different approaches and detection vectors used by some techniques/tools. Later, I decided to post it here as well.
So, let's start by discussing the difference between "User Side" and "Server Side" attacks.
To understand user-side attacks, let us first briefly describe server-side attacks, which we can then contrast with user-side attacks.
Servers expose services that clients can interact with. These services must accept connections from anyone who wants to use them, so as a server exposes a service it also exposes an attack surface: the attacker initiates the connection, sends the malicious input, and the vulnerable code runs on the server.
User-side attacks are quite different. They target vulnerabilities in client applications and are triggered by a user action: the user connects to a malicious server or opens malicious data. Here, the user (not the attacker) initiates the connection that could result in an attack, and the malicious content travels in the reply.
A typical example of a user-side attack is a malicious web page targeting a specific browser vulnerability; if the attack is successful, the malicious server gains complete control of the client system. User-side attacks are not limited to the web setting, but can occur on any client/server pair, for example e-mail, FTP, instant messaging, usage of an office application, etc.
IPSs, UTMs, firewalls and most of the traditional network defenses are designed to protect services running on a network, not the end user. They must be fast enough to receive traffic, analyze packets, identify a threat and act on it without introducing latency, so they cannot perform a deep analysis of an object. Not in real time.
They are mostly based on a set of pre-defined rules (signatures) that trigger an action when matched, which means they can only flag what someone has already seen and written a rule for.
Even newer devices with behavioral capabilities cannot perform deep analysis, and how many of you got tired of "false positives" when those behavioral analyses were fully enabled? Security teams are usually small, and dealing with false positives is a huge problem. The trade-off is not always a good one for those teams.
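To make the "pre-defined rules" point concrete, here is an added example (it is not code from the original post, and the JavaScript snippets in it are constructed for the illustration, not a real exploit). A signature written for a known heap-spray page is run over the same script in four trivially different forms, plus a benign page. A cheap static normalization recovers two of the variants, a looser rule catches everything but also flags the benign page, and the variant that builds its payload at runtime escapes everything short of actually executing the script, which is exactly the deep analysis an inline device cannot afford at line speed.

```python
import re

# Constructed samples of a script as a network device would see it on the wire.
# These are made up for this example; they are not real exploit code.
SAMPLES = {
    # 1. The page the rule author saw: the NOP-sled pattern appears literally.
    "original": 'var sled = unescape("%u9090%u9090%u9090"); spray(sled);',
    # 2. Same behaviour, string split into pieces: the literal pattern never appears.
    "split": 'var sled = unescape("%u90" + "90%u" + "9090%u9090"); spray(sled);',
    # 3. Same behaviour, "%" written as a hex escape instead of the raw character.
    "escaped": 'var sled = unescape("\\x25u9090\\x25u9090\\x25u9090"); spray(sled);',
    # 4. Pattern assembled at runtime (37,117,57,48,57,48 == "%u9090"):
    #    nothing resembling the signature exists until the script executes.
    "runtime": 'var p = String.fromCharCode(37,117,57,48,57,48); var sled = unescape(p+p+p); spray(sled);',
    # 5. Benign page that happens to use unescape().
    "benign": 'var name = unescape("%4A%6F%65"); greet(name);',
}

# Ground truth for the constructed set: everything except the benign page.
MALICIOUS = {"original", "split", "escaped", "runtime"}

# A tight pre-defined rule of the kind an IPS/IDS/web gateway matches at line speed.
SIGNATURE = re.compile(r"%u9090%u9090")

# A looser rule someone might write to "catch the variants".
LOOSE_SIGNATURE = re.compile(r"unescape\(")


def signature_match(script: str) -> bool:
    """Pure pattern matching over the bytes on the wire."""
    return SIGNATURE.search(script) is not None


def loose_match(script: str) -> bool:
    """Broader rule: flags any use of unescape()."""
    return LOOSE_SIGNATURE.search(script) is not None


def normalize(script: str) -> str:
    """Cheap static normalization, still without executing anything:
    join adjacent string literals ("a" + "b" -> "ab") and resolve \\xNN escapes."""
    joined = re.sub(r'"\s*\+\s*"', "", script)
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), joined)


def normalized_match(script: str) -> bool:
    """Tight signature applied after normalization."""
    return signature_match(normalize(script))


def evaluate(detector) -> dict:
    """Run a detector over every sample and report what it caught, what it
    missed, and which benign samples it flagged."""
    caught = sorted(n for n in MALICIOUS if detector(SAMPLES[n]))
    missed = sorted(n for n in MALICIOUS if not detector(SAMPLES[n]))
    false_positives = sorted(n for n in SAMPLES
                             if n not in MALICIOUS and detector(SAMPLES[n]))
    return {"caught": caught, "missed": missed, "false_positives": false_positives}


if __name__ == "__main__":
    for name, detector in (("tight signature", signature_match),
                           ("signature after normalization", normalized_match),
                           ("loose signature", loose_match)):
        print(f"{name:32s} {evaluate(detector)}")
```

The "runtime" sample is the interesting one: no amount of regex tuning finds a string that does not exist yet, so catching it means running or emulating the script, and the "loose signature" row shows the other side of the trade-off the post describes, where widening the rule to catch the variants is paid for in false positives.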
Antivirus and anti-malware products, on the other hand, are focused on the user side, but they were built on the same premises we already discussed, and they suffer from the same problems.
Far be it from me to say that we don't need them. We definitely need all of those technologies, but what must be clear is that they cannot protect networks against 100% of threats. Additional security layers are needed.
Think about "BYOD" for a while... Where's your network border right now? How do you protect your users if they're not under your umbrella anymore? Sometimes even their devices are not under your control.
That's why user-side attacks currently represent an easy attack vector: most attention in protection technology has been focused on protecting exposed servers from remote attackers, and most of the available technologies are based on "the already known". They're not designed to catch something new/smart like Gauss or Flame.
I hope this helps to clarify things a little.