It’s a statement we make nearly every day. Bit9 detects and stops advanced attacks (advanced persistent threats) long before they are publicly known.
We know it’s true and when it happens in one of our customer deployments, it’s gratifying. This was the case the first week in March when one of our customers shared with us how they stopped an advanced attack – one that leveraged an unpatched “zero-day” vulnerability in a common software package.
On March 8, one of our customers informed us that they saw an attempted attack come through via a targeted email containing an Excel file (a spear phishing attack). The Excel file contained an embedded Flash (swf) file that exploited a zero-day vulnerability in Adobe Flash. Bit9 stopped the malicious file because neither Excel nor Flash is authorized to create new executable content. Our console reported what had been attempted, and our customer worked directly with Adobe to help them identify the flaw. This occurred prior to the public announcement of the RSA breach.
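To make the two ideas in that incident concrete, here is an added illustration (not Bit9's code and not from the customer's deployment): a naive scan for Flash (SWF) headers hidden inside a document, and a toy version of the rule that Excel and Flash are not authorized to create new executable content. The process names, trust lists and sample bytes are constructed for the example.

```python
"""Added example, not Bit9's code: a toy model of the checks the post implies,
run over constructed data. All process names, paths and bytes are made up."""
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")          # uncompressed, zlib, LZMA Flash headers
EXEC_MAGICS = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
# Assumed policy: document/plugin processes may never introduce executable content.
NO_EXEC_WRITERS = {"excel.exe", "flashplayer.exe", "winword.exe"}
# Assumed policy: the only processes approved to write executables (default deny).
TRUSTED_UPDATERS = {"msiexec.exe", "approved-updater.exe"}


def find_embedded_swf(blob: bytes) -> list[dict]:
    """Return plausible SWF headers found anywhere inside a blob (e.g. an OLE
    stream of an .xls). A SWF header is magic(3) + version(1) + uint32 LE
    uncompressed length; the sanity bounds cut down false positives."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (i := blob.find(magic, start)) != -1:
            start = i + 1
            if i + 8 > len(blob):
                continue
            version = blob[i + 3]
            length = struct.unpack_from("<I", blob, i + 4)[0]
            if 1 <= version <= 50 and 8 <= length <= 64 * 1024 * 1024:
                hits.append({"offset": i, "magic": magic.decode(), "version": version, "length": length})
    return hits


def decide_file_write(writer: str, path: str, head: bytes) -> tuple[str, str]:
    """Whitelisting rule for a file-write event: who wrote it, and is it executable?"""
    writer = writer.lower()
    kind = next((name for m, name in EXEC_MAGICS.items() if head.startswith(m)), None)
    if kind is None and head.startswith(SWF_MAGICS):
        kind = "Flash SWF"
    if kind is None:
        return "allow", f"{path}: not executable content"
    if writer in TRUSTED_UPDATERS:
        return "allow", f"{path}: {kind} from trusted updater {writer}"
    if writer in NO_EXEC_WRITERS:
        return "block", f"{path}: {writer} may not create {kind}"
    return "block", f"{path}: {kind} from unapproved writer {writer}"


# Constructed "spear-phishing workbook": an OLE signature, padding, then a fake SWF header.
SAMPLE_XLS = b"\xd0\xcf\x11\xe0" + b"\x00" * 32 + b"CWS\x0a" + struct.pack("<I", 4096) + b"\x00" * 16

if __name__ == "__main__":
    print(find_embedded_swf(SAMPLE_XLS))
    print(decide_file_write("EXCEL.EXE", r"C:\Users\u\AppData\Local\Temp\a.exe", b"MZ\x90\x00"))
```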
While many of our customers have advanced network forensics tools in order to detect attacks, those tools do not proactively prevent them. In this case, if the attack had gotten through, the advanced network forensics tool may have detected it, but some damage would already have been done. The same goes for antivirus, since this attack exploited a previously unknown flaw.
In my view, application whitelisting is the only tool that protects against unknown attacks using unknown vulnerabilities. In addition, the full visibility provided by the technology can play a key role in providing behavioral and forensic analysis of early attacks.
Looking at the world practically, there still is a need for added layers of defense, multiple roadblocks if you will, to prevent malicious actors from penetrating networks and hosts. Here is a view on a stacked approach to security.