The main infection vectors of today's advanced information-stealing malware are exploitation of application vulnerabilities and social engineering schemes that result in direct malware installation. This type of malware circumvents blacklisting of signatures and malicious behaviors, while whitelisting approaches (which can minimize malware evasion) are difficult to implement and manage.
Trusteer Apex is an automated solution that prevents exploits and malware from compromising enterprise endpoints and extracting information by providing three layers of security — exploit prevention, data exfiltration prevention, and credentials protection. Apex focuses on the behaviors of a small group of applications responsible for most exploitation events — Java™ technology, Adobe® Reader and Flash®, and Microsoft® Office.
Figure 1 details how these attacks unfold and the points at which Trusteer Apex stops the intrusion.
Figure 1. Where Trusteer Apex stops the attacks
The attacker can use a spear-phishing email to send an employee a weaponized document, one that contains hidden exploit code. When the user opens the document with a viewer, such as Adobe Acrobat or Word, the exploit code runs and attaches to an application vulnerability to silently download malware onto the employee's computer. The employee is never aware of this download.
Another option is to send a user a link to a malicious site. It can be a malicious website that contains exploit code or a legitimate website that was compromised (through a watering hole attack). When the employee clicks the link and the browser renders the HTML content, the exploit code runs and latches onto a browser (or browser plug-in) vulnerability to silently download malware onto the employee's computer.
The link can also direct the user to a phishing site (like a fake web app login page) to convince the user to submit corporate credentials.
After the attacker infects the computer with advanced malware or compromises corporate credentials, he's established a foothold within the corporate network and then can advance the attack.
Trusteer Apex protects organizations against such threats at three junctions:
- Exploit Prevention prevents exploitation attempts from compromising user computers.
- Exfiltration Prevention prevents malware from communicating with the attacker and sending out information if the machine is already infected with malware.
- Credentials Protection prevents users from using corporate credentials on non-approved sites (including phishing sites and public sites such as social networks or e-commerce sites).
Trusteer Apex applies a new approach to stop zero-day application exploits and data exfiltration. By analyzing application operations and state, the software can automatically and accurately determine whether an application action is legitimate or malicious.
A closer look at Trusteer Apex
As mentioned, the key capabilities of Trusteer Apex include the ability to:
- Shield endpoint apps from zero-day exploits.
- Prevent data exfiltration and credentials theft.
- Automate application state updates.
Look at each in a little more detail.
Shield endpoint apps from zero-day exploits
Trusteer Apex protects commonly exploited and widely used applications that process untrusted external content, including web browsers, Adobe Acrobat, Flash, Java, and Microsoft Office. It monitors application states and validates legitimate operations, such as file system access. It blocks the execution of files that are written to the file system through exploitation of vulnerabilities (such as when the application enters an unknown state), preventing malware from compromising the endpoint.
Apex performs these tasks by using stateful application control. It analyzes the action that occurs (the behavior) and the application memory state when it executes the action. It maps out all the legitimate application states for applications that are targeted and creates a whitelist of approved contexts. Trusteer also maps contexts that represent malicious data exfiltration. It compares these records to reality to determine whether an action is legitimate, malicious, or suspicious.
This technology doesn't scan the entire file system, so its impact on system resources and the endpoint is minimal.
Prevent data exfiltration
Information-stealing malware can be directly installed on endpoints by the user without requiring an exploit. To exfiltrate data, the malware must communicate with the Internet directly or through a compromised application process. Advanced malware uses a few evasion techniques to bypass detection. For example, it compromises another legitimate application process and might communicate with the attacker over legitimate websites (like forums and Google Docs).
Trusteer Apex stops the execution of untrusted code that exhibits data exfiltration states. It validates that only trusted programs are allowed to use data exfiltration techniques to communicate with external networks. The software uses a few different techniques to identify unauthorized exfiltration states and malicious communication channels and blocks them. Because it monitors the activity on the host itself, it has better visibility and can accurately detect and block these exfiltration states.
Prevent credentials theft
Employee credentials are a prime target for cyber criminals. If compromised, a hacker can use these credentials to log in and access sensitive business information. Key loggers are often used for stealing user credentials. They can target VPN clients that are used by remote employees to access the enterprise network or specific enterprise applications.
Trusteer Apex encrypts the keystrokes that are entered by the user. It prevents users from submitting credentials to phishing sites by validating the site to which they connect and blocking attempts to submit corporate credentials to unapproved sites.
In addition, Apex prevents users from reusing enterprise passwords on public sites that are constant targets of hackers who attempt to steal lists of user credentials. Users don't want to remember many passwords, so they tend to reuse passwords.
The Apex admin configures a list of approved URLs for enterprise application login in the Trusteer Management Application. The agent keeps a one-way hash of the passwords locally and compares against it when the user tries to log in to a web application. If the login is to an approved URL, it is allowed. If the URL is not on the approved list, the user is not allowed to use that password. This feature is optional and does not have to be enabled.
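The check described above, sketched as an added example; it is not Trusteer's code or its actual algorithm. The PBKDF2 parameters, the exact origin-plus-path matching rule, the sample URLs, and all function and class names are assumptions made for illustration.

```python
import hashlib, hmac, os
from urllib.parse import urlsplit

# Constructed allowlist; a real agent would receive this from its management console.
APPROVED_LOGIN_URLS = ["https://sso.corp.example/login",
                       "https://mail.corp.example/owa/auth"]

def _parts(url):
    """Reduce a URL to (scheme, host, port, path) so look-alike hosts cannot match."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, (p.hostname or "").lower(), port, p.path or "/"

def is_approved(url, approved=APPROVED_LOGIN_URLS):
    try:
        target = _parts(url)
    except ValueError:               # malformed port or host: treat as unapproved
        return False
    # Require HTTPS and an exact origin-plus-path match (assumed matching rule).
    return target[0] == "https" and any(target == _parts(a) for a in approved)

class CorporatePasswordStore:
    """Holds only salted one-way digests of enrolled passwords, never the passwords."""
    ITERATIONS = 200_000             # assumed work factor for this example

    def __init__(self):
        self._salt = os.urandom(16)  # per-endpoint random salt
        self._digests = []

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self._salt, self.ITERATIONS)

    def enroll(self, password):
        self._digests.append(self._digest(password))

    def matches(self, candidate):
        d = self._digest(candidate)
        return any(hmac.compare_digest(d, known) for known in self._digests)

def check_submission(store, url, submitted_password):
    """Return "allow" or "block" for a password about to be submitted to url."""
    if not store.matches(submitted_password):
        return "allow"               # not a corporate password: outside this control
    return "allow" if is_approved(url) else "block"
```

Comparing parsed hosts rather than raw strings is what keeps `sso.corp.example.evil.test` and `sso.corp.example@evil.test` from passing as the approved site.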
Automate application state updates
The Trusteer Apex Stateful Application Control engine is easy to manage and maintain because it is based on validation of legitimate application states that are few and stable. New legitimate application states are automatically detected based on research that is continuously performed on a network of 30 million protected endpoints. Trusteer automatic updates do not require user disruption.
Apex comes with a complete whitelist of legitimate application states that are based on intelligence that is gathered from these 30 million endpoints. Because the software already protects both managed and unmanaged endpoints that belong to customers of financial institutions, Trusteer assembled and tested a full roster of real-world platform/application combinations.
When an unknown application state is detected, the Trusteer software automatically handles the whitelisting process for that state. This level of automation removes much of the management efforts that are associated with application control implementations.
How Trusteer fits into IBM Security Systems
The family of Trusteer cloud-based software provides two layers of protection and a top-level database, arranged in the following way:
- The components in the first layer provide endpoint
  - Trusteer Mobile offers an embedded security library for native mobile apps, a dedicated mobile browser, and out-of-band authentication.
  - Trusteer Rapport offers prevention and remediation of malware and phishing threats on PCs and Macs.
  - Trusteer Apex handles zero-day exploits and data exfiltration prevention for employees' endpoints.
- The components in the second layer deliver clientless fraud
  - Trusteer Pinpoint consists of two products:
    - Account Takeover (ATO) Detection correlates multiple fraud risk indicators for conclusive account takeover and mobile risk detection.
    - Malware Detection performs clientless detection of Man-in-the-Browser malware-infected endpoints.
  - Trusteer Mobile Risk Engine is designed to detect mobile and cross-channel fraud.
- At the top is the Trusteer Cybercrime Intelligence, a global threat intelligence and fraudster database that includes data from tens of millions of Trusteer-protected endpoints.
Figure 2 shows the architectural structure of the Trusteer component products.
Figure 2. The Trusteer products hierarchy
The IBM Security Framework (Figure 3) gains from integrating Trusteer component features by:
- Strengthening web-based fraud protections for financial services and web commerce customers.
- Adding to IBM MobileFirst security initiatives by enabling secure transactions from devices to back-office servers.
- Extending ATP capabilities (Advanced Threat Protection) by increasing the ability to identify and stop advanced threats.
- Delivering security-as-a-service and enabling rapid deployment of security-related products and updates.
Figure 3. The IBM Security Framework
Creating a stronger security profile
Together, IBM and Trusteer products can create a strong security profile for your organization by helping you to:
- Enhance your threat intelligence to quickly adapt and respond to malware and emerging threats. Combine the Trusteer Cybercrime Intelligence database with IBM X-Force's Global Threat Intelligence and research and development.
- Increase mobile transaction security. Connect Trusteer Mobile Risk Engine with IBM's MobileFirst platform, the IBM Worklight mobile development environment, and IBM Endpoint Manager software.
- Extend fraud detection to e-commerce and identity and access management. Use Trusteer Pinpoint and Rapport with IBM Security Access Manager and IBM WebSphere Application Server.
- Counter advanced threats (including zero-day exploits). Try Trusteer Apex with IBM QRadar Security Intelligence Platform, IBM Security Network Intrusion Prevention System (IPS), and Endpoint Manager.