Protecting your Business Against Attack Vectors and the Evolving Threat Landscape

Understanding Attack Vectors

An attack vector is the way that an adversary can gain unauthorized access to your network or devices. Over the years, there have been dozens of different attack vectors, many of which have adapted and evolved over time to cause harm or hold companies hostage. Today, networks and organizations are interconnected using both private and public clouds leaving the door ajar for attack vectors that are more sophisticated than ever. What should smart businesses look out for, and how can they protect themselves?

The Evolution of Cyber Attack Vectors

Traditionally, having hardened perimeter security was enough to protect data centers. Layers of security to detect and prevent a breach coming into or out of the data center meant that you could ward off attack vectors to your infrastructure and hardware, which was almost exclusively on-premises.

Cloud and mobile solutions have changed all of this. The reality for data centers today is keeping data private and secure while running an environment that spans public, private and hybrid clouds. Companies now use a mix of compute resources: containers, serverless functions and VMs. However, attackers are not just targeting your compute resources; they are sneaking in via routers, switches, storage controllers and sensors. From this vantage point, attackers can then scale their attack, compromising an entire network through lateral movement and connected devices. The MITRE ATT&CK Framework is a great resource to dive deeper into the different initial access techniques¹.

As the way we access the internet changes, cyber attack vectors adapt right alongside it. Assuming that we are plugging all the holes on the IT side is not enough. The human factor has always been a key vulnerability in any security scheme, and it has become more prevalent with the advance in end-user technology in recent years. Smartphones are a good example. Mobile attack vectors were not something any organization had to be aware of a decade ago, and now they are an ever-present reality providing an easy gateway into many organizations.

While most people know not to click on dangerous links that arrive via SMS from unknown numbers, and no longer fall prey to email phishing campaigns like unexpected warnings that your bank password has been changed, new attack vectors come from unexpected places. The recent Man in the Disk attacks on Android devices are something no one could have anticipated. This class of attack relies on third-party applications' careless use of external storage, which is not covered by Android's sandbox restrictions². Such careless use of external storage can lead to malicious code injection, or the silent installation of unrequested apps on the user's device. From there, it is a short step for an attacker to leverage that foothold into access to the data center.

As technology evolves, there are more ways than ever for bad actors to launch attacks. Smart devices and cloud solutions only serve to increase the number of platforms that can be used for malicious intent.

Which Attack Vectors Are the Biggest Threats Today?

Email and phishing schemes have been the attack vectors of choice for a large number of attacks over the past few years. However, as simple attacks become more recognizable, more complex threats are increasingly in vogue. Worryingly, the trend in malware is a movement away from reliance on human error, towards clever attack vectors that can strike without any conscious act by the user whatsoever³. Man in the Disk was just one example of this.

Take drive-by downloads. A user only has to visit a compromised website, and malicious code can be delivered through their web browser. Once done, this can swiftly move laterally across a network. Mouse-hover attacks are also growing: a technique that launches JavaScript when a user hovers over a link to see where it goes. This has been seen in familiar applications such as PowerPoint, showing that even what users consider to be 'safe' environments can be dangerous. Increasingly sophisticated attack vectors that can spread without a user's knowledge or initial action are only going to become more common over time. If these tactics are leveraged against a user with administrator access to your data centers, the results could be catastrophic.

Administrator access could be the weak link when it comes to keeping your data centers safe overall. By obtaining admin privileges, adversaries gain access to the most valuable information you store, and can therefore cause the most harm. It's important to think about the way your business works in a crisis when you're planning preventive security measures. Local authentication options used in an emergency are often not logged in the same way as your admins' usual activity, and the credentials may even be shared across workloads and hosts for the sake of ease of use.

As well as smarter attack vectors, the growth in threats such as fileless attacks shows that attackers are getting better at covering their tracks. 77% of cyber-crime in the US last year used a form of fileless attack⁴. Research shows that this type of malware is ten times as likely to succeed as traditional file-based attacks, and helps attackers stay well beneath the radar.

AI is also an area that is likely to be compromised in the near future, with many companies creating chatbots and machine learning tools as the customer-facing representative of their websites and apps. As virtual assistants are built by humans, they are subject to the same gaps that human knowledge has. Studies are beginning to show that AI has problems with hallucinations and recognition⁵. Let loose on customer data and processes, it’s easy to see how advanced malware may slip through the cracks.

More than ever, in preparation for the next stage of intelligent malware, companies need to secure their data centers effectively against the latest attack vectors.

How Can Businesses Protect Themselves from Cyber Attack Vectors?

Keeping your IT environment safe from the latest attack vectors means being able to detect threats faster, and with better intelligence.

This starts with visibility. Being able to identify application flows across your entire infrastructure means that you have granular visibility across your whole IT stack. Dynamic deception tactics automatically trap attackers, even when the end-user isn’t aware of what is going on under the surface. Reputation analysis instantly uncovers anything suspicious or out of the ordinary, from unexpected IP addresses and domain names to file hashes within application flows. Even new attack vectors are isolated in real-time, with mitigation recommendations so that incident response is streamlined.

Ring-fencing, the separation of one specific application from the rest of the IT landscape, is one way that companies are limiting the reach of the latest attack vectors to their most sensitive data or valuable assets. This and other kinds of micro-segmentation allow your business to truly limit the attack surface of any potential breach.

There are a number of benefits to this. Regardless of operating system limitations, communication policy can be enforced at the Layer 4 transport level as well as the Layer 7 process level. By segmenting your flows according to the principle of least privilege, you ensure that even if a breach occurs it is quickly isolated, and attackers are unable to move laterally or scale their intrusion any further. When micro-segmentation is enforced alongside breach detection and threat resolution, even new attack vectors quickly become a known quantity and are unable to pose real danger.
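To make the Layer 4 / Layer 7 distinction concrete, here is an added example (not GuardiCore's code) of a minimal, default-deny micro-segmentation policy model: a flow between two labelled workloads is allowed only if an explicit rule matches its protocol and port (Layer 4) and the processes on both ends (Layer 7). The labels, rules, flows and process names are constructed sample data.

```python
"""
Added example: a label-based, default-deny segmentation policy evaluated at
Layer 4 (protocol/port) and Layer 7 (process on each end of the flow).
All workload labels, process names and flows below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src: str                 # source workload label, e.g. "app:web"
    dst: str                 # destination workload label
    proto: str               # "tcp", "udp" or ANY
    port: Optional[int]      # None means any destination port
    src_proc: str = ANY      # L7: process initiating the connection
    dst_proc: str = ANY      # L7: process listening on the destination


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    src_proc: str
    dst_proc: str


def _match(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only when every Layer 4 and Layer 7 attribute agrees."""
    return (rule.src == flow.src and rule.dst == flow.dst
            and _match(rule.proto, flow.proto)
            and (rule.port is None or rule.port == flow.port)
            and _match(rule.src_proc, flow.src_proc)
            and _match(rule.dst_proc, flow.dst_proc))


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """First matching allow rule wins; with no match the flow is denied."""
    for rule in policy:
        if rule_matches(rule, flow):
            return "allow", rule
    return "deny", None


def audit(policy: List[Rule], flows: List[Flow]) -> List[str]:
    """Decision per flow, in order; handy for reviewing an observed flow map."""
    return [evaluate(policy, f)[0] for f in flows]


# Constructed least-privilege policy for a three-tier app: only the two
# flows the application genuinely needs are permitted, pinned to processes.
POLICY = [
    Rule("app:lb", "app:web", "tcp", 443, dst_proc="nginx"),
    Rule("app:web", "app:db", "tcp", 3306, src_proc="php-fpm", dst_proc="mysqld"),
]

# Constructed flows as an observed flow map might report them.
FLOWS = [
    Flow("app:lb", "app:web", "tcp", 443, "haproxy", "nginx"),    # legitimate
    Flow("app:web", "app:db", "tcp", 3306, "php-fpm", "mysqld"),  # legitimate
    Flow("app:web", "app:db", "tcp", 22, "bash", "sshd"),         # L4: port not allowed
    Flow("app:web", "app:db", "tcp", 3306, "bash", "mysqld"),     # L7: right port, wrong process
    Flow("app:web", "app:web", "tcp", 445, "bash", "smbd"),       # no rule at all: denied
]

if __name__ == "__main__":
    for flow, decision in zip(FLOWS, audit(POLICY, FLOWS)):
        print(f"{decision:5} {flow.src} -> {flow.dst}:{flow.port}/{flow.proto} "
              f"({flow.src_proc} -> {flow.dst_proc})")
```

The fourth flow is the interesting one: a Layer 4 rule alone would allow it, but pinning the rule to `php-fpm` and `mysqld` denies a shell on the web tier reaching the database over the "correct" port.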

Staying Safe Against Future Cyber-Attack Vectors

The way that data is stored and transferred is dynamic in and of itself. Our methods and processes are always changing as the capabilities of the cloud and the hybrid nature of our IT environments continue to grow. In direct response, attack vectors will never stay the same for long, and attackers will always have new tricks up their sleeve to compromise the latest solutions and catch us unawares. As well as current attack vectors that take advantage of IoT devices and infiltration that requires no user mistake, predictions for the future include AI-driven malware and an increase in fileless malware attacks, allowing attackers to hide their activities from detection.

The only solution is true visibility of all your applications and workflows. Using this mapping alongside a segmentation policy that controls communication flows can stop attackers in their tracks at the smallest sign of an anomaly. Even against new or unknown attack vectors, these tools enable true threat resolution that can protect your entire infrastructure in real time.


1. https://attack.mitre.org/wiki/Main_Page
2. https://research.checkpoint.com/androids-man-in-the-disk/
3. https://churchm.ag/was-it-human-error/
4. https://www.securityweek.com/fileless-attacks-ten-times-more-likely-succeed-report
5. https://www.wired.com/story/ai-has-a-hallucination-problem-thats-proving-tough-to-fix

GuardiCore’s Journey from Vision to Best-in-Class Micro-Segmentation

Micro-segmentation as we know it today has gone through several stages in the last few years, moving from a rising trend for securing software-defined data centers to a full-blown cyber security technology and a top priority on the agenda of nearly every CISO.

Built on the vision of securing the hybrid cloud and software defined data centers, we started our journey in 2013, thinking how to solve what in our opinion was a huge challenge for a market that did not exist at that time. In this post we’ll share how we created the micro-segmentation solution that is considered the best on the market – from vision to execution.

2015: First steps towards segmentation

Throughout the second half of 2015, we started delivering our micro-segmentation methodology after realizing that understanding how applications communicate inside the cloud was the key to success and as such – must be addressed first. “You can’t protect what you can’t see” wasn’t coined by GuardiCore but was immediately embraced by us when we started planning our micro-segmentation solution. We started developing our visibility solution Reveal, a visual map of all the applications running in the data center, all the way down to the process level. Reveal allows you to view applications and the flow they create in real time while also providing historic views. For the first time, admins and security teams were able to easily discover the running applications, one by one, and then review relations between the application tiers. Early releases supported general data center topologies as well as Docker containers.

2016: Gartner names micro-segmentation a top information security technology

We launched our segmentation solution at the RSA conference 2016 with a big splash. Reveal gained a lot of coverage and was well received by security teams who were lacking the proper tools to see the application flows in their data centers. It was one of the hottest security products at RSA 2016 and for a good reason!

It is important to note that when micro-segmentation was included in Gartner's Top 10 Technologies for Information Security in June 2016, many security professionals were unaware of the concept. In that report Gartner stated that to prevent attackers from moving "unimpeded laterally to other systems" there was "an emerging requirement for microsegmentation of east/west traffic in enterprise networks". Enthusiasm was then at its peak: micro-segmentation was widely covered in the media, and conferences dealing with the technology abounded.

2017: Micro-segmentation for early adopters

Micro-segmentation was gaining traction as one of the most effective ways to secure data centers and clouds, but organizations learned the hard way that the path to meaningful micro-segmentation was full of challenges. Incomplete visibility into east-west traffic flows, inflexible policy engines and lack of multi-cloud support were among the most cited reasons. Throughout 2017 market penetration was around 5% of the target audience, and micro-segmentation was far from mainstream. Andrew Lerner, Research Vice President at Gartner, noted in a blog post that "Micro-segmentation is the future of modern data center and cloud security; but not getting the micro-segmentation-supporting technology right can be analogous to building the wrong foundation for a building and trying to adapt afterward".

That year GuardiCore tackled these challenges head on. Based on the feedback we received from our growing customer base, we added flexible policy management and moved on from relying only on third-party integrations to add native enforcement at the flow and process levels. Customers were able to move from zero segmentation to native enforcement in three easy steps: revealing applications, building policies and natively enforcing those policies.

2018: Our solution takes complexity out of micro-segmentation

Today, micro-segmentation serves as a foundational element of security in any data center. According to a Citigroup report, cloud security is the number one priority among CISOs in 2018, with micro-segmentation the top priority in plans to purchase in this category. Concentrated effort on the part of organizations from different industries has resulted in a better understanding of the technology. This year we were able to deploy micro-segmentation across all types of environments, from bare metal to virtual machines, through public cloud instances and recently to containerized environments.

So if you are planning a micro-segmentation project let’s talk. We can show you how to do it in a way that is quick, affordable, secure, and provable across any environment.

Former IBM Executive Joins GuardiCore as Vice President of Corporate Strategy

Security Leader Ola Sergatchov to Drive and Execute Growth Trajectory on a Global Scale


Lateral Movement Security

While IT security teams often devote significant attention to perimeter protection, east-west traffic is outgrowing north-south traffic in both volume and strategic importance due to changes in data center scaling approaches, new big data analysis needs, and growing use of cloud services with a less defined perimeter. It’s more important than ever for IT security teams to develop their capabilities to prevent lateral movement in these types of environments. Read more about lateral movement security.

Streamlining the Process to Maintain a PCI Compliant Data Center for Your Organization

Compliance with PCI regulations is not a one-time job that you can complete, and then check off your list. According to Verizon, who publish their regular Payment Security Report, “80% of companies that passed their annual assessment failed a subsequent interim assessment, which indicates that they’ve failed to sustain the security controls they put in place.”

Any business that works with payment data recognizes the challenges involved with maintaining a PCI compliant data center. IT environments are becoming increasingly complex, with diverse and dynamic technologies that are constantly changing to best support customer needs and to provide competitive differentiation. Even small companies with relatively simple company structures still may have on-premise data centers, virtual backups, SaaS applications or IaaS in both the public and private Cloud, and payment information on physical machines or devices internally. Many of these go through regular application or organizational changes that disrupt your ability to be compliant, as they shift data and workloads to meet demand.

Additionally, PCI regulations are not static; they change as the industry learns more about security and as wider threats evolve. This obviously has an influence on the security tools your business needs. With all this to consider, how can you bring your organization on board for sustainable compliance?

Streamlining a Rolling PCI Compliance Process and Creating a PCI Compliant Data Center with These 4 Phases

  1. Reduce the scope and include fewer elements in your annual assessment
  2. Outsource your PCI strategy, or some specific components of it
  3. Select a comprehensive platform approach
  4. Make PCI compliance an integral part of your company culture, remaining vigilant to keep abreast of changes in regulations to continue prioritization of sustained PCI compliance

Reduce the Scope

According to the PCI Security Standards Council (SSC), the cardholder data environment (CDE) and all connected systems are considered to be 'in scope.' In fact, a system component can only be 'out of scope' if it is unable to communicate with any other component within the compliance environment, and therefore cannot compromise the security of the CDE. It's worth remembering that even isolated networks need to be documented in your compliance report. This definition makes reducing scope, and thereby reducing the elements you need to include in your annual assessment, difficult.

    • Tokenization: One way to go about the task of reducing scope is to reduce the data itself. Think about truncating or masking PAN (primary account number) data, which is rarely required in full, or consolidating the systems that store cardholder data, whether that's hardware or software. Some companies replace PAN data with a fixed-length message digest, or use tokenization, which allows this data to then be removed from scope. Point-to-point encryption (P2PE) is becoming more popular as a way to remove merchant services from scope altogether.
    • Segmentation & Micro-segmentation: Another tactic is reducing scope using architecture. Traditionally, firewalls were used to create partitions and enforce network zones, while segmentation gateways were shown to improve access control both internally and externally. Virtual LANs with strong ACLs were shown to have the same effect. Everything changed with the advent of cloud-based and hybrid solutions, and today there is no such thing as a simple IT environment. While segregation can help reduce scope using a combination of methods such as IP address restriction, communication protocol restriction, port restriction and application-level restriction, micro-segmentation is garnering the most attention.
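The three data-reduction techniques named under Tokenization above (masking the PAN, replacing it with a fixed-length digest, and tokenization through a vault) are shown together in this added example, which is not code from the page or from GuardiCore. It assumes a keyed digest (HMAC) rather than a plain hash, because an unkeyed hash of a PAN is trivially reversible by enumerating card numbers, and it keeps the vault as the one component that still holds cardholder data and so stays in scope; the card numbers used are standard test numbers.

```python
"""
Added example: PCI scope-reduction helpers for cardholder data.
- mask_pan: keeps only the first six and last four digits for display
- pan_digest: keyed, fixed-length digest (HMAC-SHA256) for matching/analytics
- TokenVault: replaces a PAN with a random token; only the vault stays in scope
The key and the PANs below are constructed test values.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check, the checksum every real PAN must satisfy."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated form (first 6 + last 4) that does not count as a full PAN."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_digest(pan: str, key: bytes) -> str:
    """Keyed digest: same PAN -> same 64-hex-char value, but only with the key.
    An unkeyed SHA-256 would be reversible by brute force over the PAN space."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Minimal tokenization vault (assumed design, not a specific product).
    Tokens carry no card data; the vault itself remains in PCI scope."""

    def __init__(self, digest_key: bytes):
        self._key = digest_key
        self._by_token = {}     # token  -> PAN
        self._by_digest = {}    # HMAC(PAN) -> token, so repeat PANs reuse a token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize an invalid PAN")
        d = pan_digest(pan, self._key)
        if d not in self._by_digest:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
            self._by_token[token] = pan
            self._by_digest[d] = token
        return self._by_digest[d]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    pan = "4111111111111111"                     # standard Visa test number
    print(mask_pan(pan), pan_digest(pan, b"constructed-demo-key")[:16] + "...")
    tok = vault.tokenize(pan)
    print(tok, vault.detokenize(tok) == pan)
```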

Micro-segmentation supports your staff in working at a process or identity level, setting the rules you need to keep your network secure. As you control the flow of data from process to process, the idea of a breach is no longer catastrophic, as even in the worst-case scenario it is automatically isolated and easily resolved. The benefits are clear. As well as gaining deep visibility and wide coverage of your architecture, micro-segmentation limits its complexity, making continued compliance that much easier.


Outsourcing for Compliance

Most enterprises have identified that while their environments continue to grow in complexity, their staffing size and skill sets remain somewhat static. There is a growing demand for qualified IT staff, and the growth in the workforce hasn't kept pace. Executives continue to complain about a shortage of skilled employees. In fact, a January 2018 research study by ESG showed that 51 percent of respondents claimed their organization had a problematic shortage of cybersecurity skills.

Many enterprises have found that outsourcing specific components of their PCI strategy to Managed Security Services Providers is the right solution. In the right situations, outsourcing might help you reduce scope, or add tools that help maintain a compliant data center.

  • Security Outsourcing to MSSPs: PCI requirements include keeping an up-to-date antivirus solution, along with SIEM/logging capabilities, file integrity monitoring, and vulnerability and patch management. These are great examples of functions that can be outsourced to competent MSSPs, effectively outsourcing compliance in an affordable way that takes advantage of third-party expertise. Of course, antivirus solutions are not all created equal. Some options will provide an added layer of vulnerability management, helping you achieve compliance without lifting a finger on your side. Look for MSSPs whose solutions check as many of the boxes as possible for you when it comes to technical requirements.
  • Other options for outsourcing include Storage, Processing and Handling, all of which can partially or completely remove cardholder data from your CDE, supporting your company in reducing scope.

Selecting a Comprehensive Platform Solution over Multiple Point Products

Comprehensive Platform Approach: Since multiple tool sets often lend themselves to confusion and complexity, we've seen a shift from enterprises selecting multiple point solutions to unified, comprehensive platforms. A solution may provide adequate threat detection, for example, but does it also offer a distributed firewall, or breach response, from the same platform? Dynamic environments need a lot of attention, so using one platform instead of several to manage a whole area of compliance is invaluable when it comes to policy management and the proof process.

Continued Compliance Enhances Enterprise Security as a Whole

It’s important to facilitate an environment where compliance isn’t viewed as a hassle or even a hindrance but instead a part of having a healthy, vibrant, safe and secure enterprise. While it’s true that PCI compliance is not a be-all and end-all, these continued compliance checks when done correctly lend themselves to the improvement of the organization as a whole. Here are some examples where continued PCI compliance lends itself to overall enterprise comprehensive health:

  • Flow Visualization: If you can access a visual map of all application workloads in granular detail, you can use working towards PCI compliance to uncover underlying security issues. Proper visualization could catch ineffective oversight mechanisms, organizational silos, wasted resources, or poor architecture design. Lack of data compromises security integrity. In addition to sustaining compliance, maintaining process-level visibility keeps an accurate tab on the state of your overall security.
  • Set Policies and Rules for Cardholder Data: Intelligent rule design can protect you in case of a breach, but also helps you refine and strengthen your compliance policies. Setting and enforcing strict compliance rules using a flexible policy engine is essential. These can be higher-level best practices for security when considering larger segments, and then more specific rules for micro-segments. Of course, these need to work across your entire Network, including in hybrid environments.
  • Reduce Complexity and Maintain Control: Simplify your IT architecture with business process corrections and investment in new hardware or software, reducing costs for the business. Using a single platform for visualization, micro-segmentation, and breach detection means you don’t have to fear becoming more vulnerable to attacks or less compliant to regulations.
  • Detailed Forensics: The immediate benefits of compliance may not always be clear. Continuous monitoring and sharing of detailed actionable analytics of breach detection or resolution can improve security posture and increase awareness and appreciation of these efforts among your staff. This creates an environment where data protection and compliance are shown to have true value.

Sustainable Compliance Needs Dedication

Ensuring that your security supports continued compliance doesn’t happen without work. All areas of the business need to be on board, from business strategists to customer call representatives. Simplifying your business process through reducing scope, outsourcing, selecting comprehensive platforms over multiple point solutions and understanding how continuous PCI compliance positively affects the health of your enterprise security overall will help make it an integral part of your company culture.

What is Micro-Segmentation?

Micro-segmentation is an emerging security best practice that offers a number of advantages over more established approaches like network segmentation and application segmentation. The added granularity that micro-segmentation offers is essential at a time when many organizations are adopting cloud services and new deployment options like containers that make traditional perimeter security less relevant.

Micro-Segmentation Methods

The best way for organizations to get started with micro-segmentation is to identify the methods that best align with their security and policy objectives, start with focused policies, and gradually layer additional micro-segmentation techniques over time through step-by-step iteration.

Harness the Benefits of Micro-Segmentation

One of the major benefits of micro-segmentation is that it provides shared visibility into the assets and activities in an environment without slowing development and innovation. Implementing micro-segmentation greatly reduces the attack surface in environments with a diverse set of deployment models and a high rate of change.

The hidden costs of VLAN segmentation

Network segmentation is a simple-to-understand and effective tool for reducing the attack surface and, as a result, the risk to applications, groups of servers, and other critical IT assets. The idea is simple – instead of having a flat anyone-can-talk-to-anyone-on-any-port environment where an infected server has unlimited access to all other servers, with network segmentation you can limit the connection possibilities.


Reflections from Gartner Security Summit 2018

Last week, the GuardiCore team participated in the 2018 Gartner Security and Risk Management Summit in National Harbor, MD. This year we were honored to be named a Cool Vendor in the June 2018 Gartner report "Cool Vendors in Security for Midsize Enterprises". It is always great to get industry recognition and validation. According to Gartner, a midsize enterprise needs most, if not all, of the IT capabilities a large enterprise needs, just at a smaller scale. Our solution, GuardiCore Centra, enables organizations to easily micro-segment their environments while continuously monitoring critical systems for breaches using deception and threat intelligence-based reputation feeds, and it does so on any kind of data center environment. Protecting the core's most critical application FTW!
