Protecting the crown jewels: the dawn of deep learning and server-specific security

This is a contributed piece from Matt Boddy, security specialist, Sophos

Servers are often the crown jewels in the IT estate of any business. They typically hold the most sensitive material: personally identifiable information (PII), banking, tax, payroll and other financial records, proprietary intellectual property and shared applications. And of course, a compromised server offers wide access throughout the network, often at sysadmin level.

As a result, they are a bigger target with a richer pay off, so cybercriminals have different motivations when attacking servers compared to more ‘traditional’ endpoints. They can be considered the bullseye for the successful cybercriminal.


The server threat landscape

The threat landscape continues to change on a daily basis. Threats are getting more sophisticated as cybercriminals perfect what they are doing: they are refining and reusing techniques and then going for bigger targets, which means servers are under increased attack. Active adversaries armed with persistent attack techniques move laterally, but methodically, through systems to reach data and applications on targeted servers.

According to SophosLabs, two main server attack scenarios are:

Data theft – Servers are often the final destination of an attack hoping to steal sensitive company information. This may be put to use in later spear-phishing attacks, or simply for exposure or resale on the Dark Web. All three can cause extensive damage to an organization.

Exponential damage – Because servers so often contain mission-critical data and are the daily "workhorse" of businesses, a ransomware attack or malware infection could devastate an organization far more than, say, a laptop in the field.

To these threats we can add the new challenge of large, industrial scale cryptojacking. Attackers use breached servers as proxies to redirect traffic to malicious websites and install cryptominers on server farms and cloud accounts.  These then generate crypto-currencies at scale by stealing a company’s CPU, RAM, electricity, and other resources.

But perhaps most worrying is that we have seen access to compromised servers for sale on the Dark Web, in addition to the poached data itself. Imagine a permanently open door to a room containing your most important business information and you can start to see the scope of the threat.

The fact that cybercriminals assess how servers are used, what’s stored there and what can be leveraged for multiple crimes, demonstrates the critical need for server-specific security.


Server-specific security

It is often a mistake to believe that because servers are a bigger target, they are better protected. Servers are susceptible to advanced ransomware, credential theft, never-before-seen malicious code, and hacker techniques that allow an adversary to remain persistent within the network.

However, the biggest threat to servers is not an absence of any security, but the suitability of the security that is put in place.  It’s not enough to simply install endpoint protection on servers because they demand additional sets of tools and features that are not available on typical endpoint security solutions. Assuming endpoint security works for servers is a bad idea.

Nowhere is this server-specific demand more important than when it comes to zero-day attacks, i.e. attacks that have never been seen before. SophosLabs research indicates that 75 percent of malware found in an organization is unique to that organization, indicating that the majority of malware is previously unknown. Furthermore, a recent Sophos survey reveals that two-thirds of IT managers worldwide don't understand what anti-exploit technology is. A previously unknown threat hitting a server whose defenders do not understand exploit protection can therefore be lethal to a business.

So how can businesses look to defend themselves against smarter crooks launching unknown attacks at a more exposed and greater value target? 


Deploying deep learning

Deep learning neural networks are trained on hundreds of millions of samples to look for suspicious attributes of malicious code and prevent never-before-seen malware attacks.  This provides not only a constantly evolving protection but can be made specific to servers, even protecting workloads in the cloud. 

Other server-specific points include:

Recognizing the active state of your adversary: The technology must work to block determined cybercriminals using refined and persistent techniques that can evade traditional anti-virus protection. This goes all the way up to protecting against credential theft, which could see the loss or compromise of passwords from memory, the registry and local storage. At the very top end, businesses may need to detect the presence of malicious code injected into legitimate applications.

Upgrade your exploit protection: Obviously a business must begin by preventing an attacker from leveraging known vulnerabilities, but browser, plugin or Java-based exploit kits can be defended against even when servers are not fully patched.


Learn from the past attacks

Following the refined SamSam ransomware attacks, we've seen targeted attacks that exploit vulnerabilities and guess weak passwords wreak havoc in organizations across the world. In one instance, even with a response time of 50 minutes from the initial infection, over 6,000 machines were encrypted, 1,200 of them servers. The lessons to be learnt from these recent targeted attacks are:

  • Lock down RDP from outside of your organization: scan your external-facing IP addresses for TCP and UDP port 3389 being open. If either is, find out which machine has RDP available to the world and lock it down
  • Use advanced security to prevent unwanted applications running on your server
  • Use security solutions that can talk to each other to automate incident response. This could bring your incident response times down from minutes to seconds
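The first lesson above is easy to turn into a routine check. The script below is an added example written for this piece, not Sophos tooling: it performs a TCP connect check against port 3389 on a list of addresses and reports any that complete a handshake. The address list is a constructed placeholder from the RFC 5737 documentation range; replace it with your own public ranges. It covers only the TCP transport; RDP's UDP transport on the same port number needs a protocol-specific probe (for example `nmap -sU -p 3389`) because an unanswered UDP packet proves nothing.

```python
"""Report which external addresses accept TCP connections on the RDP port.

Added example (not part of the original article). TCP connect check only;
UDP 3389 is not covered and should be probed with a UDP-aware scanner.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List

RDP_PORT = 3389


def tcp_port_open(host: str, port: int = RDP_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP three-way handshake completes with host:port.

    A completed handshake means something is listening there (a firewall
    passing the connection through, or the host itself); a refusal, timeout
    or DNS failure all count as 'not exposed' for this check.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def find_exposed_rdp(hosts: Iterable[str], port: int = RDP_PORT,
                     timeout: float = 2.0, workers: int = 32) -> List[str]:
    """Return the sorted subset of hosts that accept TCP connections on port."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, tcp_port_open(h, port, timeout)), hosts)
    return sorted(h for h, is_open in results if is_open)


if __name__ == "__main__":
    # Constructed placeholder addresses (RFC 5737 TEST-NET-3); substitute
    # the public ranges your organization actually owns.
    EXTERNAL_HOSTS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    exposed = find_exposed_rdp(EXTERNAL_HOSTS)
    if not exposed:
        print("No address accepted a TCP connection on port 3389")
    for h in exposed:
        print(f"RDP reachable from the internet: {h}:{RDP_PORT} - "
              "trace the NAT/firewall rule to the internal host and restrict it")
```

Run it from outside your own network (a cloud VM or a home connection), since a scan from inside the perimeter says nothing about what the internet can reach. When an address is reported, the edge firewall's port-forward or NAT rules tell you which internal machine is actually answering; that is the host to restrict to VPN-only access or a bastion.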

And if the worst does happen, businesses need detection and incident response technology that provides forensic detail of how the attack got in, where it went, and what it touched. Intelligent security then provides recommendations on what to do next after an analysis of the attack.


In an age of headlines about lost laptops, misplaced mobiles and the occasional desktop compromise, it is all too easy for businesses to forget the crown jewels sitting in the data centre. But crooks will not make such an oversight, and they will exploit any weakness to secure such prized data and access. IT security must address server-specific issues, and quickly.

