With the prevalence of Software Defined Data Centers (SDDCs), cyber-attackers have expanded the attack scope from a single target device in an SDDC (e.g., a host, virtual machine, storage array, or hypervisor) to all devices in the SDDC. The expanded attack scope may cause many enterprise and even national security issues. One of the more prevalent expanded-attack-scope strategies is the Advanced Persistent Threat (APT).
Compared to traditional simple attack strategies that typically involve specific, one-shot malicious tasks, APT is more sophisticated and more difficult to combat. Attackers behind APT have a full spectrum of intelligence-gathering techniques at their disposal, such as using social engineering to deliver malware to vulnerable SDDC assets. Once the malware has been delivered to vulnerable SDDCs, attackers stay “low and slow” to avoid detection, but continuously monitor and interact with the system to achieve malicious objectives. When faced with APT, traditional security approaches may not be sufficient to protect an SDDC.
One approach to combating APT attacks is blacklisting. Blacklisting involves comparing every application execution request to a database of signatures describing the binary of “bad” applications or their runtime behaviors in memory and, if the application to be executed matches an entry in the database, preventing the application from being executed. However, the effectiveness of blacklisting solutions, such as anti-malware solutions, in combating APT attacks is limited by the rapid growth of the “bad” software population. For example, by one account, during the 10 years from 2002 to 2012, the volume of “known-good” executable code roughly doubled from 17 million to 40 million, while the amount of “known-bad” malware increased 40 times, from 2 million to over 80 million.
The rapid growth of APT and the inefficiency of traditional blacklisting solutions have prompted security administrators to shift focus from denying the known-bad applications (i.e., traditional blacklisting) to allowing only the known-good applications (i.e., application whitelisting). Application whitelisting prevents an application from executing unless it matches an entry in the whitelist, and it has been found to be effective in combating APT. However, it can be difficult to maintain per-virtual-machine whitelists in large SDDCs.
Throughout the description, similar reference numbers may be used to identify similar elements.