The perpetrators of Advanced Persistent Threats (APTs) use unexpected, multiple, time-limited and diverse attack vectors to target nation states, industries, specific organisations and individuals. They seek to gain long-term access to, and control of, your IT infrastructure in order to reach their political, criminal and monetary goals.
These are sophisticated targeted threats, not just in terms of the technology and techniques utilised but also in the ongoing, focused and determined nature of the human controlling the APT. Their initial attack vectors are easy to alter and dynamic, making them difficult to detect. Their command and control (C&C) methodologies are often more consistent, as they are more difficult to change, and C&C traffic can be an effective identification point of APTs.
Rather than attempting the extremely difficult task of blocking all APTs without impacting the organisation’s performance, it is generally more pragmatic to accept that exposure to APTs is always present, and to focus on identifying them quickly once they are on your network and remediating promptly.
When trying to identify, defend and protect against such threats, our experience, knowledge and skills all play a powerful role in shaping effective security intervention decisions. Without robust understanding of your context, actual network traffic and content, you are left relying on making an informed guess, which may or may not prove to be correct. When APT security issues occur, network security operations professionals are instantly under pressure from their organisation to explain and resolve the problems swiftly.
So, how fast can you react to a suspected APT security anomaly as it traverses your network? And even more importantly, are you giving yourself the best chance of success when you act by ensuring that your actions are informed, appropriate and effective?
First, let’s consider the human requirements we need from the security analyst. Those responding to events need the skills to use the tools that are in place and to come up with accurate and speedy interpretations of the data. They must have an understanding of the network topology and experience of the background events on that network to provide a solid baseline from which to work. Ideally, the way in which applications use the network is thoroughly tested and documented, down to a transaction-by-transaction understanding of how each application behaves across the production network.
For those with the resources, these baselines are often generated from live monitoring of a reference or staging network. For those where such an approach is not practical, then live data from the production network is the next best thing, although recognising that it is a less predictable environment.
Armed with such real-time statistical analysis of the nature of connections on any given network link, variations from the norm are easier to spot. Automated monitoring tools can help identify these changes from the norm.
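The baseline-and-deviation approach described above, and the observation earlier in the article that command-and-control traffic tends to be more consistent than the initial attack vector, can be illustrated with a small flow-record check. The following is an added example and not code from the article or from Endace/Emulex: the flow records are constructed, the (timestamp, src, dst, dport, bytes) layout is an assumed simplification rather than any real export format, and the thresholds are illustrative. It builds a per-destination baseline from "known good" flows, then flags production connections to destinations absent from the baseline and connection series whose intervals are unusually regular (beacon-like).

```python
"""Flow-record baselining and deviation check (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known good" flows, e.g. captured on a staging network.
# Layout (assumed): (ts_seconds, src, dst, dport, bytes)
BASELINE = [
    (0,   "10.0.0.5", "10.0.1.20", 443, 5200),
    (37,  "10.0.0.5", "10.0.1.20", 443, 6100),
    (80,  "10.0.0.5", "10.0.1.20", 443, 4900),
    (150, "10.0.0.5", "10.0.1.20", 443, 5800),
    (200, "10.0.0.5", "10.0.1.20", 443, 5100),
    (5,   "10.0.0.7", "10.0.1.30", 53,  120),
    (9,   "10.0.0.7", "10.0.1.30", 53,  118),
    (14,  "10.0.0.7", "10.0.1.30", 53,  121),
    (70,  "10.0.0.7", "10.0.1.30", 53,  119),
]

# Constructed production window: normal traffic plus one host that calls out
# to an address never seen in the baseline, once a minute with little jitter.
PRODUCTION = [
    (3,   "10.0.0.5", "10.0.1.20",   443, 5300),
    (41,  "10.0.0.5", "10.0.1.20",   443, 5900),
    (90,  "10.0.0.5", "10.0.1.20",   443, 5000),
    (130, "10.0.0.5", "10.0.1.20",   443, 6000),
    (205, "10.0.0.5", "10.0.1.20",   443, 5400),
    (2,   "10.0.0.7", "10.0.1.30",   53,  120),
    (8,   "10.0.0.7", "10.0.1.30",   53,  117),
    (66,  "10.0.0.7", "10.0.1.30",   53,  122),
    (67,  "10.0.0.7", "10.0.1.30",   53,  119),
    (10,  "10.0.0.9", "203.0.113.10", 443, 310),   # 203.0.113.0/24 is a documentation range
    (70,  "10.0.0.9", "203.0.113.10", 443, 312),
    (131, "10.0.0.9", "203.0.113.10", 443, 309),
    (190, "10.0.0.9", "203.0.113.10", 443, 311),
    (250, "10.0.0.9", "203.0.113.10", 443, 310),
    (311, "10.0.0.9", "203.0.113.10", 443, 313),
]


def build_baseline(flows):
    """Summarise known-good flows per (dst, dport): connection count and mean bytes."""
    groups = defaultdict(list)
    for _ts, _src, dst, dport, nbytes in flows:
        groups[(dst, dport)].append(nbytes)
    return {key: {"count": len(v), "mean_bytes": mean(v)} for key, v in groups.items()}


def periodicity(timestamps):
    """Return (mean_interval, coefficient_of_variation) for a sorted series,
    or None when there are too few points to judge regularity."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_deviations(baseline, flows, max_cv=0.1, min_connections=4):
    """Flag connection series that are either to an unseen destination or
    suspiciously regular. Returns a list of finding dicts."""
    series = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        series[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in sorted(series.items()):
        base = {"src": src, "dst": dst, "dport": dport, "connections": len(stamps)}
        if (dst, dport) not in baseline:
            findings.append({**base, "reason": "unseen_destination"})
        stats = periodicity(stamps)
        if stats and len(stamps) >= min_connections and stats[1] <= max_cv:
            findings.append({**base, "reason": "periodic",
                             "mean_interval": round(stats[0], 1), "cv": round(stats[1], 3)})
    return findings


if __name__ == "__main__":
    for f in find_deviations(build_baseline(BASELINE), PRODUCTION):
        print(f)
```

Real deployments would derive the baseline from far more traffic and add further features (byte-size distributions, time-of-day profiles, destination reputation); the point here is that a modest amount of structured flow data, compared against a baseline from the same network, already makes a regular, low-volume outbound series stand out for an analyst to examine in the packet data.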
The final piece of the human puzzle is to ensure that you have effective workflow and processes in place for the security team. This is an important step in reducing human latency and miscommunication between team members during collaboration and task handovers.
Next, we need to collect evidence around the suspected network event. Captured packet data provides irrefutable evidence of what has occurred. Examining your network traffic before, during and after an event of interest gives you the clarity to gain an absolute understanding of what has just happened, enables you to make a truly informed intervention and increases your likelihood of an effective outcome.
Depending on the size of your network and the resources available, approaches to capturing, indexing, searching and recalling traffic vary in cost and complexity. They range from simple open source software installed on a PC and deployed on an ad-hoc basis to high-performance, dedicated, high-fidelity Intelligent Network Recording fabrics distributed across the network, capable of operating at sustained link rates of up to 100 Gb/s Ethernet.
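The capture, index and recall cycle described in the preceding two paragraphs can be shown end to end with the standard libpcap file format, which is what the open source tools mentioned above write. The following is an added example, not code from the article or from Endace/Emulex: it builds a tiny capture of constructed Ethernet/IPv4/TCP frames in memory, writes it in pcap format, parses it back with the real record layout (24-byte global header, 16-byte per-packet header), decodes the IP and TCP fields, and then recalls the packets in a time window around an event of interest. The MAC addresses, IP addresses, ports and payloads are all constructed sample values.

```python
"""Minimal pcap writer/reader with time-window recall (added example, constructed frames)."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"       # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"          # ts_sec, ts_usec, incl_len, orig_len


def build_frame(src_ip, dst_ip, sport, dport, flags=0x18, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame. Checksums are left at zero; a
    capture tool would record the real values, which this example does not need."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def write_pcap(records):
    """records: iterable of (timestamp_seconds_float, frame_bytes). Returns pcap bytes."""
    out = struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack(RECORD_HDR, sec, usec, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP headers into a dict; returns None for non-IPv4."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    info = {"src": socket.inet_ntoa(frame[26:30]),
            "dst": socket.inet_ntoa(frame[30:34]), "proto": proto}
    if proto != 6:
        return info
    tcp = 14 + ihl
    info["sport"], info["dport"] = struct.unpack_from("!HH", frame, tcp)
    info["flags"] = frame[tcp + 13]
    data_off = (frame[tcp + 12] >> 4) * 4
    info["payload"] = frame[tcp + data_off:]
    return info


def read_pcap(data):
    """Parse pcap bytes into a list of (timestamp, decoded_dict) in file order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    pos, packets = struct.calcsize(GLOBAL_HDR), []
    while pos + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(RECORD_HDR, data, pos)
        pos += 16
        frame = data[pos:pos + incl_len]
        pos += incl_len
        packets.append((sec + usec / 1_000_000, decode_frame(frame)))
    return packets


def recall_window(packets, event_ts, before, after):
    """Return packets with event_ts - before <= ts <= event_ts + after."""
    return [p for p in packets if event_ts - before <= p[0] <= event_ts + after]


# Constructed capture: internal client talks to an internal server, then
# one request goes to an external address (203.0.113.10, a documentation range).
SAMPLE_CAPTURE = write_pcap([
    (100.0, build_frame("10.0.0.5", "10.0.1.20", 51000, 443, flags=0x02)),
    (100.5, build_frame("10.0.0.5", "10.0.1.20", 51000, 443, payload=b"GET / HTTP/1.1\r\n")),
    (101.0, build_frame("10.0.0.9", "203.0.113.10", 52000, 443, payload=b"POST /c HTTP/1.1\r\n")),
    (101.2, build_frame("203.0.113.10", "10.0.0.9", 443, 52000, payload=b"HTTP/1.1 200 OK\r\n")),
    (130.0, build_frame("10.0.0.5", "10.0.1.20", 51000, 443, flags=0x11)),
])

if __name__ == "__main__":
    for ts, pkt in recall_window(read_pcap(SAMPLE_CAPTURE), event_ts=101.0, before=1, after=1):
        print(ts, pkt["src"], "->", pkt["dst"], pkt["dport"], pkt["payload"][:20])
```

A production recorder does the same three things at scale: append records with timestamps, keep an index keyed on time and the decoded five-tuple, and return the slice around an alert so the analyst sees the connection setup and the response, not only the single packet that triggered it.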
But human capabilities and solid data alone will not provide the understanding and insight required for a response. To decode packets and gain actionable insight, you’re going to need an appropriate analysis tool. Some analysis and alerting tools operate autonomously and are invaluable for automating certain processes, but they are limited to a single way of interpreting data, often relying on signatures and profiling, which cannot reasonably be expected to capture all security threats. At the same time, they may raise false positives on non-security-related events and traffic.
They do, however, play an important role in the overall security posture of organisations and provide broad coverage for the more voluminous and “easy to understand” threats. APTs, by their very nature, are tailored and often unique threats, so automated analysis alone cannot be completely effective against them. There is therefore also a need for post-event tools that let security analysts work through captured packet data iteratively, interpreting and re-interpreting it, so that decisions can be made with more confidence.
Security teams should always begin by reviewing whether they are appropriately equipped and able to execute their roles. In terms of using packet data to gain an understanding and inform interventions, the following questions can be useful to check your current capability level:
- How long would it take to get to the packets that relate to an event on your network?
- Do I have the skills to analyse those packets?
- How would I make a comparison between a potentially malicious connection and a known good one?
The answers to these will help highlight any skills, training and technical capability gaps you may have.
Automated detection, alerting and defence against APT threats through the deployment of dedicated in-line APT security appliances has a constructive role to play in your security posture, and there is a good selection available in the marketplace.
However, it is dangerous to be lulled into a false sense of security when faced with such insidious and dynamic threats. Relying solely on automated analysis and response can leave you vulnerable; APT security appliances in isolation are not enough. Only by having the evidence of exactly what has traversed your network, where and when, right down to the make-up of each and every packet, will you have a truly pervasive and entirely accurate picture of what’s occurring.
Network packet capture enables you to derive actionable insight and certainty of what’s occurring by using network packet inspection and visualization techniques. And when you’re hunting down APTs, the peace of mind of knowing exactly what you’re dealing with will be invaluable.
Matt Walmsley is senior marketing manager, EMEA, Endace division of Emulex.