Know your 'advanced persistent threat unknowns'

The perpetrators of Advanced Persistent Threats (APTs) use unexpected, multiple, time-limited and diverse attack vectors to target nation states, industries, specific organisations and individuals. They seek to gain long-term access to and control of your IT infrastructure to reach their political, criminal and monetary goals.

These are sophisticated targeted threats, not just in terms of the technology and techniques utilised but also in the ongoing, focused and determined nature of the human controlling the APT. Their initial attack vectors are easy to alter and dynamic, making them difficult to detect. Their command and control (C&C) methodologies are often more consistent, as they are more difficult to change, and C&C traffic can be an effective identification point of APTs.

Rather than the extremely difficult task of blocking all APTs without impacting the organisation’s performance, it is generally more pragmatic to accept that exposure to APT is always there and seek to quickly identify and remediate once they are identified on your network.

When trying to identify, defend and protect against such threats, our experience, knowledge and skills all play a powerful role in shaping effective security intervention decisions. Without a robust understanding of your context and of your actual network traffic and content, you are left relying on an informed guess, which may or may not prove to be correct. When APT security issues occur, network security operations professionals are instantly under pressure from their organisation to explain and resolve the problems swiftly.

So, how fast can you react to a suspected APT security anomaly as it traverses your network? And even more importantly, are you giving yourself the best chance of success when you act by ensuring that your actions are informed, appropriate and effective?

First, let’s consider the human requirements we need from the security analyst. Those responding to events need the skills to use the tools that are in place to come up with accurate and speedy interpretations of the data. They must have an understanding of the network topology and experience of the background events of that network to provide a solid baseline from which to work. Ideally, the way in which applications use the network is thoroughly tested and documented, down to a transaction-by-transaction understanding of how each application works across the production network.

For those with the resources, these baselines are often generated from live monitoring of a reference or staging network. Where such an approach is not practical, live data from the production network is the next best thing, while recognising that it is a less predictable environment.

Armed with such real-time statistical analysis of the nature of connections on any given network link, variations from the norm are easier to spot. Automated monitoring tools can help identify changes from the norm.
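As an added illustration (not the article's own code or any Endace product) of spotting variations from a baseline and of the consistency of C&C traffic mentioned earlier, the following Python compares a constructed current window of flow records against a constructed baseline window and flags source/destination pairs that are new to the baseline or contacted at near-constant intervals; all hosts, timestamps and thresholds are constructed assumptions.

```python
"""Baseline comparison and connection-regularity check over constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp_s, src, dst, bytes); not real captured traffic.
BASELINE_WINDOW = [(t, "10.0.0.5", "198.51.100.20", 4096) for t in (20, 310, 777, 1402, 2250)]

def current_window():
    flows = []
    # Irregular, browsing-like traffic to a destination already seen in the baseline.
    for i, t in enumerate((12, 47, 130, 402, 455, 980, 1503, 1611, 2040, 2899)):
        flows.append((t, "10.0.0.5", "198.51.100.20", 4000 + 37 * i))
    # Regular check-ins (every ~300 s, small jitter) to a destination absent from the baseline.
    for i, jitter in enumerate((0, 2, -1, 3, 0, -2, 1, 2)):
        flows.append((300 * (i + 1) + jitter, "10.0.0.5", "203.0.113.7", 512))
    return sorted(flows)

def unseen_pairs(baseline, current):
    """(src, dst) pairs in the current window that never appeared in the baseline."""
    known = {(s, d) for _, s, d, _ in baseline}
    return sorted({(s, d) for _, s, d, _ in current} - known)

def periodic_pairs(flows, min_conns=6, max_cv=0.15):
    """(src, dst) pairs whose inter-connection intervals are nearly constant.
    Returns {pair: mean_interval_s}. cv = stddev/mean of the gaps: automated
    check-ins tend to have a low cv, human-driven traffic a high one."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            found[pair] = round(m, 1)
    return found

def triage(baseline, current):
    """Rank pairs: new to the baseline AND periodic first, then either property alone."""
    new = set(unseen_pairs(baseline, current))
    periodic = periodic_pairs(current)
    rows = [((p in new) + (p in periodic), p, periodic.get(p)) for p in new | set(periodic)]
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    for score, pair, interval in triage(BASELINE_WINDOW, current_window()):
        print(score, pair, interval)
```

A flagged pair is a starting point for pulling the packets before, during and after the connections, not a verdict on its own.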

The final piece of the human puzzle is to ensure that you have effective workflow and processes in place for the security team. This is an important step to reduce human latency and miscommunication between team members during collaboration and task handovers.

Next, we need to collect evidence around the suspected network event. Captured packet data provides you the irrefutable evidence of what has occurred. The examination of your network traffic before, during, and after an event of interest can provide you the clarity to gain an absolute understanding of what has just happened, enable you to make a truly informed intervention and increase your likelihood of an effective outcome.

Depending on the size of your network and available resources, approaches to capture, index, search and recall captured traffic can vary in cost and complexity. They range from simple open source software installed on a PC and deployed on an ad-hoc basis to high performance, dedicated, high fidelity Intelligent Network Recording fabrics distributed across the network, capable of operating at sustained link bandwidths of up to 100 Gb/s Ethernet.

But the human capabilities and solid data alone will not provide the understanding and insight required for a response. To be able to decode packets and gain actionable insight, you’re going to need an appropriate analysis tool. Some analysis and alerting tools operate autonomously and are invaluable for automation of certain processes, but are limited to a single way of interpreting data, often relying on signatures and profiling, which cannot reasonably be expected to capture all security threats. At the same time, they may alert with false positives against non-security-related events and traffic.

They do, however, play an important role in the overall security posture of organisations and provide broad coverage for the more voluminous and “easy to understand” threats. APTs, by their very nature, are tailored, often unique threats, and automated analysis alone cannot be completely effective against them. Therefore, there is also a need for post-event tools that let security analysts work through captured packet data by iterative interpretation, allowing more confident decision-making.

Security teams should always begin by reviewing whether they are appropriately equipped and able to execute their roles. In terms of using packet data to gain an understanding and inform interventions, the following questions can be useful to check your current capability level:

  • How long would it take to get to the packets that relate to an event on your network?
  • Do I have the skills to analyse those packets?
  • How would I make a comparison between a potentially malicious connection and a known good one?

The answers to these will help highlight any skills, training and technical capability gaps you may have.

Automated detection, alerting and defence against APT threats through the deployment of dedicated in-line APT security appliances has a constructive role to play in your security posture, and there is a good selection available in the marketplace.

However, it is dangerous to be lulled into a false sense of security when faced with such insidious and dynamic threats. Reliance on automated analysis and response alone can leave you vulnerable. APT security appliances in isolation are not enough. Only by having the evidence of exactly what has traversed your network, where and when, right down to the make-up of each and every packet, will you be able to have a truly pervasive and entirely accurate picture of what’s occurring.

Network packet capture enables you to derive actionable insight and certainty of what’s occurring by using network packet inspection and visualization techniques. And when you’re hunting down APTs, the peace of mind of knowing exactly what you’re dealing with will be invaluable.

Matt Walmsley is senior marketing manager, EMEA, Endace division of Emulex.
