Bayshore Networks founder and CEO Francis Cianfrocca continues his series on APT, with contributions and edits from M. E. Kabay, at Kabay’s Infosec Perception website. The latest publication is titled “Fighting Advanced Persistent Threat: Detection & Remediation”, and can be found here.
Where the first article centered on understanding Advanced Persistent Threats and identifying the options that might be used in defending against them, part two focuses on detecting and mitigating these attacks, and offers three key strategies that should be part of any defensive plan.
In order to reliably detect APT behaviour as it happens, it is necessary to analyse network traffic at the stream level. The most effective approach to accomplishing this is to perform continuous inline analysis of all traffic on network links which access critical servers and information resources. This approach would be equally suitable for both enterprise networks and industrial supervisory control and data acquisition (SCADA) system networks.
The Bayshore Networks white paper “Advanced Persistent Threat: From Detection to Remediation” (available with simple registration) discusses three essential elements to consider for mounting an effective APT defence:
1- Establish a pervasive network presence (sometimes called a “secure network fabric”) which requires that a protocol-inspection capability be present on all links in a complex application structure.
2- Conduct deep protocol analysis, which requires a Layer-7 analysis of protocol streams, not just packet analysis. The stream inspectors must be able to isolate all elements of a data protocol, especially those containing data inputs from clients.
3- Incorporate heuristic baselining. The application inspection system must construct a rich and multidimensional baseline of the behavioural patterns of each application, and store the baseline in a database that can be continuously added to. The database is then used to detect anomalous behaviour in real time. The detected anomalies are often indicative of APT attacks in progress.
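To make the second and third elements concrete, the following Python sketch is an added example, not code from the article or from Bayshore Networks. It assumes that stream reassembly has already happened upstream and that the inspector receives HTTP request lines (a hypothetical, simplified protocol inspector); it isolates the client-supplied elements of each request (method, path, query parameters), builds a per-path baseline of their behaviour with online statistics (the dictionary `db` stands in for the continuously updated baseline database), and then scores new requests against that baseline. The training traffic is constructed inline.

```python
"""Layer-7 stream inspection with heuristic baselining (illustrative example)."""
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical minimal request-line grammar; real inspectors parse the full protocol.
REQ_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>[^?\s]+)(?:\?(?P<query>\S*))? HTTP/1\.[01]$")


def parse_request(line):
    """Isolate the client-controlled elements of one reassembled request line."""
    m = REQ_RE.match(line)
    if not m:
        return None  # not a request line; a real inspector would treat this as a protocol anomaly
    params = {}
    for kv in filter(None, (m.group("query") or "").split("&")):
        key, _, value = kv.partition("=")
        params[key] = value
    return {"method": m.group("method"), "path": m.group("path"), "params": params}


@dataclass
class Stats:
    """Running mean/variance (Welford) so the baseline can be extended indefinitely."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x):
        if self.n < 2:
            return 0.0
        sd = math.sqrt(self.m2 / (self.n - 1))
        if sd == 0:
            return 0.0 if x == self.mean else float("inf")  # constant feature: any deviation is anomalous
        return abs(x - self.mean) / sd


@dataclass
class Baseline:
    """Multidimensional profile of one application endpoint."""
    methods: set = field(default_factory=set)
    param_names: set = field(default_factory=set)
    param_len: dict = field(default_factory=lambda: defaultdict(Stats))
    param_nonalnum: dict = field(default_factory=lambda: defaultdict(Stats))


def _nonalnum(value):
    return sum(not c.isalnum() for c in value)


def learn(db, req):
    """Add one observed request to the baseline database."""
    b = db[req["path"]]
    b.methods.add(req["method"])
    for key, value in req["params"].items():
        b.param_names.add(key)
        b.param_len[key].update(len(value))
        b.param_nonalnum[key].update(_nonalnum(value))


def score(db, req, z_threshold=3.0):
    """Return the list of anomalies this request shows against the learned baseline."""
    if req["path"] not in db:
        return ["unseen path"]
    b = db[req["path"]]
    findings = []
    if req["method"] not in b.methods:
        findings.append(f"unseen method {req['method']}")
    for key, value in req["params"].items():
        if key not in b.param_names:
            findings.append(f"unseen parameter {key}")
            continue
        if b.param_len[key].zscore(len(value)) > z_threshold:
            findings.append(f"length outlier in {key}")
        if b.param_nonalnum[key].zscore(_nonalnum(value)) > z_threshold:
            findings.append(f"character-mix outlier in {key}")
    return findings


def build_baseline():
    """Constructed training traffic: 200 ordinary lookups against one endpoint."""
    db = defaultdict(Baseline)
    for i in range(200):
        line = f"GET /api/orders?id={7 + i * 53}&fmt=json HTTP/1.1"
        learn(db, parse_request(line))
    return db


if __name__ == "__main__":
    db = build_baseline()
    for line in ["GET /api/orders?id=4217&fmt=json HTTP/1.1",
                 "GET /api/orders?id=" + "9" * 40 + "&fmt=json HTTP/1.1",
                 "POST /api/orders?id=4217&fmt=json&debug=1 HTTP/1.1"]:
        print(line, "->", score(db, parse_request(line)) or "normal")
```

The baseline here is deliberately multidimensional (accepted methods, known parameter names, length and character-mix distributions per parameter) rather than a single signature, which is what lets the third request above be flagged on two independent axes while the first, ordinary lookup passes cleanly. In practice the same `learn` call keeps running on production traffic so that the database grows with the application, and the threshold is tuned per endpoint.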
Read the whole article HERE.