Where the primary focus of the first article centered on understanding Advanced Persistent Threats and identifying potential options for defending against them, part two focuses on detecting and mitigating these types of attacks. Three key strategies are offered that should be part of any plan:
In order to reliably detect APT behaviour as it happens, it is necessary to analyse network traffic at the stream level. The most effective approach to accomplishing this is to perform continuous inline analysis of all traffic on network links which access critical servers and information resources. This approach would be equally suitable for both enterprise networks and industrial supervisory control and data acquisition (SCADA) system networks.
The Bayshore Networks white paper “Advanced Persistent Threat: From Detection to Remediation” (available with simple registration) discusses three essential elements to consider for mounting an effective APT defence:
1- Establish a pervasive network presence (sometimes called a “secure network fabric”) which requires that a protocol-inspection capability be present on all links in a complex application structure.
2- Conduct deep protocol analysis, which requires a Layer-7 analysis of protocol streams, not just packet analysis. The stream inspectors must be able to isolate all elements of a data protocol, especially those containing data inputs from clients.
3- Incorporate heuristic baselining. The application inspection system must construct a rich and multidimensional baseline of the behavioural patterns of each application, and store the baseline in a database that can be continuously added to. The database is then used to detect anomalous behaviour in real time. The detected anomalies are often indicative of APT attacks in progress.
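As an added illustration of the heuristic-baselining element (this is example code, not Bayshore's product or the white paper's own material), the following builds a per-application baseline from Layer-7 stream records and scores new records against it. It assumes a stream inspector has already isolated the method, path, client-supplied parameter names and body size from each request; the records are constructed sample data, and the baseline is updated incrementally so it can keep growing as traffic is observed.

```python
import math
from collections import defaultdict

# Constructed Layer-7 stream records for one application, in the shape a stream
# inspector might emit after isolating method, path, client-supplied parameter
# names and body size from each request (sample data, not real traffic).
TRAINING = [
    {"app": "payroll", "method": "GET", "path": "/employee", "params": {"id"}, "body_len": 0},
    {"app": "payroll", "method": "GET", "path": "/employee", "params": {"id"}, "body_len": 0},
    {"app": "payroll", "method": "GET", "path": "/employee", "params": {"id"}, "body_len": 0},
    {"app": "payroll", "method": "POST", "path": "/employee", "params": {"id", "name", "salary"}, "body_len": 180},
    {"app": "payroll", "method": "POST", "path": "/employee", "params": {"id", "name", "salary"}, "body_len": 200},
    {"app": "payroll", "method": "POST", "path": "/employee", "params": {"id", "name", "salary"}, "body_len": 190},
]

def new_baseline():
    # Per (app, method, path): the parameter names seen from clients, plus a
    # running count/mean/M2 of body sizes (Welford's method) so the baseline
    # can be added to continuously without storing every record.
    return {"params": defaultdict(set), "len": defaultdict(lambda: [0, 0.0, 0.0])}

def learn(baseline, rec):
    key = (rec["app"], rec["method"], rec["path"])
    baseline["params"][key] |= rec["params"]
    n, mean, m2 = baseline["len"][key]
    n += 1
    delta = rec["body_len"] - mean
    mean += delta / n
    m2 += delta * (rec["body_len"] - mean)
    baseline["len"][key] = [n, mean, m2]

def score(baseline, rec, z_limit=3.0):
    """Return the reasons a record deviates from the baseline ([] if none)."""
    key = (rec["app"], rec["method"], rec["path"])
    if key not in baseline["params"]:
        return ["unknown endpoint %s %s" % (rec["method"], rec["path"])]
    reasons = []
    unseen = rec["params"] - baseline["params"][key]
    if unseen:
        reasons.append("unseen client parameters: " + ",".join(sorted(unseen)))
    n, mean, m2 = baseline["len"][key]
    if n >= 2:
        sd = math.sqrt(m2 / (n - 1))
        dev = abs(rec["body_len"] - mean)
        # With no spread in the baseline, any different size is an outlier.
        if (sd == 0 and dev > 0) or (sd > 0 and dev / sd > z_limit):
            reasons.append("body length %d outside baseline" % rec["body_len"])
    return reasons

BASELINE = new_baseline()
for r in TRAINING:
    learn(BASELINE, r)
```

A real deployment would key the baseline on many more dimensions (client identity, time of day, response codes) and feed `score` from the inline inspector so anomalies are reported as the stream is observed.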
The paper takes a much-needed closer look at Advanced Persistent Threat, or APT, which “has received a great deal of attention in recent months”. The reason for this, according to the paper, is “due, in large part, to a spate of highly-publicized successful attacks against the information assets of major enterprises and corporations. Much of the recent focus on APT has come as a result of the RSA breach, believed to be an APT-style attack, which led directly to a handful of serious attacks “down-line” within several of RSA’s major enterprise customers”:
“Most approaches to firewalling (selective blocking and/or modification of traffic at the network level) are aimed at detecting and blocking unauthorized traffic. The strategy for APT firewalling is necessarily different, however, because it aims to detect threats that use legitimate traffic.
The current approach is to detect a breach and shut down compromised endpoints or inhibit the foot-printing and attack activities against the applications themselves. Remediation through endpoint clean-up is favoured by most of the relatively few organizations that are seriously addressing this problem because it’s simple and straightforward; periodic sweeps of the endpoints in a network seek to identify computers in which critical system files have been modified or rogue processes are running and, if found, these hosts are taken offline and rebuilt or replaced.
Although straightforward, this approach is fundamentally reactive; it relies on static analysis, and operates out of band. A better approach is to combine endpoint analysis with a proactive approach that can detect APT behaviour in real time and selectively report, obfuscate, or even block the behaviour.”