Behavior Analysis for Discovery and Countering Advanced Persistent Threats

By: Antonio Nucci

Advanced persistent threats (APTs) continue to be a major concern for network operators. In fact, last November, Enterprise Strategies Group released a study indicating that 59 percent of enterprises with at least 1,000 employees had been hit by an APT, and 72 percent believe they will be hit again. APTs are insidious by design: built to spy on a target for long periods of time, they blend in with a network's day-to-day traffic and look unremarkable, so security solutions and network operators alike dismiss them as innocuous. Given this, and the fact that the integrity of our critical networks hangs in the balance, the urgency to understand APTs and learn how best to mitigate them is palpable.

APTs 101: A Primer

Abraham Lincoln once said, "I don't like that man. I must get to know him better." Such is the case with APTs, for while mitigating them is of great importance, understanding them is equally critical if we are to stay one step ahead of cyber criminals. With that in mind, this section is dedicated to a brief education on the stages and nature of an APT attack.

A single piece of malware often has multiple characteristics. Its digital signatures can morph to evade detection. It can deploy decoys to make it appear as if an attack has been thwarted. APT attacks are sometimes waged by teams of hackers who try to infiltrate different levels of the infrastructure (for example, the network level or the host level). They use “designer” code (malware) to circumvent most common defenses, and they focus their tools and techniques on a specific target. In essence, the shotgun attacks of the past have given way to attacks that are purposeful and targeted at specific people, companies and even servers.

Understanding the stages of an APT enables an organization to address, thwart and potentially mitigate the attack. The first objective of an APT is to determine a target. The end target could be a person, a company, a government organization, or a specific server or application. Attackers will often target specific people (anyone from administrative assistants to executives) to gain entry to an organization’s network. Attackers use public search or other methods to obtain their targets’ email addresses or instant messaging handles, thereby building a profile of each target. Next, a "seed" is planted, infecting machines and networks. Common channels are emails purporting to be from eBay, PayPal or a bank, indicating a purchase, a problem with a purchase, or simply a verification of identity. A bot is then put to work and kept tenacious and persistent. This is the crafty part of the APT, as the attacker uses a variety of methods, including morphing the malware, to prevent detection. From there, the attacker can establish additional footholds in the network and on the endpoints.
