An Advanced Persistent Threat (APT) can be defined as an attack that maintains a high degree of stealth over a prolonged period of operation in order to achieve its objectives. Those objectives therefore typically extend beyond immediate financial gain, and compromised systems continue to be of service to the attacker even after key systems have been breached and the initial goals reached.
Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. Nart Villeneuve and James Bennett (Senior Threat Researcher) from Trend Micro provide a guide to detecting Advanced Persistent Threat (APT) activity with network traffic analysis. It can be used to identify the malware command-and-control (C&C) communications behind these attacks, and it illustrates how even the most high-profile and successful attacks of the past few years could have been discovered.
Their paper covers detecting the Remote Access Trojans used in GhostNet, the Nitro attack, the RSA breach, the Taidoor campaign, the Sykipot campaign, and more. Nart also discusses the challenges of network-based detection, specifically the two key factors that complicate it: encryption and the cloud. More than 90% of intrusions aren’t discovered by the victims themselves, but through third-party notification.
In many cases, the APT has been on the victim’s network for months or even years, exfiltrating intellectual property data, plus economic and political information. “The ability to detect APT activity at the network level is heavily dependent on leveraging threat intelligence. A variety of very successful ongoing campaigns can be detected at the network level because their communications remain consistent over time.”
To defend against such attacks you must know what your critical information is, where it resides, who has access to it, why they have access, and when they access it. Answering these questions should give you a clearer picture of the parts of your infrastructure that most need your attention. Modifications to the malware’s network communications can, however, disrupt the ability to detect them.
As such, the ongoing development of threat intelligence, based on increased visibility and information sharing, is critical to developing the indicators used to detect such activity at the network level. For advanced detection techniques based on protocol-aware detection, HTTP headers, compressed archives, timing, and size, you can read the complete paper available here:
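As an added illustration of the timing- and size-based detection the post refers to (example code written for this page, not from the Trend Micro paper), the script below flags client/host pairs whose request interval and request size stay consistent over time, the property the post says makes C&C communications detectable at the network level. The log format, hostnames, addresses and thresholds are constructed assumptions.

```python
"""Beacon-style C&C candidate detection over constructed proxy log lines.

Flags (client, host) pairs whose request timing and size barely vary,
i.e. communications that "remain consistent over time".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line: "<ISO time> <client> <host> <bytes>".
# The cdn.example-host.test requests recur every ~5 minutes with near-identical size;
# the news site requests are irregular in both timing and size (normal browsing).
SAMPLE_LOG = """\
2012-08-01T09:00:00 10.0.0.5 cdn.example-host.test 512
2012-08-01T09:00:07 10.0.0.5 www.example-news.test 14822
2012-08-01T09:05:01 10.0.0.5 cdn.example-host.test 514
2012-08-01T09:10:00 10.0.0.5 cdn.example-host.test 512
2012-08-01T09:12:44 10.0.0.5 www.example-news.test 2031
2012-08-01T09:15:02 10.0.0.5 cdn.example-host.test 513
2012-08-01T09:20:01 10.0.0.5 cdn.example-host.test 512
2012-08-01T09:31:19 10.0.0.5 www.example-news.test 90110
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, client, host, size) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, host, size = line.split()
        events.append((datetime.fromisoformat(ts), client, host, int(size)))
    return events

def cv(values):
    """Coefficient of variation: population stdev / mean (0 for an all-zero series)."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def beacon_candidates(events, min_requests=4, max_cv=0.1):
    """Return {(client, host): stats} for pairs with regular timing AND stable size."""
    by_pair = defaultdict(list)
    for ts, client, host, size in sorted(events):
        by_pair[(client, host)].append((ts, size))
    hits = {}
    for pair, reqs in by_pair.items():
        if len(reqs) < min_requests:          # too few samples to judge regularity
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        sizes = [s for _, s in reqs]
        if cv(gaps) <= max_cv and cv(sizes) <= max_cv:
            hits[pair] = {"requests": len(reqs),
                          "mean_gap_s": round(mean(gaps)),
                          "mean_size": round(mean(sizes))}
    return hits

if __name__ == "__main__":
    for pair, stats in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(pair, stats)
```

Legitimate software such as update checkers also beacons at fixed intervals, so this is a triage signal to be combined with the threat intelligence the post describes, not a verdict on its own.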
Source : The Hacker News