Advanced persistent threats are a complex security problem, but there are two things that all APTs have in common: They are hard to detect and come into your network in unusual (often zero-day) ways. it is difficult to uncover an APT, but, once you do, the hard work really begins: finding the source of the problem, identifying the attacker and figuring out to what extent the attack has affected your organization's systems.
Discovering the actual APT attack code requires a proactive, hands-on approach involving in-depth analysis of log files, network traffic and program code. The goal is to uncover behavior indicative of APT activity: network exploration and data exfiltration. Even the best and brightest security teams may be challenged by the sophistication of some of the attacks we have seen lately, but security professionals should at least have an understanding of the methods used to carry out an APT.
The Achilles’ heel of any APT is that it has to send the data that it has collected back to a command and control server (CCS) to successfully complete its mission. This network activity, as well as the APT’s attempts to explore the network in search of data, will provide the few (if you are lucky) chances you will have to identify and halt the threat. It is therefore essential that you extensively monitor and log network traffic—in particular, outbound traffic.
By collecting and analyzing records of traffic flow, security teams can increase the chances of spotting intrusions and other potentially malicious activity. Unexpected and therefore suspicious behavior might include a desktop scanning ports or a file server sending traffic outside of the network. Activity such as this, carried out without permission, should ring alarm bells and trigger your company’s escalation procedure.
OSSEC isa free, open source host-based intrusion detection system (IDS) that can provide log analysis, file integrity checking and Windows registry monitoring. It works with event logs from a variety of firewalls, IDSes, Web servers, switches and routers to provide real-time correlation and analysis, policy monitoring and alerts. This type of tool is essential for blocking and catching malicious information-gathering processes such as port scans and brute-force attacks.
APTs most often run as a service. This allows a threat to recover from attempts to remove it while maintaining high levels of access and the ability to read the memory of other processes. It is important to perform regular manual reviews of log data to check that access control lists (ACLs) are being correctly enforced and to evaluate trends in network traffic.
An important tool in your log analysis arsenal is a network protocol analyzer tool such as Wireshark, which can either capture packet data from a live network or read packets from a previously saved capture file. Most importantly, though, you can set it up to work with specific types of traffic. This will make it quicker and easier to find what you’re looking for among reams of traffic data.
For a deeper explanation on how to track down the source of an APT -- as well as the tools and processes you need -- download the free APT report.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.