WHY AREN’T THEY DETECTED?
By design, the malware used in APT campaigns keeps a low profile: it is built to evade detection so that it can ‘persist’ without being stopped. The ‘most significant commonality of APT malware is that it hides in plain sight,’ writes Wendi Rafferty in her blog. ‘It avoids detection by using common network ports, process injection and Windows service persistence. Every piece of APT malware catalogued by MANDIANT initiated only outbound network connections.’
APTs are a new problem for many security systems because, traditionally, those systems focus on external threats and are built from several point solutions, each bought to counter a particular threat. Most rely on signatures and rules, perimeter security, access controls, packet filtering and content monitoring, none of which is particularly good at finding custom-built beaconing Trojans or covert exfiltration channels: there is no signature for a Trojan written for one target, and its traffic leaves on the same ports the organisation already allows out. Rumour has it that it was RSA’s inability to detect beaconing that prompted it to buy NetWitness, which offered specific tools in this area.
Beaconing is actually a misnomer: it is more like a short flash than a lighthouse, like a spy dropped into enemy territory who uses signals sparingly to avoid detection. The Trojan’s masters don’t need a broadcast; a brief, infrequent check-in is enough, and soon they are shipping extra instructions and malware tools through the backdoor they have established, which remains open and undetected.
Data Loss Prevention (DLP) and Content Monitoring and Filtering systems also tend to be rules-based, that is, they have to be told what to look for, so they are of little use when the malware operates under the credentials of a legitimate user who is entitled to access the data. And since APTs either encrypt the data before copying it, or move it over SSL-encrypted channels or covert peer-to-peer tunnels, content filtering cannot see what is leaving either.
WHAT CAN YOU DO?
Most organisations apply ‘defence in depth’ principles using layers of cyber security, but often these layers and point solutions are independent and do not relate to one another. The result is silos of security information that cannot be integrated into an overall picture of enterprise security. Effective threat analysis then fails because the data needed for full event correlation (particularly the outliers) cannot easily be brought together. Only small pieces of the APT are detected, the DLP system sees only part of the picture, and security staff can easily miss the data that is being stolen. So the theft persists, undetected.
The crucial element in combating APT campaigns is the ability to see the disparate parts of the attack in the context of a single security challenge. That requires an intelligent, proactive Security Information & Event Management (SIEM) system which can bridge the information silos and give security staff complete visibility and threat intelligence.
In practice, this means a system that can:
• Monitor and interpret every network device and connection in real time, not just some of them;
• Detect events that are unusual or anomalous, even if they are low level, distributed and discrete;
• Provide a single console view of the entire network to see all events in real time;
• Integrate all point solutions and consolidate their data into one addressable repository for immediate analysis of all, not just some, security events; and
• Analyse continuously so security staff can join the dots between events to see the extent, context and severity of the threat, in real time.
This is what our intelligent SIEM technology, Huntsman®, was designed to do.
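The two points above, spotting a ‘short flash’ beacon that signature-based tools miss and joining it to the low-level events other point solutions see in isolation, can be shown in a few lines of detection logic. The following is an added example written for this page; it is not Huntsman code or any vendor’s product logic. It relies on one property of beacons the text alludes to, that they check in sparsely but at a steady cadence, so the timing of a host’s outbound connections gives them away even when the content is encrypted and the port is an allowed one. The proxy, endpoint and DLP log formats, host names, addresses, thresholds and the 24-hour look-back window are all assumptions; the log lines are constructed for the example (Windows Event ID 7045, a new service installed, is the one real identifier used).

```python
"""Beaconing detection plus cross-source correlation over constructed logs.

Added example, not code from the page or from Huntsman. Log formats, hosts,
addresses and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed outbound-connection log from a proxy/firewall.
# Assumed format: "<timestamp> <src_host> <dst_ip>:<port> <bytes_out>".
# 203.0.113.7 is contacted every ~10 minutes with small, similar payloads;
# 198.51.100.20 is ordinary, irregular browsing traffic on the same port.
PROXY_LOG = """\
2024-03-01T09:00:00 ws-042 203.0.113.7:443 312
2024-03-01T09:00:05 ws-042 198.51.100.20:443 54120
2024-03-01T09:10:02 ws-042 203.0.113.7:443 298
2024-03-01T09:12:40 ws-042 198.51.100.20:443 1220
2024-03-01T09:19:58 ws-042 203.0.113.7:443 305
2024-03-01T09:30:01 ws-042 203.0.113.7:443 310
2024-03-01T09:31:15 ws-042 198.51.100.20:443 8800
2024-03-01T09:40:03 ws-042 203.0.113.7:443 299
2024-03-01T09:49:59 ws-042 203.0.113.7:443 301
"""

# Constructed endpoint log. Windows writes Event ID 7045 to the System log
# when a new service is installed; the line layout itself is assumed.
ENDPOINT_LOG = """\
2024-03-01T08:41:12 ws-042 7045 service=WinHlpSvc path=C:\\ProgramData\\svchost.exe
2024-03-01T08:55:30 ws-017 7045 service=BackupAgent path=C:\\Program Files\\Backup\\agent.exe
"""

# Constructed DLP log: one low-confidence partial match that, seen on its
# own, would never be escalated (assumed format).
DLP_LOG = """\
2024-03-01T09:31:14 ws-042 partial_match policy=customer_pii confidence=low
"""


def _ts(s):
    return datetime.fromisoformat(s)


def parse_proxy(text):
    """Parse the assumed proxy format into connection records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        ip, port = dst.rsplit(":", 1)
        conns.append({"ts": _ts(ts), "host": host, "dst": ip,
                      "port": int(port), "bytes": int(nbytes)})
    return conns


def parse_events(text, kind):
    """Parse '<timestamp> <host> <rest>' lines from another point solution."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, rest = line.split(maxsplit=2)
        events.append({"ts": _ts(ts), "host": host, "kind": kind, "detail": rest})
    return events


def find_beacons(conns, min_hits=4, max_cv=0.1):
    """Flag (host, dst) pairs whose connection gaps are near-constant.

    cv is stdev/mean of the inter-connection gaps: a beacon with a fixed
    sleep (plus a little jitter) scores close to 0, human traffic does not.
    Content and port are never inspected, which is the point.
    """
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["host"], c["dst"])].append(c["ts"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons[pair] = {"hits": len(times), "mean_interval": avg, "cv": cv,
                             "first": times[0], "last": times[-1]}
    return beacons


def correlate(beacons, events, lookback=timedelta(hours=24)):
    """Join each beacon to events from other sources on the same host.

    Events in the look-back window before the first beacon (e.g. the service
    that installed the implant) up to the last beacon are attached; severity
    rises with the number of independent sources that agree.
    """
    incidents = []
    for (host, dst), b in beacons.items():
        start = b["first"] - lookback
        related = [e for e in events
                   if e["host"] == host and start <= e["ts"] <= b["last"]]
        kinds = {"beacon"} | {e["kind"] for e in related}
        incidents.append({"host": host, "dst": dst, "evidence": sorted(kinds),
                          "severity": len(kinds), "events": related})
    return sorted(incidents, key=lambda i: -i["severity"])


def run():
    conns = parse_proxy(PROXY_LOG)
    events = (parse_events(ENDPOINT_LOG, "service_install")
              + parse_events(DLP_LOG, "dlp_partial_match"))
    beacons = find_beacons(conns)
    return beacons, correlate(beacons, events)


if __name__ == "__main__":
    found, incidents = run()
    for (host, dst), b in found.items():
        print(f"beacon {host} -> {dst}: {b['hits']} hits, "
              f"every {b['mean_interval']:.0f}s, cv={b['cv']:.3f}")
    for inc in incidents:
        print(f"incident {inc['host']} -> {inc['dst']}: severity {inc['severity']}, "
              f"evidence={inc['evidence']}")
```

Run on its own, the script reports one beacon (ws-042 to 203.0.113.7, six hits roughly 600 seconds apart) and one incident of severity 3: the beacon, the unsigned-looking service installed on that host twenty minutes before the first check-in, and the low-confidence DLP match on the same host, none of which would have crossed an alerting threshold in its own silo. The thresholds (four hits, cv of 0.1) are a starting point, not tuning advice; real implants add jitter and sleep for longer, so production logic would work over hours or days and baseline each host’s normal destinations first.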