This is the last of four blogs about advanced persistent threats (APTs). In my first blog, I discussed the APT concept: stealthy threat actors who gain unauthorized access to a computer network and remain undetected for an extended period. In the second blog, I covered the first steps of the kill chain, and in the third, the final steps. As we wind down to the last installment of this series, the next question is: how do you detect an APT in your network? The key is knowing what to look for and how to spot it.
To compromise the network perimeter and move beyond it, the attacker will at some point leave traces or create anomalies. Look for patterns of behavior that are unusual from a historical standpoint, such as out-of-the-ordinary session activity. Monitoring for port scanning and discovery methods is also essential, as is looking for unusual TCP connections, particularly lateral connections and outbound encrypted connections.
Remember that there is a pattern to all types of intrusion. An attacker needs to compromise the perimeter and, unless very lucky, will not land where they need or want to be. Establishing a foothold therefore requires a series of lateral and northbound (privilege-escalating) movements, and there must be an outbound exfiltration channel for any information to leave your organization. At each of these stages the APT must diverge from normal user behavior.
Be diligent and look for these red flags:
Logon activity to new or unusual systems can be a flag, as can new or unusual session types, times and locations. Watch for jumps in activity or velocity, such as one account authenticating to many hosts in a short period.
Uncommon program executions at unusual times of the day should also be a red flag. Check for program executions at unusual times or from unusual locations, and for executions from privileged accounts rather than regular user accounts.
Another sign of trouble is an unusually high volume of access to file servers or unusual file access patterns. You should also monitor uploads to cloud-based sharing services, since these can be used to hide exfiltration in plain sight.
A variety of anomalous network activity, such as new IP addresses or secondary addresses on a host, can also be a warning sign. Unusual DNS queries should be investigated, particularly those for domains with a bad reputation or no reputation at all. Look for correlation between the above points and new or unusual network connection activity; many command and control channels first show up this way.
Another telltale sign is abnormal database access. Most users do not need to access the database directly, so keep an eye out for manipulated application calls that modify or delete sensitive data. The database environment should also be locked down by disabling the additional features that most modern databases ship with but your applications do not use, and an application proxy service should be put in front of it to prevent direct access.
The goal is to arrive at a risk score based on the aggregate of all the red flags I just mentioned; no single flag is conclusive, but several on the same host within a short window should be. We humans are woefully inefficient when we are bombarded with data and forced to pick out the essential information. How often have you heard the saying "another set of eyes"? Never manually analyze data alone. Always have another set of eyes for review.
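To make the aggregation concrete, here is an added example (not code from the original post, and not any vendor's product logic) that scores a handful of constructed events against a constructed baseline. The baseline sets, the flag weights, the 3x file-rate threshold and the sample events are all assumptions chosen for illustration; in practice the baseline comes from your own history and the weights are tuned against your false-positive rate.

```python
"""Aggregate red-flag scoring over constructed sample events.

Added example, not part of the original blog post. Each event is a dict; the
baseline (known user->host logons, business hours, known DNS domains, allowed
DB clients) is a constructed stand-in for what a SIEM would derive from history.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: what "normal" looked like over the last 90 days.
BASELINE = {
    "logons": {("alice", "WS-ALICE"), ("bob", "WS-BOB"), ("svc_backup", "FS-01")},
    "business_hours": range(8, 19),          # 08:00-18:59 local
    "known_dns": {"corp.example", "update.example"},
    "db_clients": {"APP-01"},                # only the app tier should talk to the DB
    "file_rate_per_hour": {"alice": 40, "bob": 60, "svc_backup": 5000},
}

# Weights per red flag. Constructed; tune against your own false-positive rate.
WEIGHTS = {
    "new_logon_pair": 3, "off_hours": 1, "priv_exec_off_hours": 4,
    "file_spike": 3, "unknown_dns": 2, "direct_db_access": 5,
}

def flags_for(event, baseline=BASELINE):
    """Return the red flags (from the list above) raised by one event."""
    hour = datetime.fromisoformat(event["ts"]).hour
    off_hours = hour not in baseline["business_hours"]
    flags = []
    kind = event["type"]
    if kind == "logon" and (event["user"], event["host"]) not in baseline["logons"]:
        flags.append("new_logon_pair")
    if kind == "logon" and off_hours:
        flags.append("off_hours")
    if kind == "process" and off_hours and event.get("privileged"):
        flags.append("priv_exec_off_hours")
    if kind == "file_access":
        normal = baseline["file_rate_per_hour"].get(event["user"], 0)
        if event["count"] > 3 * normal:   # more than 3x the historical hourly rate
            flags.append("file_spike")
    if kind == "dns":
        # Naive registrable-domain heuristic (last two labels); does not
        # handle public suffixes such as co.uk.
        domain = ".".join(event["qname"].rsplit(".", 2)[-2:])
        if domain not in baseline["known_dns"]:
            flags.append("unknown_dns")
    if kind == "db_query" and event["host"] not in baseline["db_clients"]:
        flags.append("direct_db_access")
    return flags

def score_hosts(events):
    """Aggregate weighted flags per host; returns {host: (score, sorted flags)}.
    Hosts that raise no flags are omitted."""
    totals = defaultdict(lambda: [0, []])
    for ev in events:
        for f in flags_for(ev):
            totals[ev["host"]][0] += WEIGHTS[f]
            totals[ev["host"]][1].append(f)
    return {h: (s, sorted(fl)) for h, (s, fl) in totals.items()}

# Constructed sample events (not real telemetry): a normal morning logon, then
# one account touching a file server at 02:40 and doing everything at once.
EVENTS = [
    {"ts": "2024-03-04T09:15:00", "type": "logon", "user": "alice", "host": "WS-ALICE"},
    {"ts": "2024-03-04T02:40:00", "type": "logon", "user": "alice", "host": "FS-01"},
    {"ts": "2024-03-04T02:42:00", "type": "process", "user": "alice", "host": "FS-01",
     "image": "powershell.exe", "privileged": True},
    {"ts": "2024-03-04T02:50:00", "type": "file_access", "user": "alice", "host": "FS-01", "count": 900},
    {"ts": "2024-03-04T02:55:00", "type": "dns", "host": "FS-01", "qname": "a8f3.cdn-sync.example"},
    {"ts": "2024-03-04T03:05:00", "type": "db_query", "user": "alice", "host": "FS-01",
     "statement": "DELETE FROM customers"},
    {"ts": "2024-03-04T10:00:00", "type": "dns", "host": "WS-BOB", "qname": "www.corp.example"},
]

if __name__ == "__main__":
    ranked = sorted(score_hosts(EVENTS).items(), key=lambda kv: -kv[1][0])
    for host, (score, flags) in ranked:
        print(f"{host}: score={score} flags={flags}")
```

Run on the sample, only FS-01 scores (18, with all six flags), while the two normal events produce nothing. The per-user file-rate baseline is deliberate: a backup service account reading thousands of files an hour is normal for it and would swamp a global threshold, which is exactly the kind of noise that makes humans miss the one host that matters.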
Mitigating APTs is no easy task; however, an IEEE 802.1aq Shortest Path Bridging (SPB) networking fabric offers three basic complementary security principles to assist you:
Traditional micro-segmentation of networks can be enhanced with a hyper-segmentation approach. First, hyper-segments are extremely dynamic and lend themselves well to the automation and dynamic service chaining that software-defined networks often require. Second, they do not rely on IP routing and therefore do not need traditional route policies or access control lists to constrain access to the segment. Together these traits make a service well suited to security automation.
APTs cannot learn much about the topology of an enterprise network by conventional port scanning and discovery techniques, because the 802.1aq fabric itself is not IP-based: it transparently extends Layer 2 connectivity regardless of physical topology or location, so a scanner sees only the hosts in its own segment, not the fabric that carries them. This lack of IP visibility, combined with hyper-segmentation, holds the user or intruder in a narrow and dark community with little or no communication capability to the outside world except through well-defined security analytic inspection points.
Because SPB establishes service paths without relying on IP routing, secure hyper-segments can be extended and retracted based on authentication and proper authorization. Hyper-segments can also be retracted in response to security analytics indicating that a system is compromised, or the suspect system can be redirected into a honeypot environment.
You are not alone in this battle. A few organizations and groups can help, free of charge, along with communities of support. The first of these is the Center for Internet Security (CIS): www.cisecurity.org. CIS publishes the CIS Controls, a prioritized set of control groups that can assist you in establishing and maintaining security best practice. CIS offers a general guide for IT practices and, just as important, a guide specific to IoT security best practices.
Another resource I highly recommend is the MITRE ATT&CK framework (and no, this is not a typo). Visit https://attack.mitre.org to learn more. Using it may seem daunting, and if you approach it the wrong way it certainly can be overwhelming. In contrast to CIS, MITRE ATT&CK offers a matrix that maps adversary groups, including APT groups, to both the malware they use and their techniques. For example, suppose you are concerned about the Russian APT group known as Cozy Bear (tracked in ATT&CK as APT29). You could map their techniques and malware, and from those their modus operandi. In the opposite scenario, say that you discover and identify malware in your network: you can map the malware back to the groups known to use it and to their other techniques. MITRE ATT&CK is highly recommended because security operations teams can use it to build incident response plans that recognize that one single plan can no longer handle all the threats.
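The two pivots just described (group to malware and techniques, and malware back to groups) are simple graph walks over the relationship objects in the ATT&CK STIX bundle. The added example below is not MITRE's tooling and not code from the original post; it uses the real bundle's object shape (intrusion-set, malware, attack-pattern and "uses" relationship objects), but the group, malware and technique names and STIX IDs in the embedded bundle are constructed placeholders, not real ATT&CK entries, so it runs offline.

```python
"""Pivoting through ATT&CK-style STIX "uses" relationships.

Added example, not MITRE's own tooling. BUNDLE is a constructed miniature in
the same shape as the enterprise-attack STIX 2.x bundle; all names and IDs
are placeholders.
"""
from collections import defaultdict

BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group One"},
        {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "Example Group Two"},
        {"type": "malware", "id": "malware--m1", "name": "ExampleRAT"},
        {"type": "malware", "id": "malware--m2", "name": "ExampleLoader"},
        {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Spearphishing Attachment (placeholder)"},
        {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "Application Layer Protocol (placeholder)"},
        {"type": "attack-pattern", "id": "attack-pattern--t3", "name": "Remote Services (placeholder)"},
        # Group -> malware and group -> technique edges.
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g1", "target_ref": "malware--m1"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g2", "target_ref": "malware--m1"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g2", "target_ref": "malware--m2"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--t3"},
        # Malware -> technique edges: what the tooling does once it runs.
        {"type": "relationship", "relationship_type": "uses", "source_ref": "malware--m1", "target_ref": "attack-pattern--t2"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "malware--m2", "target_ref": "attack-pattern--t1"},
    ],
}

class AttackGraph:
    """Forward and reverse index of 'uses' relationships in a STIX bundle."""

    def __init__(self, bundle):
        self.objs = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
        self.uses = defaultdict(set)      # source_ref -> {target_ref}
        self.used_by = defaultdict(set)   # target_ref -> {source_ref}
        for o in bundle["objects"]:
            if o["type"] == "relationship" and o.get("relationship_type") == "uses":
                self.uses[o["source_ref"]].add(o["target_ref"])
                self.used_by[o["target_ref"]].add(o["source_ref"])

    def _id_by_name(self, typ, name):
        for o in self.objs.values():
            if o["type"] == typ and o["name"] == name:
                return o["id"]
        raise KeyError(f"{typ} {name!r} not in bundle")

    def _names(self, ids, typ):
        return sorted(self.objs[i]["name"] for i in ids if self.objs[i]["type"] == typ)

    def group_profile(self, group_name):
        """Forward pivot: a group's malware and techniques, including the
        techniques its malware brings with it (one hop further)."""
        gid = self._id_by_name("intrusion-set", group_name)
        direct = self.uses[gid]
        via_malware = set()
        for ref in direct:
            if self.objs[ref]["type"] == "malware":
                via_malware |= self.uses[ref]
        return {"malware": self._names(direct, "malware"),
                "techniques": self._names(direct | via_malware, "attack-pattern")}

    def malware_attribution(self, malware_name):
        """Reverse pivot: which groups use this malware, with each group's full
        profile, to seed the incident response plan for that intrusion."""
        mid = self._id_by_name("malware", malware_name)
        return {self.objs[g]["name"]: self.group_profile(self.objs[g]["name"])
                for g in self.used_by[mid]}

if __name__ == "__main__":
    graph = AttackGraph(BUNDLE)
    print(graph.group_profile("Example Group Two"))
    print(graph.malware_attribution("ExampleRAT"))
```

On the placeholder data, finding ExampleRAT in your network attributes it to both example groups, and each group's profile tells you which other techniques to hunt for next. When you point this at the real enterprise-attack bundle, also skip objects whose `revoked` or `x_mitre_deprecated` field is true, and remember that a "uses" edge means the group has been observed using it, not that every intrusion by that group will.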
The activities that APTs use to cover their tracks constantly change. But one day, you'll catch something suspicious. Maybe it's a spike in CPU activity that no one can explain. Or it could be a file dropping onto a shared network drive. Perhaps there has been more internal traffic to an external server than usual or an unexplained deletion in a database table. Tools like MITRE ATT&CK are crucial
As you have read this APT blog series, I hope you have a better perspective of the challenge we face together. In the meantime, stay tuned for an infographic that will further visualize this topic.