Behavior Analysis for Discovery and Countering Advanced Persistent Threats
Behavior Analysis: Sniffing Out Attacks in Disguise
Many operators rely on traditional defenses like firewalls and intrusion detection system/intrusion prevention (IDS/IPS ) systems to protect critical networks, and, before we go any further, it's worth noting that these solutions are more than adequate for detecting known threats. This is because when operators know what the network signature of a given piece of malware looks like, it’s reasonably straightforward to find.
But cyber criminals are crafty. They evaluate their defenders’ responses and defenses and escalate their attack techniques accordingly. The threats are no longer static and constrained. This is why relying on traditional defenses to protect data from open ports or operating system vulnerabilities is no longer enough. Rather, obtaining real and actionable information is critical: being able to detect continual attempts to infiltrate a network, find infected hosts and enable security operations to execute forensics.
Given these requirements, behavioral analysis emerges as the best approach. Rather than looking for known threats (like traditional systems do), behavior analysis looks at all the traffic, tracking seemingly innocuous patterns (that may not necessarily be a red flag) in a network and pinpointing an APT. For example, tracking the average size of inbound and outbound emails will aid in discovering if an email is potentially infected, thus advising the recipient to not open it. Accuracy is improved by looking at a large number of sessions over a long period of time. By tracking and trending common L7 elements, the anomalies essentially "jump" out. These behavior analysis tactics, along with being familiar with your network and its patterns, will mean a higher chance at uncovering an APT.
A Group Effort
While behavioral analysis is a good start, there is no single solution on its own that is adequate to protect against APTs. Forensic analysis vendors and security and event management (SEM) vendors can provide part of the solution, but there is no one company that can provide a singular technical solution. Moreover, technology alone is inadequate. Computer security, systems integrator and consulting firms provide services, products and education to commercial and federal clients, and can provide
