Advanced Persistent Threat Detection

Minimize Damage from Advanced Persistent Threats

Data breaches attributed to Advanced Persistent Threats (APTs) continue to make headlines when they involve large, well-known entities (large corporations, governments, etc.) and/or result in the exfiltration of sensitive data. However, APTs also frequently target the valuable data found in smaller networks. Often this is because smaller organizations tend to lack the technologies and security expertise to detect these types of attacks.

You Can’t Prevent a Breach

No amount of investment in preventive technologies such as UTM appliances, next-generation firewalls or sandboxing will reliably stop a dedicated, patient attacker from eventually breaching your network.

You can, however, use the detection capabilities of AspireTss Unified Security Management™ (USM) to detect an APT at every stage of the attack. Coupled with an intuitive platform, this gives you the security expertise needed to minimize the damage to your environment.

AspireTss gives you essential APT detection capabilities for each stage of an APT attack:

Identify Vulnerable Systems Being Targeted by APTs

  • Asset discovery will identify all systems on your network
  • Vulnerability assessment will prioritize the vulnerabilities that APTs exploit
  • Network IDS detects malicious traffic targeting vulnerable systems for initial compromise

Detect Communication with C&C Servers and Monitor Systems & Applications for Privilege Escalation and File Changes

  • OTX data alerts on inbound or outbound communication used for initial compromise of systems in your network, expansion to other systems, and exfiltration of data
  • Host IDS will detect privilege escalation on systems
  • Process and service monitoring identifies malicious processes that are running and critical services that have been disabled
  • File Integrity Monitoring (FIM) will detect changes to critical files

Get Alerted to Compromised Systems Before Exfiltration of Data

  • SIEM correlates alerts from all data sources to tell you who, what, where, when, and how you’re being attacked
  • Threat Intelligence from AlienVault Labs presents alarms in Kill Chain Taxonomy to tell you of the highest priority threats
  • Integrated response guidance tells you how to respond to APTs before data harvesting and exfiltration

Identify Vulnerable Systems Being Targeted by APTs

A patient, determined attacker can compromise any network. The first step in any defense against APTs is to know what systems are on your network, and what vulnerabilities exist on those systems. Attackers target unpatched and misconfigured systems to gain the foothold necessary to eventually exfiltrate regulated or confidential data.

AspireTss USM scans your network for devices and determines what vulnerabilities exist on them, using passive and active scanning techniques according to your policies and preferences. It then prioritizes the vulnerability data, telling you which vulnerabilities to address first.

USM’s built-in network IDS also detects malicious traffic attempting to exploit vulnerabilities on the targeted systems. Common malware delivery methods include email attachments disguised as everyday documents (Word files, pictures, PDFs), links to websites hosting malware, and code designed to exploit common vulnerabilities.

Preventive tools like antimalware, antispam, and web content filters can’t keep up with every new malware variant associated with today’s APT campaigns. This means that you need the ability to detect the attacker’s initial compromise of your network. AspireTss USM provides this level of insight with cross-correlation of contextual data, driven by Labs Threat Intelligence.

Detect Communication with C&C Servers and Monitor Systems & Applications for Privilege Escalation and File Changes

During an APT attack, a common first move is to compromise one of your systems to use as a base of operations for deeper infiltration of your network. The attacker then tries to reach additional systems by gaining root or administrative privileges through exploits, social engineering, or brute-force password cracking.

With threat data from OTX (Open Threat Exchange) integrated into AlienVault USM, you are alerted to a wide range of Indicators of Compromise (IoCs) in inbound or outbound communication. Because these IoCs have previously been associated with known threats, a match is evidence of potentially malicious activity in your network, anywhere from initial compromise through expansion to other systems to the exfiltration of your sensitive data. A single IoC match is a lead rather than proof: shared hosting and reused infrastructure mean the same address can carry both malicious and legitimate traffic, so IoC hits should be correlated with host-level evidence before you act on them.

In addition, Host IDS agents deployed on critical systems that store valuable data detect privilege escalation attempts as the attacker tries to gain root or administrator privileges. Once the attacker has that access, they will typically stop security-related services on the compromised system, or start unwanted services to facilitate their activity.

AlienVault USM’s built-in File Integrity Monitoring (FIM) capability monitors essential files to detect changes to critical application configurations or data files. It also detects the modification of log files, a common technique attackers use to cover their tracks and evade detection. Because log files legitimately change as entries are appended, FIM on logs must distinguish append-only growth from truncation or rewriting of existing entries; a plain whole-file hash comparison flags both the same way.
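The following is an added example of how such a file integrity check can be implemented, not code from AlienVault or Aspire Tech USM. It baselines SHA-256 hashes of a set of files, re-checks them later, and for files declared append-only (logs) separates benign growth from truncation or in-place rewriting by hashing only the baseline-length prefix on the second pass. The file names, contents and the "attacker" edits in `demo()` are constructed for illustration.

```python
"""File integrity monitoring with append-aware checks for log files.

Added example for this page, not code from AlienVault or Aspire Tech USM.
Baselines SHA-256 hashes of monitored files, re-checks them later and
classifies each change. File names and contents below are constructed.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of a file (the whole file if None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record size and full-content hash for every monitored file."""
    return {p: {"size": os.path.getsize(p), "sha256": sha256_prefix(p)} for p in paths}


def check(base, append_only=()):
    """Compare the current state of each file with its baseline record.

    Verdicts: 'unchanged', 'missing', 'modified' (config/data file changed),
    and for append-only logs: 'appended' (benign growth), 'truncated'
    (log shrank) or 'rewritten' (earlier entries changed, history tampered).
    """
    results = {}
    for path, rec in base.items():
        if not os.path.exists(path):
            results[path] = "missing"
            continue
        size = os.path.getsize(path)
        if path in append_only:
            if size < rec["size"]:
                results[path] = "truncated"
            elif sha256_prefix(path, rec["size"]) != rec["sha256"]:
                results[path] = "rewritten"  # same or larger size, but the old prefix is gone
            else:
                results[path] = "unchanged" if size == rec["size"] else "appended"
        else:
            results[path] = "unchanged" if sha256_prefix(path) == rec["sha256"] else "modified"
    return results


def _write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)


def demo():
    """Constructed scenario: a config is edited, one log grows normally, one is
    wiped, one is edited in place and one is deleted. Returns name -> verdict."""
    d = tempfile.mkdtemp()
    cfg, auth, sec, msg, old = (os.path.join(d, n) for n in
                                ("sshd_config", "auth.log", "secure.log", "messages", "old.log"))
    _write(cfg, "PermitRootLogin no\n")
    _write(auth, "Mar 1 09:00:01 host sshd[410]: Accepted publickey for ops\n")
    _write(sec, "Mar 1 09:00:02 host sudo: ops : COMMAND=/bin/ls\n")
    _write(msg, "Mar 1 09:00:03 host kernel: audit enabled\n")
    _write(old, "rotated\n")
    base = baseline([cfg, auth, sec, msg, old])

    # Simulated attacker activity after the baseline was taken.
    _write(cfg, "PermitRootLogin yes\n")                                              # config weakened
    _write(auth, "Mar 1 09:05:00 host sshd[412]: Accepted password for root\n", "a")  # normal growth
    _write(sec, "")                                                                    # log wiped
    _write(msg, "Mar 1 09:00:03 host kernel: audit disabld\n")                         # entry edited, same size
    os.remove(old)
    return {os.path.basename(p): v for p, v in check(base, append_only={auth, sec, msg}).items()}
```

Two points of design: the baseline must be stored off the monitored host, because an attacker with root can rewrite it as easily as the files it describes; and the prefix-hash trick re-reads the log up to its baseline length on every check, which is acceptable for periodic scans but not a substitute for kernel-level change notification (inotify, auditd) on busy systems.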

Get Alerted to Compromised Systems Before Exfiltration of Data

One challenge IT teams of all sizes face is sifting through mountains of log data to detect the signs of an APT campaign before data exfiltration occurs. AlienVault USM’s built-in SIEM capability aggregates and correlates event data from all of the platform’s data sources, as well as third-party tools, in one management console.

The integrated Threat Intelligence from AlienVault Labs correlates the events from disparate sources to alert you to the highest priority threats facing your network today, including those related to Advanced Persistent Threats. With over 2,000 correlation rules pre-built into the AlienVault USM platform, you can spend your time responding to specific threats instead of researching the significance of a particular event. The Kill Chain Taxonomy makes it easy to focus your response on the most critical threats, showing you who, what, where, when, and how you’re being attacked, as well as the attacker’s likely intent, so that you can combat APTs at every stage.
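To make the OTX-style IoC matching described earlier and the multi-source correlation described here concrete, the block below is an added example, not AlienVault, OTX or Aspire Tech code. It maps constructed events from four sensors (network IDS, host IDS, FIM and flow records) onto an assumed five-stage kill-chain taxonomy, matches outbound flows against a constructed IoC list (documentation-range IP address and example domain), and raises an alarm only for a host that shows activity in at least two stages inside a time window, reporting who, what, where, when and how. The taxonomy names, the keyword rules, the exfiltration byte threshold and the event format are all assumptions made for the example.

```python
"""Kill-chain correlation over events from several sensors.

Added example, not AlienVault/OTX/Aspire USM code. The event format, the
IoC feed, the keyword rules and the five-stage taxonomy are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Assumed kill-chain taxonomy, ordered from earliest to latest stage.
STAGES = ["Delivery & Attack", "Exploitation & Installation",
          "Command & Control", "Privilege Escalation", "Exfiltration"]
RANK = {s: i for i, s in enumerate(STAGES)}

# Constructed IoC feed (RFC 5737 documentation IP, example domain), not real OTX data.
IOCS = {"ip": {"203.0.113.45": "Command & Control"},
        "domain": {"cdn-update.example.net": "Command & Control"}}

EXFIL_BYTES = 50 * 1024 * 1024  # assumed threshold for a "bulk outbound transfer"

# Assumed mapping from sensor messages to stages: (source, substring, stage).
RULES = [
    ("nids", "malicious document", "Delivery & Attack"),
    ("hids", "spawned by winword", "Exploitation & Installation"),
    ("hids", "Administrators group", "Privilege Escalation"),
    ("hids", "sudoers", "Privilege Escalation"),
    ("fim", "log cleared", "Privilege Escalation"),
]

# Constructed events; timestamps are ISO 8601 strings in one time zone.
EVENTS = [
    {"src": "nids", "ts": "2022-03-01T09:02:10", "host": "ws-14", "msg": "malicious document download"},
    {"src": "hids", "ts": "2022-03-01T09:03:40", "host": "ws-14", "msg": "new process spawned by winword.exe"},
    {"src": "flow", "ts": "2022-03-01T09:04:05", "host": "ws-14", "dir": "out",
     "dst_ip": "203.0.113.45", "domain": "cdn-update.example.net", "bytes": 2048},
    {"src": "hids", "ts": "2022-03-01T10:17:00", "host": "ws-14", "msg": "user added to local Administrators group"},
    {"src": "fim", "ts": "2022-03-01T10:18:30", "host": "ws-14", "msg": "security event log cleared"},
    {"src": "flow", "ts": "2022-03-01T23:40:00", "host": "ws-14", "dir": "out",
     "dst_ip": "203.0.113.45", "domain": "", "bytes": 180 * 1024 * 1024},
    # Second host: one phishing alert and ordinary intranet traffic, no follow-on activity.
    {"src": "nids", "ts": "2022-03-01T11:00:00", "host": "ws-07", "msg": "malicious document download"},
    {"src": "flow", "ts": "2022-03-01T11:01:00", "host": "ws-07", "dir": "out",
     "dst_ip": "198.51.100.9", "domain": "intranet.example.com", "bytes": 900},
]


def indicators(ev):
    """IoC values that matched in this event (the 'who')."""
    return {v for v in (ev.get("dst_ip"), ev.get("domain"))
            if v in IOCS["ip"] or v in IOCS["domain"]}


def stage_of(ev):
    """Map one raw event to a kill-chain stage, or None if it is not interesting."""
    if ev["src"] == "flow":
        if ev.get("dir") != "out" or not indicators(ev):
            return None                      # ordinary traffic, ignored
        if ev.get("bytes", 0) >= EXFIL_BYTES:
            return "Exfiltration"            # bulk upload to a known-bad host
        return IOCS["ip"].get(ev.get("dst_ip")) or IOCS["domain"].get(ev.get("domain"))
    for src, needle, stage in RULES:
        if ev["src"] == src and needle in ev.get("msg", ""):
            return stage
    return None


def correlate(events, window_hours=24, min_stages=2):
    """Group staged events per host inside a time window; alarm on multi-stage activity."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))
    alarms = {}
    for host, items in by_host.items():
        start = items[0][0]
        window = [it for it in items if (it[0] - start).total_seconds() <= window_hours * 3600]
        stages = sorted({s for _, s, _ in window}, key=RANK.get)
        if len(stages) < min_stages:
            continue                         # a lone alert is an event, not an alarm
        who = set().union(*(indicators(ev) for _, _, ev in window))
        alarms[host] = {
            "where": host,
            "what": stages[-1],              # furthest stage reached
            "stages": stages,
            "who": who or {"unknown"},
            "when": (window[0][0].isoformat(), window[-1][0].isoformat()),
            "how": [f"{s}: [{ev['src']}] {ev.get('msg') or ev.get('dst_ip')}" for _, s, ev in window],
        }
    return alarms
```

The point of the `min_stages` rule is the one made above about IoC hits: ws-07 has a delivery alert but no exploitation, C2 or escalation evidence, so it stays an event for triage rather than an alarm, while ws-14 progresses through all five stages and is reported with the C2 address and domain as the "who". In a real deployment the rules table, the threshold and the window are tuned per environment, and the IoC set is refreshed from the feed rather than embedded.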

Advanced Persistent Threats

If you know how they work, you can learn how to stop them

From cyber criminals who seek personal financial information and intellectual property to state-sponsored attacks designed to steal data and compromise infrastructure, today’s advanced persistent threats (APTs) can sidestep cyber security efforts and cause serious damage to your organization. A skilled and determined adversary can use multiple vectors and entry points to navigate around defenses, breach your network in minutes and evade detection for months, which makes APTs a distinct challenge for organizational cyber security.

The six steps of an APT attack

To improve your cyber security and successfully prevent, detect, and resolve advanced persistent threats, you need to understand how APTs work:

  1. The cyber criminal, or threat actor, gains entry through an email, network, file, or application vulnerability and inserts malware into an organization's network. The network is considered compromised, but not yet breached.
  2. The advanced malware probes for additional network access and vulnerabilities or communicates with command-and-control (CnC) servers to receive additional instructions and/or malicious code.
  3. The malware typically establishes additional points of compromise to ensure that the attack can continue if one point is closed.
  4. Once a threat actor determines that they have established reliable network access, they gather target data, such as account names and passwords. Stored passwords are normally hashed rather than kept in the clear, but weak or unsalted hashes can be cracked offline, after which the threat actor can identify and access data.
  5. The malware collects data on a staging server, then exfiltrates the data off the network and under the full control of the threat actor. At this point, the network is considered breached.
  6. Evidence of the APT attack is removed, but the network remains compromised. The cyber criminal can return at any time to continue the data breach.

Traditional cyber security measures such as perimeter firewalls and signature-based antivirus, even when layered in a defense-in-depth architecture, cannot by themselves protect against an APT attack, and leave organizations vulnerable to data breaches. The Adaptive Defense approach from FireEye is designed to intercept possible APTs at any point in your network, analyze them with the latest available information on threat actors and methodology, and support your security professionals with extensive knowledge of the industry and the threat groups they may encounter.

Copyright © 2022 Aspire Tech, All rights reserved.