
Advanced Persistent Threats and Real-Time Threat Management

The Essentials Series

sponsored by

Dan Sullivan


Introduction to Realtime Publishers
by Don Jones, Series Editor

For several years now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format at no cost to you, the reader. We've made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book's production expenses for the benefit of our readers.

Although we've always offered our publications to you for free, don't think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as, and in most cases better than, any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the "realtime" aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We're an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I'm proud that we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you've received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you're sure to find something that's of interest to you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your educational needs far into the future.

Until then, enjoy.

Don Jones


Introduction to Realtime Publishers
Article 1: Beyond the Hype: Advanced Persistent Threats
    APTs Today
    The Evolving Threat Landscape
    Elements of APTs
    Changing Business Practices that Compound the Problem
    Pragmatic Assessment of the Potential to Control APTs
    Summary
Article 2: Need for Real-time Management and Responding
    Limits of Standard Endpoint and Perimeter Security Controls
    Stages of Response to a Breach
    Ideal and Realistic Assessment of Preventing a Breach
    Summary
Article 3: Planning for Real-time APT Countermeasures
    Business Case for Real-Time Threat Management
    Assessing the Current State of Readiness for Real-time Threat Management
    Planning the Deployment of a Real-Time Threat Management System
        Controls for Blocking
        Controls for Monitoring
        Containment Mechanisms
    Summary


Copyright Statement
2011 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the "Materials") and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, service marks and logos that are the property of third parties. You are not permitted to use these trademarks, service marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.
If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com.


Article 1: Beyond the Hype: Advanced Persistent Threats

Businesses face a constantly evolving threat landscape. One of the greatest challenges is presented by advanced persistent threats (APTs), which are sophisticated, multifaceted attacks targeting a particular organization. Mitigating the risk of APTs requires advances beyond traditional layered security to include real-time threat management. This Essentials Series describes the nature of APTs, the risks they pose to businesses, and techniques for blocking, detecting, and containing APTs and other emerging threats. We begin with a pragmatic assessment of the nature of APTs, specifically:

- The nature of APTs today
- The continuously evolving threat landscape
- Elements of APTs
- Changing business practices that compound the problem
- Assessment of the potential to control and mitigate the risk from APTs

Clearly, the threat landscape continues to become more challenging. The motivation and means for carrying out attacks on information systems are changing. Determined, committed attackers are employing multiple means to breach security controls. Businesses need to respond in kind with multiple security controls, including real-time monitoring and rapid containment measures.

APTs Today

APTs are sophisticated, multifaceted cyber attacks targeted at a particular organization. Such attacks are advanced in terms of the techniques that are applied and the insider knowledge the attackers have about their targets. APTs may use multiple vectors, such as malware, vulnerability scanning, targeted hacking, and malicious insiders, to compromise security measures. APTs are long-term, multiphase attacks. Early stages of an APT attack may focus on gathering information about network configuration and server operating system (OS) details; later, efforts may focus on installing rootkits or other malware to gain control or establish communication with a command and control server. Later stages of an attack may focus on stealing intellectual property by copying confidential or sensitive data.


It is important to understand that APTs are not a new means of conducting an attack and are not something that can be blocked or disrupted once so that the problem goes away. APTs are better understood to be more like a cyber attack campaign than a single type of threat; think ongoing processes. An antivirus program may block malware used in an APT attack, but that does not mean the attack is stopped. By its very nature, an APT is an ongoing attack. If one tactic does not work, another will be attempted. Realistically, we should not be thinking in terms of a single countermeasure or even adding more layers to a layered security strategy; rather, we should be thinking of processes that together can block when possible and detect and contain breaches in other cases. It's reasonable at this point to ask, "How did we get here?"

The Evolving Threat Landscape

Businesses and governments face an evolving threat landscape. What began with attempts to gain bragging rights about defacing a major newspaper's Web site or blocking service to a popular site with a Denial of Service (DoS) attack has shifted to attacking for financial gain. Attackers can realize direct financial gains by fraud and intellectual property theft, or indirectly by disrupting a competitor's ability to deliver services or conducting a widely publicized data breach that compromises customers' private financial information. Besides the changes in motivations, there are changes in the means of implementing attacks.

Changes in application architectures and the decentralization of core operations create opportunities for attackers. In the past, bank tellers and ATM machines were the only ways to conduct transactions with your bank accounts; now you can do it with your phone. It was not that long ago that talk about retailers invoked images of brick-and-mortar stores and malls; now it is just as likely to bring to mind Web sites that sell everything from books to appliances. The Web applications that provide many of the services businesses offer implement workflows that ultimately lead to back-office systems like inventory management and accounts receivable. These can readily become the target for vulnerability scans, injection attacks, and other probes that reveal information about the application architecture and potential vulnerabilities.

Another factor in the evolving threat landscape is the combination of techniques that may be used. Malware can be used to perform a specific task, such as capturing keystrokes, or it may include a communications module that works with a command and control server to download instructions, allowing attackers to probe, make discoveries, and adapt their tactics to their findings.

Some of the techniques we see in APTs we have seen in the past with blended threats that used a single attack vector to deliver multiple forms of malicious software. We also see that attacks will change in response to countermeasures. When antivirus software successfully detected viruses using pattern matching techniques, malware developers employed encryption and polymorphic techniques to scramble their code enough to avoid detection. Similarly, if one route of entry into a system is blocked, an APT will look for another. The dynamic nature of APTs is a common characteristic of security threats, but there are characteristics that distinguish APTs from other types of attacks.


Elements of APTs

At the most basic level, there are three characteristics of an attack that make it an APT:

- Motivated by financial gain or competitive advantage
- A long-term, sustained attack
- Targeted at a specific company, organization, or platform

Businesses and governments are the targets of APTs for obvious reasons. Businesses have both financial assets and intellectual property that are highly valued. Governments have faced outside aggression probably for as long as there have been governments; thus, the concept of APTs is in many ways nothing new. What is new is that the means of executing such threats have moved into the realm of networks and applications.

Long-term attacks may continue for days, weeks, months, or even longer. APT attacks can begin with intelligence gathering, which may continue for some time. It may involve both technical and human intelligence gathering. The intelligence gathering efforts can shape later stages of attack, which can be either quick or prolonged. For example, an attempt to steal trade secrets may take months of intelligence gathering about security protocols, application vulnerabilities, and file locations but take only minutes to execute once a plan has been established. In other cases, attacks may continue over longer periods of time. For example, after successfully deploying a rootkit on a server, an attacker may regularly send copies of potentially valuable files to a command and control server for review.

A number of widely publicized APT attacks demonstrate the breadth of means and motivations driving the deployment of APTs:

- The Zeus botnet, for example, started as a platform for attacking financial institutions but was changed to become a framework for other types of APTs.
- The Aurora APT attacked Google and other technology companies, seemingly in an attempt to gain access to and possibly modify application code.
- Stuxnet is highly specialized industrial malware that includes a rootkit for a programmable logic controller used in industrial equipment. There has been speculation in the press that Stuxnet was developed by one or more governments.

APTs such as these can take advantage of changes in the way we deliver services.

Changing Business Practices that Compound the Problem

Changes in technology and motivations for attack are only part of the reason APTs have become such a significant threat. The way we architect systems and allow access to business applications is also part of the puzzle.


Consider deperimeterization. In the past, firewalls would have blocked traffic that was not specifically allowed. As applications advanced, there was a greater need for more flexible movement of network traffic. Outsiders needed access to internal resources. Developers wrote applications to tunnel blocked traffic over protocols that were allowed through (that is, HTTP). Rather than having a single boundary around all network assets, businesses opened access to more servers and depended on device-based controls and network traffic monitoring.

Another factor that can be exploited by APTs is the increased use of mobile and other unmanaged devices. IT departments do not always dictate the kinds of anti-malware software or access controls that must be in place before a device can be used with internal services. These devices can be used by APTs to stage part of an attack on a business or government network.

Similarly, the increased use of publicly available Web applications provides another potential method of attack. For example, an injection attack on a Web application could be used to collect intelligence about the contents of databases as well as the structure of the application.

By expanding employee access to critical information infrastructure, businesses can make it easier and more efficient for employees to perform necessary tasks. However, doing so also increases the potential points of entry for attackers.

Technical and organizational factors are at work with regard to the potential for executing an APT attack. Many of these factors, such as empowering employees and accessing applications from mobile devices, are so beneficial that it is difficult to imagine curtailing them. We can mitigate the risk of APTs without necessarily sacrificing these and other advances.

Pragmatic Assessment of the Potential to Control APTs

From a pragmatic perspective, it is reasonable to assume that APTs will be with us for the foreseeable future. The history of cybersecurity is filled with examples of new forms of attacks emerging in response to new types of controls. APTs are long-term, process-oriented attacks that are a product of changes in the motivations of attackers and the means available to them to conduct their attacks. Given that APTs are here to stay, what is the appropriate strategy to mitigate the risks associated with them?

We should continue to deploy blocking countermeasures. Anti-malware, encryption, vulnerability scanning, and patching are all good practices. They are not enough, though, to counter APTs, so we should assume there will be a breach. This is not to say there are problems with those countermeasures; this perspective only recognizes the fact that a determined, persistent attacker may find a way to bypass blocking measures.


Working with the assumption that there will be a breach at some point, we must monitor network traffic and host activities in real time. Once a breach occurs, it is imperative to detect that breach as soon as possible and to contain the impact. Containment can include isolating compromised devices, shutting down services, and collecting data for forensic analysis.

Summary

APTs are a class of security threats that pose particular challenges to IT and security professionals. Motivated by financial or other long-term gain and armed with a wide array of malware and hacking techniques, these attackers are willing to spend the time and effort required to breach an organization's defenses. Many of the best practices used in the past are still required today, but as we shall see in the next article, we need to add real-time monitoring and containment techniques to our set of countermeasures.


Article 2: Need for Real-time Management and Responding

Ideally, we could deploy security controls that would prevent a successful attack by an advanced persistent threat (APT), but we should be pragmatic in our assessment. APTs are multifaceted, and although one countermeasure, such as an antivirus system, may block one part of an APT, there can be other elements of the attack that do not depend on detectable malware. Just consider a malicious insider who uses social engineering to discover the password to an administration account of a document management system in order to copy the contents of the repository and mine them for intellectual property. When planning a response to the threat of APTs, we should assume there will be a breach at some time. The overall goal of risk management in this case is to minimize the impact of threats by blocking when possible and detecting and containing when not; to do that, we need real-time monitoring and remediation mechanisms.

This article considers the need for real-time threat management and response, specifically:

- The limits of conventional endpoint and perimeter security controls
- The stages of a response to a breach by an APT
- Ideal and realistic assessments of preventing a breach

As in the first article in this series, a dominant theme is the assumption that we should take the threat of APTs seriously and plan for a breach. This is not to say all businesses will be the victims of an APT attack or that all APT attacks will be successful. From a purely pragmatic perspective, it is better to be prepared for a breach and not suffer one than to be unprepared if a breach does occur.

Limits of Standard Endpoint and Perimeter Security Controls

Standard endpoint and perimeter controls can work well to block opportunistic and unsophisticated attacks, but APTs are designed to circumvent these countermeasures. For example, an attack can begin with the identification of employees with access to key information systems, followed by spear phishing and other social engineering techniques. The goal at this stage of the attack is to lure the victim into installing malicious software under the guise of some legitimate operation, such as clicking on a link in an email to access a form or retrieve content.


[Figure 1 is a diagram. Elements shown: Attacker; Malware; Firewall/Perimeter Defenses; the victim device with AV and Personal Firewall; Phishing Victim (organizational role); Attacker Controlled Server. Numbered steps in the diagram: 1. Direct attacks aimed at placing malware on a device can be blocked. 2. Phishing lures sent by email. 3. Victim clicks link to malicious site where malicious software is downloaded.]

Figure 1: APT attacks use phishing to circumvent perimeter and local device security measures.

Once an attacker has a victim using an attacker-controlled server, the attacker can download malware. Attackers can use encryption and other techniques to avoid detection by pattern-matching-based systems, making it difficult to determine whether the content a user is downloading contains malicious software.

Getting malware onto a victim's device is just the first step in an APT attack. The sooner such a breach is detected, the better the chance of containing the damage. This is why we need real-time threat management.


Stages of Response to a Breach

There are four stages to responding to a breach by an APT:

- The initial point of entry
- Compromise of systems and information
- Discovery of a breach
- Containment of a breach

The key stage from a risk management perspective is discovery. Assuming an APT attack has successfully avoided or bypassed perimeter, network, and local defenses, it is then a question of how long the attack continues before it is detected.

[Figure 2 is a chart; the image is not reproduced here.]

Figure 2: Within minutes, a significant proportion of attacks move from breaching security controls to compromising systems or information. Many of these attacks are not discovered for weeks or months (Source: Verizon 2011 Data Breach Investigations Report).

Two facts about the Verizon data breach study statistics are worth highlighting. First, a significant percentage of attacks lead to a compromise within minutes of a breach. The speed at which APTs operate means that responses that require manual intervention will be too late in many cases. This is why real-time management is required. Often there is no time to waste in initiating a response.


The second fact that we should pay particular attention to is the significant number of attacks that require weeks or months to discover. Until an attack is discovered, it cannot be contained. Some attacks may be point-in-time attacks in which data is stolen or some other malicious act is performed and then the attack terminates. Other attacks could go on as long as they are not detected, for example, streaming customer credit card data to a command and control server 24 hours a day. Active, constant monitoring and analysis is required to discover breaches as soon as possible.

Ideal and Realistic Assessment of Preventing a Breach

As noted earlier, ideally, security controls such as antivirus and perimeter controls would be sufficient to mitigate the risk of a security breach, but that is simply not the case. Attackers understand how perimeter controls and antivirus systems work, and they work well in many cases. The proof of this is the fact that attackers choose to avoid confronting antivirus and perimeter controls by going around them. After all, why bother trying to devise sophisticated malware that can avoid detection when you can use social engineering to trick a legitimate user? Phishing attacks exploit the fact that some users have sufficient access privileges to targeted systems and data. With a sufficiently well-crafted phishing lure, attackers can get these users to unintentionally act as a conduit to reach their target. As humans are sometimes the weakest link in a security strategy, we have to develop strategies that accommodate those weaknesses and mitigate the risks they pose.

A pragmatic approach seeks to prevent a breach and reduce the impact of a breach should one occur. This requires a three-part approach.

First, keep security controls in place and up to date. These include antivirus, encryption, access controls, and vulnerability scanning. Zero-day threats will not be detected by vulnerability scanners, so advanced network monitoring is required to detect and block intrusions. This leads to the second requirement.

Networks and servers should be continuously monitored for signs of a breach. This should include:

- Network traffic analysis
- Server log analysis
- Host intrusion prevention
- File integrity monitoring

Comprehensive monitoring can help detect footprints of an attack, such as an unusual amount of traffic between a server and an external IP address in the middle of the night or the creation of a server account with elevated privileges.
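The two footprints just named (off-hours bulk traffic to an external address, and a newly created account granted elevated privileges) are the kind of thing server log analysis can catch with simple rules. The script below is an added example, not code from the article or its sponsor: it runs two such rules over constructed flow and account-management log lines. The log formats, the hour range treated as "off hours", the 10 MiB per hour threshold, the internal address ranges, and the set of privileged groups are all assumptions chosen for the example; a real deployment takes them from its own environment.

```python
"""Rule-based detection of two attack footprints over constructed log lines:
off-hours bulk transfers to an external address, and creation of an account
that is then granted a privileged group. Formats and thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records: timestamp, source host, destination IP, bytes sent.
FLOW_LOG = """\
2011-03-14T02:10:05 db01 203.0.113.45 5242880
2011-03-14T02:11:09 db01 203.0.113.45 6291456
2011-03-14T02:12:31 db01 203.0.113.45 7340032
2011-03-14T10:03:00 web01 198.51.100.20 40960
2011-03-14T14:22:10 db01 10.0.0.25 80000000
"""

# Constructed account-management events, loosely modelled on useradd/usermod syslog lines.
AUTH_LOG = """\
2011-03-14T02:15:44 db01 useradd: new user: name=svc_backup, UID=1007, GID=1007
2011-03-14T02:15:50 db01 usermod: add 'svc_backup' to group 'wheel'
2011-03-14T09:00:12 web01 useradd: new user: name=jsmith, UID=1008, GID=1008
"""

OFF_HOURS = range(0, 6)               # 00:00-05:59 local time (assumption)
EGRESS_THRESHOLD = 10 * 1024 * 1024   # 10 MiB per hour to one external IP (assumption)
PRIVILEGED_GROUPS = {"wheel", "sudo", "admin", "root"}  # assumption
# Address space considered internal; everything else is "external" (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True unless the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def off_hours_egress(flow_log: str):
    """Sum bytes per (host, external IP, hour) and flag off-hours totals over the threshold."""
    totals = defaultdict(int)
    for line in flow_log.splitlines():
        ts, host, dst, nbytes = line.split()
        when = datetime.fromisoformat(ts)
        if when.hour in OFF_HOURS and is_external(dst):
            totals[(host, dst, when.strftime("%Y-%m-%dT%H"))] += int(nbytes)
    return [
        {"rule": "off_hours_egress", "host": h, "dst": d, "hour": hr, "bytes": b}
        for (h, d, hr), b in sorted(totals.items())
        if b >= EGRESS_THRESHOLD
    ]


def privileged_account_creation(auth_log: str):
    """Correlate a new-user event with a later grant of a privileged group on the same host."""
    new_users = {}  # (host, user) -> creation timestamp
    alerts = []
    for line in auth_log.splitlines():
        ts, host, rest = line.split(" ", 2)
        if rest.startswith("useradd: new user:"):
            # The last colon-separated field holds "name=..., UID=..., GID=...".
            fields = dict(f.strip().split("=") for f in rest.split(":")[-1].split(","))
            new_users[(host, fields["name"])] = ts
            if fields["UID"] == "0":  # a second root-equivalent account is always worth an alert
                alerts.append({"rule": "uid0_account", "host": host, "user": fields["name"], "time": ts})
        elif rest.startswith("usermod: add "):
            # Format assumed: usermod: add 'user' to group 'grp'
            parts = rest.split("'")
            user, group = parts[1], parts[3]
            if group in PRIVILEGED_GROUPS and (host, user) in new_users:
                alerts.append({"rule": "new_privileged_account", "host": host, "user": user,
                               "group": group, "created": new_users[(host, user)], "time": ts})
    return alerts


def run(flow_log: str = FLOW_LOG, auth_log: str = AUTH_LOG):
    """Run both rules and return the combined alert list."""
    return off_hours_egress(flow_log) + privileged_account_creation(auth_log)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input the first rule flags db01 sending about 18 MiB to 203.0.113.45 between 02:00 and 03:00, and the second flags svc_backup, created on db01 at 02:15 and added to wheel six seconds later; the daytime transfer and the ordinary jsmith account produce nothing. Both rules are deliberately stateful only within one pass, which is the part that has to change when the same logic runs as a streaming job against live logs.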


The third requirement is to contain the impact of a breach. Techniques such as virtual patching and automated remediation can disrupt an attack and prevent the vulnerability that enabled the attack from being exploited again. The specific steps that should be executed in order to contain a breach should be defined in a set of risk management procedures.

The overall objective here is to reduce the time between the point of entry of an attack and the point of containment. Real-time threat management, which includes both monitoring and response mechanisms, is required to address the threats posed by APTs. The value of real-time threat management lies in the value of data not lost or compromised because containment occurs faster than it would have if manual procedures were required to discover and contain the attack.

Summary

Commonly used endpoint and perimeter security controls are insufficient to block APT attacks. Phishing and other forms of social engineering allow attackers to circumvent those controls by luring users with sufficient access rights into inadvertently being used in the attack. APTs can rapidly move from the point of breach to the point of compromise, often within minutes. Manual intervention to detect and contain APT attacks is often too slow to be effective. Real-time threat management is needed to respond as rapidly as the APT attack progresses.


Article 3: Planning for Real-time APT Countermeasures

Advanced persistent threats (APTs) have emerged as a significant threat to businesses, governments, and other organizations. The previous two articles in this series have examined technical aspects of APTs and the challenges to mitigating the risk of an APT attack. APTs are not just malware, and they cannot be stopped with just antivirus or perimeter controls. APTs employ social engineering techniques designed to circumvent conventional blocking defenses. Rather than try to outsmart an antivirus program, an attacker gets around the antivirus system. When an employee willingly follows a link in a phishing lure email and downloads what appears to be a legitimate program but is in fact encrypted malware, there is little chance of blocking it. Users have access control rights to download and save applications. Pattern-based detection techniques do not detect encrypted malware. In summary, conventional perimeter and endpoint defenses will not stop an APT.

To be clear, perimeter defenses and endpoint security are necessary to address the risks posed by APTs, but they are not enough. We need real-time threat management. Before deploying such controls, it is advisable to assess the current state of hardware, software, and security controls, prioritize assets, and perform a gap analysis. The results of these efforts will help to plan what proactive controls should be deployed.

This article is organized around basic steps to plan for the deployment of real-time threat management to mitigate the risk of APTs:

- Developing a business case for real-time threat management
- Assessing the current state of readiness for real-time threat management
- Developing a deployment plan

Not surprisingly, some of the recommendations that follow would fit equally well when describing other types of countermeasures. APTs are a collection of well-established techniques used for malicious purposes, applied in methodical and comprehensive ways. Countermeasures used in the past can still be useful here. The key distinguishing characteristic of APTs is the speed at which they can progress. This, in turn, drives the need for real-time threat management to complement perimeter and endpoint defenses.


Business Case for Real-Time Threat Management

Executives and IT managers have no shortage of competing demands for resources. Why, when a business has invested so much in antivirus, network filtering, identity management, and other security controls, should they focus additional resources on real-time threat management? The short answer is because those countermeasures are not enough.

The risk from APTs is well documented. Well-publicized cases, such as Stuxnet, Zeus, and Aurora, show that APTs can threaten financial and industrial control systems as well as businesses and governments. The success of these attacks also speaks to the limitations of widely used layered security mechanisms. Again, these mechanisms are essential, but they are not sufficient to mitigate the risk from APTs. APTs are designed to use human and technical resources to collect intelligence, probe for vulnerabilities, and plan multiple-step coordinated actions against a target. The techniques used in APTs are chosen precisely because they can either compromise or avoid such security measures.

The business case justification for real-time threat management is a pragmatic one: APTs exist, organizations with information, financial resources, or intellectual property of sufficient value are potential targets, and commonly used layered security defenses are insufficient to block a sophisticated attack. In addition, once a breach occurs, damaging acts can take place within minutes in many attacks. A well-planned and executed response that requires hours or days to implement may be as effective as no response at all. APTs can operate fast enough that automated responses triggered by constant monitoring are required.

Assessing the Current State of Readiness for Real-time Threat Management

Once the business case for deploying real-time threat management has been made, the next step is to assess the current state of readiness. This involves three steps:

- Inventory IT infrastructure
- Prioritize assets
- Perform a gap analysis

The final product of this stage is a description of the potential weak spots in current security controls. Real-time threat management does not replace perimeter or endpoint defenses; it complements them. When endpoint and perimeter defenses are up to date and deployed throughout a network, the attackers have to go to greater lengths to successfully breach the infrastructure.


An inventory of IT infrastructure includes:

- Hardware and network infrastructure
- Software, especially enterprise applications
- Databases, content management systems, and other repositories
- Security controls

The purpose of the inventory is to understand what can be a target of an attack or exploited in an attack. Network management and asset management tools are available that can discover assets on a network and produce an inventory of both hardware and software on those systems.

With an inventory in hand, the next step is to prioritize assets. Not all applications, servers, or other infrastructure are created equal. The object is to group assets according to their relative importance so that resources can be allocated to the most important assets first.

We should also understand where there are gaps in the current configuration of layered security controls. In particular, what security controls are missing with respect to blocking, detecting, and containing attacks? Do any of the controls in place support real-time threat management? For example, are log analysis tools capable of operating in a real-time manner? What is the delay between an event being logged and an alert being triggered?

Also consider whether governing policies and procedures are adequate for real-time threat management. They should include specifications for how to respond to a suspicious event as well as who (and what automated controls) should be involved with a response. At the conclusion of these steps, you will be in a position to plan the deployment of a real-time threat management system.

Planning the Deployment of a Real-Time Threat Management System

As you plan your real-time threat management system and evaluate candidate systems, consider three key requirement areas:

- Controls for blocking
- Controls for monitoring
- Containment mechanisms


Controls for Blocking

Blocking network attacks is a complex operation and requires a number of types of controls. Network-level malware detection should be deployed even when antivirus is deployed on endpoints. This type of redundancy is helpful when one of the instances of the control is bypassed or compromised. Vulnerability scanning will help to detect weaknesses in applications. There are different types of vulnerability scanning. For commercial or open source applications, vulnerability scanning can help to maintain appropriate patch levels and mitigate the risk of attacks using known vulnerabilities. For custom applications, vulnerability scanning can help identify potential points of injection attacks, especially SQL injection attacks. As helpful as vulnerability scanning can be, it does not address the problem of zero-day attacks, which exploit as yet publicly unknown vulnerabilities in applications.

Compliance verification procedures should also be implemented. Such procedures can help detect configurations that do not meet minimal security control standards.

Controls for Monitoring

Real-time threat management requires a number of types of monitoring mechanisms:

- Network-level analysis
- Log analysis
- Host intrusion prevention
- Blacklisting of known command and control servers

Network-level analysis demands advanced techniques to adequately identify anomalous patterns without generating too many false alarms. A combination of heuristic rules and statistical pattern recognition techniques may improve overall performance by leveraging the strengths of both while compensating for each technique's weaknesses.

Like network analysis, log analysis must be sufficiently accurate and precise to minimize both false positives and false negatives. It must also scale to meet the volume of logs that are generated in your site, so consider performance and throughput when evaluating this and other analysis tools.

In addition to monitoring network traffic and logs, critical servers should be monitored. By establishing a baseline of activity on a server, host intrusion prevention can help detect anomalous activity on a server, such as unusually high volumes of I/O or changes to application libraries. File integrity checks should also be included in this type of monitoring.

Do not forget to monitor higher levels of network traffic and, in particular, block access to known malicious servers. A real-time threat management application should ideally provide access to up-to-date blacklists of known command and control servers that could be used to direct parts of an advanced attack on your network.
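The section above names three monitoring techniques: a statistical baseline that flags a host whose activity departs from its own history, a heuristic rule that matches traffic against a blacklist of known command and control servers, and a file integrity check against stored digests. The script below is an added example, written for this page rather than taken from the article or any product it describes, showing how the first two combine into one score per host (each indicator is reported independently, so the statistical check can catch a host the blacklist misses and vice versa) and how the third reports modified, added and removed files. The fourteen-day volume history, today's figures, the contact lists, the blacklisted address, the file contents, and the three-standard-deviation threshold are all constructed for the example.

```python
"""Monitoring checks over constructed data: a z-score baseline on per-host outbound
volume, a command and control blacklist match, and a SHA-256 file integrity
comparison. All inputs and the 3-sigma threshold are assumptions for the example."""
import hashlib
import statistics

# Constructed 14-day history of daily outbound bytes per host, and today's totals.
HISTORY = {
    "db01": [1.1e9, 0.9e9, 1.0e9, 1.2e9, 1.05e9, 0.95e9, 1.0e9,
             1.1e9, 0.9e9, 1.0e9, 1.15e9, 0.98e9, 1.02e9, 1.08e9],
    "web01": [5.0e9, 5.2e9, 4.8e9, 5.1e9, 5.3e9, 4.9e9, 5.0e9,
              5.1e9, 5.2e9, 4.7e9, 5.0e9, 5.1e9, 4.9e9, 5.0e9],
}
TODAY = {"db01": 3.4e9, "web01": 5.4e9}

# Constructed: addresses each host contacted today, and a blacklist of known C2 addresses.
CONTACTS = {"db01": ["10.0.0.25", "203.0.113.45"], "web01": ["198.51.100.20"]}
C2_BLACKLIST = {"203.0.113.45"}

Z_THRESHOLD = 3.0  # assumption: flag values three standard deviations above baseline


def zscore(history, value):
    """Distance of value from the historical mean, in standard deviations."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    if sd == 0:  # a perfectly flat baseline: any change is infinitely unusual
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def score_host(host):
    """Combine statistical and heuristic evidence; returns a list of indicator strings."""
    indicators = []
    z = zscore(HISTORY[host], TODAY[host])
    if z >= Z_THRESHOLD:
        indicators.append(f"outbound volume {z:.1f} sd above baseline")
    hits = sorted(set(CONTACTS[host]) & C2_BLACKLIST)
    if hits:
        indicators.append("contacted blacklisted C2 address " + ", ".join(hits))
    return indicators


# Constructed file snapshots (path -> contents); a real checker reads them from disk.
BASELINE_FILES = {
    "/usr/lib/libapp.so": b"original library bytes",
    "/etc/app.conf": b"port=8080\n",
}
CURRENT_FILES = {
    "/usr/lib/libapp.so": b"original library bytes\x90\x90",  # library changed
    "/etc/app.conf": b"port=8080\n",                           # unchanged
    "/usr/lib/libextra.so": b"not in the baseline",           # new file
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Record a digest per path; store this somewhere the monitored host cannot alter."""
    return {path: digest(content) for path, content in files.items()}


def check_integrity(baseline, files):
    """Compare a fresh snapshot against the stored baseline."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":
    for host in HISTORY:
        print(host, score_host(host) or "no indicators")
    print(check_integrity(build_baseline(BASELINE_FILES), CURRENT_FILES))
```

With these inputs db01 is reported twice (its outbound volume is far above its baseline, and it talked to the blacklisted address) while web01, whose 5.4 GB day is only about two and a half standard deviations above its mean, stays quiet; that is the false-alarm trade-off the section describes, and Z_THRESHOLD is the knob that moves it. The integrity check reports the altered library and the unexpected new file. Using the population standard deviation keeps a fourteen-sample baseline from being dominated by one outlier less than the sample version would, but any such baseline needs refreshing as legitimate load changes.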


Containment Mechanisms

In the event of a breach, a real-time threat management system should be able to automatically remedy the situation. This can include isolating compromised devices on the network and patching known vulnerabilities. Containment mechanisms should also support risk management procedures, such as generating alerts and escalating notifications according to the severity of events.
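The paragraph above asks for two things from containment: automatic remediation such as isolating a compromised device, and notifications that escalate with the severity of events. The script below is an added example, not code from the article or from any product, of a small containment policy that does both: each detection carries a base severity, repeated detections against the same host within a time window raise it one level each, the resulting level selects a notification tier, and hosts at or above the isolation level are quarantined exactly once. Actions are returned as records for an orchestration layer to execute (a switch-port quarantine, a ticketing call) rather than executed here; the rule names, severities, window length and notification tiers are all assumptions.

```python
"""Severity-driven containment over constructed detections: escalate repeated
detections on one host, pick a notification tier, and isolate once at high
severity. Rule names, levels, window and tiers are assumptions for the example."""
from dataclasses import dataclass, field

# Base severity per detection rule (assumption; rule names match the earlier examples).
BASE_SEVERITY = {
    "c2_contact": 3,
    "new_privileged_account": 2,
    "off_hours_egress": 2,
    "file_modified": 1,
}
ESCALATION_WINDOW = 600  # seconds; earlier detections older than this no longer escalate
ISOLATE_AT = 3           # severity at which the host is quarantined
MAX_SEVERITY = 4
NOTIFY = {               # notification tier per severity level
    1: "open ticket",
    2: "email security team",
    3: "page on-call",
    4: "page on-call and notify CISO",
}


@dataclass
class Detection:
    time: int   # epoch seconds
    host: str
    rule: str


@dataclass
class Containment:
    isolated: set = field(default_factory=set)
    recent: dict = field(default_factory=dict)  # host -> detection times inside the window

    def severity(self, d: Detection) -> int:
        """Base severity plus one level per earlier detection on the same host in the window."""
        times = [t for t in self.recent.get(d.host, []) if d.time - t <= ESCALATION_WINDOW]
        times.append(d.time)
        self.recent[d.host] = times
        return min(MAX_SEVERITY, BASE_SEVERITY[d.rule] + len(times) - 1)

    def handle(self, d: Detection):
        """Return (severity, actions) for one detection; actions are records, not side effects."""
        sev = self.severity(d)
        actions = [{"action": "notify", "tier": NOTIFY[sev], "host": d.host, "rule": d.rule}]
        if sev >= ISOLATE_AT and d.host not in self.isolated:
            self.isolated.add(d.host)  # idempotent: a host is quarantined once
            actions.append({"action": "isolate", "host": d.host})
        if d.rule == "file_modified":
            # Preserve evidence before anything is cleaned up (see Article 1 on forensics).
            actions.append({"action": "collect_forensics", "host": d.host})
        return sev, actions


def replay(detections):
    """Feed detections through one Containment instance; returns (severity, actions) per event."""
    engine = Containment()
    return [engine.handle(d) for d in detections]


# Constructed sequence: three rapid detections on db01, then an unrelated file change on web01.
SAMPLE = [
    Detection(0, "db01", "off_hours_egress"),
    Detection(120, "db01", "new_privileged_account"),
    Detection(200, "db01", "c2_contact"),
    Detection(5000, "web01", "file_modified"),
]

if __name__ == "__main__":
    for d, (sev, actions) in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={d.time:>5} {d.host} {d.rule:<24} severity={sev} -> {actions}")
```

On the sample sequence the first db01 detection only emails the team; the second, arriving two minutes later, escalates to severity 3 and isolates the host; the third is capped at 4 and pages the CISO without a second isolation record; the web01 file change opens a ticket and triggers evidence collection. The escalation window is what turns a burst of individually low-severity signals into the fast automated response the article argues for, while the cap and the idempotent isolation keep a noisy host from paging indefinitely or generating duplicate quarantine orders.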

Summary

APTs present a new set of challenges from a security perspective. APTs are designed to circumvent commonly deployed security controls. They are also noteworthy for the time that attackers are willing to invest in collecting intelligence and probing for vulnerabilities. Conventional perimeter and endpoint security controls are necessary but not sufficient to prevent the full range of threats posed by APTs. Real-time threat management that entails blocking, detection, and containment can help mitigate the damage that can be done by fast-moving APTs that can progress from breaching controls to compromising systems and data in a matter of minutes.
