Analyzing Network Traffic to Detect Advanced Persistent Threats

By Anthony Freed | October 31, 2012

Posted in: Network Security Trends

One of the most basic tenets of infosec is that there is no such thing as absolute security, and the nature of Advanced Persistent Threats (APTs) and the success with which attackers apply them is a constant reminder of that. True APTs penetrate their target networks at a rate approaching 100%, and many intrusions go undiscovered for months or even years; robust network security monitoring can nevertheless provide a means to detect an APT operation in progress and limit an organization's exposure.

"Network security monitoring is one of the best ways to detect many modern threats attacking our networks. Targeted Social Engineering can bypass our best attempts at defense in depth. Monitoring and analyzing network traffic looking for suspicious patterns, communication types, large data transfers and abnormal destinations may be the only clues that anything is amiss," said network security specialist Dan Dieterle.

A recently published report from Trend Micro demonstrates how correlating threat intelligence with clues found in network traffic, such as communication patterns known to be specific to particular malware families, can uncover APTs sooner rather than later and stop the attackers in their tracks.

"Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities... advanced detection techniques can be used to identify malware command-and-control (C&C) communications related to these attacks, illustrating how even the most high-profile and successful attacks of the past few years could have been discovered," the report states.

As an example, the researchers cite the Enfal malware used in the "Lurid Downloader" attacks since at least 2006. Although several variants of the malicious code are known to be employed by attackers, the malware's presence can still be detected because its communications use a specific format that "includes two directories, followed by the hostname and MAC address of the compromised computer. This consistent pattern is still detected despite modifications" to the malware's code, according to the report.
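A request format that stable lends itself to a simple signature. The following Python is an added example, not code from the Trend Micro report or from this article: it scans HTTP request lines for a path of the shape `/dir1/dir2/HOSTNAME/MAC`, normalizes the MAC address and returns the matches. The concrete path layout, the MAC formats accepted and the sample request lines are assumptions constructed for illustration; real Enfal variants may encode the fields differently, so treat the regex as a template to adapt to observed traffic rather than a production signature.

```python
"""Flag HTTP request paths shaped like a host/MAC beacon.

Added example. The path layout /<dir>/<dir>/<hostname>/<mac> is an
assumption for illustration, not the verified Enfal format.
"""
import re

# Accepts 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e and 001a2b3c4d5e.
MAC_RE = r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{12}"

# Exactly two directory components, then a DNS-label-like hostname,
# then a MAC address, and nothing after it.
BEACON_RE = re.compile(
    r"^/(?P<dir1>[^/\s]+)/(?P<dir2>[^/\s]+)/"
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9-]{0,62})/"
    r"(?P<mac>" + MAC_RE + r")$"
)

# Minimal HTTP/1.x request-line parser: METHOD SP path SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")

# Constructed sample request lines (not real captures).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/update/WKSTN-42/00-1A-2B-3C-4D-5E HTTP/1.1",
    "POST /api/v1/upload HTTP/1.1",
    "GET /img/logo/FINANCE-PC/001a2b3c4d5e HTTP/1.0",
    "GET /a/b/c/d/e HTTP/1.1",
]


def normalize_mac(raw):
    """Return the MAC as lower-case colon-separated octets."""
    hexdigits = re.sub(r"[-:]", "", raw).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def match_beacon(path):
    """Return the extracted fields if the path matches the beacon shape, else None."""
    path = path.split("?", 1)[0]  # ignore any query string
    m = BEACON_RE.match(path)
    if not m:
        return None
    return {
        "dir1": m["dir1"],
        "dir2": m["dir2"],
        "host": m["host"],
        "mac": normalize_mac(m["mac"]),
    }


def scan_requests(lines):
    """Run the beacon check over request lines; return one dict per hit."""
    hits = []
    for line in lines:
        line = line.strip()
        req = REQUEST_LINE_RE.match(line)
        if not req:
            continue
        beacon = match_beacon(req["path"])
        if beacon:
            beacon["request"] = line
            hits.append(beacon)
    return hits


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{hit['host']} ({hit['mac']}) -> {hit['request']}")
```

Because the hostname and MAC of the victim are carried in the path, each hit also identifies which internal machine is beaconing, which is the first thing an analyst needs when scoping the intrusion.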

"With the right tools Security Analysts can dissect suspicious traffic to detect these attacks. And when a company keeps a complete packet capture of all the communication coming in and out of their network, analysts can get a good look at when the attack occurred, how it happened and what information was pilfered from their corporate network," Dieterle said of the monitoring technique.

But what about the case where a zero-day exploit is being used rather than a known one, so that there is no established signature to match? The researchers note that monitoring for suspicious SSL digital certificates can still reveal the presence of such an agent on a network, because its encrypted C&C channel has to present a certificate.

"Looking for default, random, or empty values in SSL certificate fields and restricting such detections to only certificates supplied by hosts outside an organization’s monitored network provides a great balance of proactive detection with manageable false positives," the researchers said.
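The heuristic the researchers describe, written out as an added Python example that is not part of the original article or the Trend Micro report. It takes a list of observed TLS sessions (server IP plus certificate subject fields), skips any server inside the monitored address space, and flags certificates whose subject is empty, carries stock default values, or has a random-looking common name. The session records, the monitored ranges, the default-value list (OpenSSL's own `req` prompt defaults such as `Internet Widgits Pty Ltd`, plus the `Default Company Ltd`/`XX` defaults shipped in some distributions' `openssl.cnf`) and the entropy threshold used to call a name "random" are all assumptions constructed for illustration.

```python
"""Triage TLS server certificates for default, empty or random subject fields.

Added example. Address ranges, default-value list, sample sessions and the
entropy threshold are assumptions for illustration.
"""
import ipaddress
import math
from collections import Counter

# Assumption: the organization's monitored (internal) address space.
MONITORED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Values left in place when a certificate is generated from unedited
# openssl.cnf prompts. Extend with whatever else shows up in your traffic.
DEFAULT_VALUES = {
    "C": {"AU", "XX"},
    "ST": {"Some-State"},
    "O": {"Internet Widgits Pty Ltd", "Default Company Ltd"},
}

ENTROPY_THRESHOLD = 3.2  # bits per character; assumption, tune on real data

# Constructed sample sessions (server IP and parsed certificate subject).
SAMPLE_SESSIONS = [
    {"server_ip": "203.0.113.10",
     "subject": {"C": "AU", "ST": "Some-State", "O": "Internet Widgits Pty Ltd", "CN": ""}},
    {"server_ip": "10.20.30.40",   # internal test box with the same junk cert
     "subject": {"C": "AU", "ST": "Some-State", "O": "Internet Widgits Pty Ltd", "CN": ""}},
    {"server_ip": "198.51.100.7",
     "subject": {"CN": "www.example.com", "O": "Example Corp", "C": "US"}},
    {"server_ip": "198.51.100.9",
     "subject": {"CN": "kX9q2mZpL4wT"}},
    {"server_ip": "203.0.113.55",
     "subject": {}},
]


def is_external(ip):
    """True when the server is outside every monitored network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MONITORED_NETS)


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value):
    """Heuristic: long, dot-free, mixes letters and digits, high entropy."""
    v = value.strip()
    if len(v) < 10 or "." in v:
        return False
    has_digit = any(ch.isdigit() for ch in v)
    has_alpha = any(ch.isalpha() for ch in v)
    return has_digit and has_alpha and shannon_entropy(v) > ENTROPY_THRESHOLD


def check_subject(subject):
    """Return a list of reasons a certificate subject is suspicious (empty if none)."""
    if not subject:
        return ["empty subject"]
    reasons = []
    for field, value in subject.items():
        if value == "":
            reasons.append(f"empty {field}")
        elif value in DEFAULT_VALUES.get(field, ()):
            reasons.append(f"default {field}={value}")
    cn = subject.get("CN", "")
    if cn and looks_random(cn):
        reasons.append("random-looking CN")
    return reasons


def triage(sessions):
    """Apply the subject checks only to certificates served by external hosts."""
    alerts = []
    for sess in sessions:
        if not is_external(sess["server_ip"]):
            continue  # internal services are handled by asset inventory, not this rule
        reasons = check_subject(sess["subject"])
        if reasons:
            alerts.append({"server_ip": sess["server_ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_SESSIONS):
        print(alert["server_ip"], "->", "; ".join(alert["reasons"]))
```

Restricting the rule to external servers is what keeps the false-positive rate tolerable: internal lab boxes and appliances are full of self-signed certificates with default fields, and those belong to an inventory problem rather than an intrusion alert.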

The task of traffic analysis can be simplified if an organization also deploys a first-line-of-defense appliance that filters unwanted traffic before it ever reaches the network. This reduces the overall volume of data logged by monitoring systems and increases the likelihood of detecting a threat in what remains.

"When a company institutes a good method of Network Security Monitoring, security analysts can be alerted within minutes of problems - instead of months or years," Dieterle said.
