Advanced Persistent Threats
Watching for 'Unknown Threats' from Advanced Persistent Attackers
Advanced Persistent Threats (APT)--organized attacks from persistent adversaries and the malware they leave behind--are a growing problem for enterprises across many industry verticals and for government agencies. A quick review of the headlines from the multiple discoveries since the beginning of 2010, when Operation Aurora was made public by Google, gives some clues about which industries and companies are targets:
- Companies involved in highly technical or classified work
- Governmental agencies that have data stores containing information about domestic and foreign policy
- Companies involved with cutting-edge consumer product work, where innovation cycles are very short, or that hold proprietary information that lets them maintain a competitive edge over all competitors
- Communication companies with data stores containing communications of persons of interest to others (can be other governments or other interested parties)
The list above should not be considered definitive, as it is shaped by the motivations and imagination of the attacker.
The inability to prevent these attacks is not the fault of currently available security systems or of the thinking of security teams. These attacks target individuals in a company whom the attacker has profiled as having the potential to give up highly valuable information that can be used for nefarious purposes. Mandiant, a leading information security company with commercial and Federal clients, tells us that thousands of companies are actively compromised right now.
The malware left behind is meant to be stealthy and persistent, often looking like a normal service or application that starts at boot time so that it survives reboots. It spreads across systems so that if one instance is found and removed, the attacker can perform their own post-mortem, activate another instance of the malware, and change how the malware works to stay resident in the enterprise and continue collecting data. The question becomes: "How can I efficiently review terabytes of 'normal' data from machines and users, looking for patterns that can indicate a policy violation or malicious activity?"
Splunk: A big data solution -- finding the 'unknown threat'
Discovering malware left behind by determined, persistent and highly skilled attackers is not possible with signature- and rule-based systems reporting their data to a SIEM. Those systems look for abnormal behaviors and covert attacks--not anomalies within normal behavior. Finding malware designed to hide in normal activity requires a system that can ingest massive amounts of seemingly normal system data which, taken together in context through the lens of robust data analytics, can show the differences between normal machine and human behavior and malware.
Splunk can collect and index any data regardless of format or size and run automated searches across petabytes of data. Splunk's rich analytics command language supports a Security Intelligence approach, allowing the analyst to ask threat-scenario-based questions of the data, aligned with business risk or 'thinking like a criminal'. This approach lets you find 'known threats' reported into Splunk by signature- and rule-based systems and 'unknown threats' that appear as data patterns in normal activities.
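The two ideas above, malware that masquerades as a normal boot-time service and 'unknown threats' that only show up as patterns in otherwise normal data, can be made concrete with a small frequency-analysis script. The following is an added example and is not code from the original page or from Splunk; it prototypes in plain Python the kind of "stack counting" an analyst would run over indexed service-installation events: a service seen on only one or two hosts, or a service that reuses a common name but starts from a path different from the rest of the fleet, stands out against the fleet-wide baseline. The log format (`host=… service=… path=…`) and all events are constructed for illustration.

```python
"""Rare-autostart hunt over constructed sample data (added example, not Splunk code).

Assumes one event per (host, service) observed at boot, in the constructed
key=value format below. Two views are computed over the fleet baseline:
  * rare_services: services present on very few distinct hosts
  * path_outliers: instances of a service name whose binary path differs
    from the path the majority of hosts use for that same service name
"""
from collections import defaultdict
import re

# Constructed sample events; field names and values are illustrative only.
SAMPLE_EVENTS = """\
host=ws01 service=Spooler path=C:\\Windows\\System32\\spoolsv.exe
host=ws02 service=Spooler path=C:\\Windows\\System32\\spoolsv.exe
host=ws03 service=Spooler path=C:\\Windows\\System32\\spoolsv.exe
host=ws04 service=Spooler path=C:\\Windows\\System32\\spoolsv.exe
host=ws01 service=Dhcp path=C:\\Windows\\System32\\svchost.exe
host=ws02 service=Dhcp path=C:\\Windows\\System32\\svchost.exe
host=ws03 service=Dhcp path=C:\\Windows\\System32\\svchost.exe
host=ws04 service=Dhcp path=C:\\Windows\\System32\\svchost.exe
host=ws03 service=Spooler path=C:\\Users\\Public\\spoolsv.exe
host=ws04 service=WinHelpSvc path=C:\\ProgramData\\winhelp\\wh.exe
"""

EVENT_RE = re.compile(
    r"host=(?P<host>\S+)\s+service=(?P<service>\S+)\s+path=(?P<path>\S+)"
)


def parse_events(text):
    """Parse 'host=... service=... path=...' lines into dicts; skip non-matching lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def hosts_per_service(events):
    """Map service name -> set of distinct hosts on which it was seen at boot."""
    seen = defaultdict(set)
    for e in events:
        seen[e["service"]].add(e["host"])
    return seen


def rare_services(events, max_hosts=1):
    """Services present on at most max_hosts distinct hosts, least common first.

    Returns a list of (service, host_count) tuples.
    """
    seen = hosts_per_service(events)
    rare = [(svc, len(hosts)) for svc, hosts in seen.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda t: (t[1], t[0]))


def path_outliers(events):
    """Flag service instances that deviate from the fleet-majority binary path.

    For each service name, the path used by the most hosts is taken as the
    baseline; every (host, service, path) that uses a different path is
    returned, sorted for stable output.
    """
    by_service = defaultdict(lambda: defaultdict(set))  # service -> path -> hosts
    for e in events:
        by_service[e["service"]][e["path"]].add(e["host"])
    outliers = []
    for svc, by_path in by_service.items():
        if len(by_path) < 2:
            continue  # only one path in the fleet: nothing to compare against
        majority = max(by_path, key=lambda p: len(by_path[p]))
        for path, hosts in by_path.items():
            if path != majority:
                outliers.extend((h, svc, path) for h in sorted(hosts))
    return sorted(outliers)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("Services seen on <= 1 host:", rare_services(evts, max_hosts=1))
    print("Path outliers:", path_outliers(evts))
```

Neither view is a verdict on its own: a genuinely new line-of-business service will also look rare the week it is rolled out, and a vendor update can legitimately change a binary path. The value is that both checks run over ordinary inventory data that every host already produces, which is exactly the 'normal' data the question above asks how to review; the analyst then triages the short list rather than the full event stream.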