A high degree of stealthiness over a prolonged duration of operation in order to do a successful cyber attack can be defined as Advanced Persistent Threat. The attack objectives therefore typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and initial goals reached.
Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. Nart Villeneuve and James Bennett (Senior Threat Researcher) from Trend Mirco provide an ultimate guide for Detecting (APT) Advanced Persistent Threat activities with Network Traffic Analysis, that can be used to identify malware command-and control (C&C) communications related to these attacks, illustrating how even the most high-profile and successful attacks of the past few years could have been discovered.
Paper cover Detecting Remote Access Trojans like The GhostNet, Nitro attack, RSA Breach, Taidoor campaign, Sykipot campaign and more. Nart also talk about the Challenges during Network-Based Detection i.e Two key factors pose challenges to network-based detection encryption and the cloud.
More than 90% of intrusions aren't even discovered by the victims themselves, but through third-party notification. In many cases, the APT has been on the victim network for months or even years, exfiltrating intellectual property data plus economic and political information.
"The ability to detect APT activity at the network level is heavily dependent on leveraging threat intelligence. A variety of very successful ongoing campaigns can be detected at the network level because their communications remain consistent over time."
To get rid of such attacks you much know that what that information is, where it resides, who has access to it, why they have access and when they access it. Answering these types of questions should give you a clearer picture of what are the most critical pieces in your infrastructure that need your attention.
Modifications made to malware’s network communications can, however, disrupt the ability to detect them. As such, the ongoing development of threat intelligence based on increased visibility and information sharing is critical to developing indicators used to detect such activity at the network level.
For advance detection techniques based upon Protocol-aware detection, HTTP headers, Compressed archives, Timing and size you can read complete paper available here.