July 12, 2012

Combating Advanced Persistent Threats with NetFlow

Does your company have a strategy for detecting and combating Advanced Persistent Threats? Victims of APTs include Adobe, Google, Lockheed Martin, Sony, RSA and several others. Let's start by making sure we answer the question: what is an Advanced Persistent Threat?

Breaking down the APT acronym we find:

  • Advanced: the adversary is conversant with computer intrusion tools and techniques and is capable of developing custom exploits.
  • Persistent: the adversary intends to accomplish a mission. They receive directives and work towards specific goals.
  • Threat: the adversary is organized, funded and motivated.

Understand that combating APTs means constantly watching for a low-and-slow, zero-day attack. This type of malware often evades existing security controls such as antivirus, IDS and firewall appliances. It frequently uses a secure connection such as TCP port 443 and encrypts all communications, which makes it difficult to detect with signature-based security systems.

“I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know,” Dmitri Alperovitch, former VP of Threat Research at McAfee.

A strategy of “layered defensive tactics can prevent security breaches” from many forms of APTs. By layered we mean that different types of malware are detected in different ways. For example, by leveraging NetFlow from existing routers, switches and virtual servers, the hosts seen communicating on the network can be compared against constantly updated host reputation lists. Hosts found to be communicating with Internet machines known to participate in C&C, APT activity or other nefarious behavior can trigger events that lead to alarms. With the right NetFlow solution, the security team gains in-depth visibility that empowers administrators to investigate and take action against these low-and-slow attacks, which often evade antivirus, firewall and IDS deployments.
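The reputation-matching step described above, shown as an added example (not code from the original post or from Plixer's products): a handful of constructed flow records in a CSV export are parsed, each destination is checked against a constructed reputation list of hosts and networks (documentation address ranges, not a real feed), and hits are aggregated per internal host so that repeated contact with listed infrastructure raises an alarm. The threshold, field names and sample data are all assumptions for illustration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed reputation data using documentation address ranges (RFC 5737);
# it stands in for a threat-intelligence feed that would be refreshed regularly.
BAD_HOSTS = {ip_address("198.51.100.9"): "known C&C host"}
BAD_NETWORKS = [(ip_network("203.0.113.0/24"), "APT-associated hosting range")]

# Constructed flow export (ts, src, dst, dport, proto, bytes), one flow per line.
# Host 10.0.1.25 makes small, periodic TCP/443 sessions to a listed network: the
# "low and slow" pattern that a signature-based IDS would not see inside TLS.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
1342100000,10.0.1.25,203.0.113.17,443,tcp,612
1342100300,10.0.1.25,203.0.113.17,443,tcp,598
1342100600,10.0.1.25,203.0.113.17,443,tcp,640
1342100050,10.0.1.40,198.51.100.9,80,tcp,20480
1342100100,10.0.1.25,192.0.2.5,443,tcp,15000
1342100200,10.0.1.77,192.0.2.8,53,udp,120
"""


def parse_flows(text):
    """Parse the CSV flow export into a list of dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": int(row["ts"]),
            "src": ip_address(row["src"]),
            "dst": ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
        })
    return flows


def reputation_of(addr):
    """Return the listed reason for addr, or None when it is not on any list."""
    if addr in BAD_HOSTS:
        return BAD_HOSTS[addr]
    for net, reason in BAD_NETWORKS:
        if addr in net:
            return reason
    return None


def match_flows(flows):
    """Return (flow, reason) pairs for flows whose destination is listed."""
    matches = []
    for f in flows:
        reason = reputation_of(f["dst"])
        if reason is not None:
            matches.append((f, reason))
    return matches


def build_alarms(matches, threshold=3):
    """Aggregate hits per internal source host and flag hosts at or above threshold.

    threshold is an assumed tuning knob; a real deployment would pick it from
    observed baselines and the trustworthiness of the feed.
    """
    per_host = defaultdict(lambda: {"hits": 0, "dsts": set(), "ports": set(), "bytes": 0})
    for f, reason in matches:
        entry = per_host[str(f["src"])]
        entry["hits"] += 1
        entry["dsts"].add((str(f["dst"]), reason))
        entry["ports"].add(f["dport"])
        entry["bytes"] += f["bytes"]
    for entry in per_host.values():
        entry["alarm"] = entry["hits"] >= threshold
    return dict(per_host)


if __name__ == "__main__":
    alarms = build_alarms(match_flows(parse_flows(SAMPLE_FLOWS)))
    for host, e in sorted(alarms.items()):
        state = "ALARM" if e["alarm"] else "event"
        print(f"{state}: {host} hits={e['hits']} ports={sorted(e['ports'])} dsts={sorted(e['dsts'])}")
```

Running the block prints one ALARM for 10.0.1.25 (three 443 sessions into the listed range) and a single event for 10.0.1.40; the DNS and 192.0.2.x flows produce nothing. The per-host record keeps the destinations, ports and byte totals so an analyst has the context needed to pivot from the alarm into the full flow history of that host.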

Leveraging flow data from your existing infrastructure gives IT administrators in-depth, comprehensive network visibility, making it easier to investigate and mitigate anomalous behaviors that could signify APTs or other types of attacks, regardless of whether the attack was launched externally or internally.

Educate yourself on how Enterasys and flow analysis can:

  • Sniff out advanced attacks
  • Provide forensic evidence
  • Map out end-to-end situational awareness

Download the white paper titled Fighting Advanced Persistent Threats and learn how NetFlow-capable switches and routers can be used to detect and remove APTs from the network. And just as importantly, find out how to set up an Incident Response Guide that can help you deal with an APT should your company need to take action.

About The Contributor:
Mike Patterson, CEO, Plixer

As one of the founders of the company, Michael has been involved in the development of Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics at Plixer. He enjoys writing and blogging about all things NetFlow, IPFIX and sFlow related.
