How to Detect APT Activity with Network Traffic Analysis
Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. Though there are a variety of tools available to attackers, they tend to prefer specific ones.
While they can routinely create new malware executables with automated builders and embed them in documents designed to exploit vulnerabilities in popular office software, the traffic generated by the malware when communicating with a C&C server tends to remain consistent.
This is significant because targeted attacks are rarely a “singular set of events,” but are in fact part of ongoing campaigns. They are consistent espionage campaigns—a series of failed and successful attempts to compromise a target over time—that aim to establish a persistent and covert presence in a target network so that information can be extracted when needed.
A significant portion of these ongoing campaigns can be consistently detected with the aid of network indicators. While detecting this kind of traffic requires prior knowledge or threat intelligence, network detection can effectively defend against known threats.
Network traffic can also be correlated with other indicators in order to provide proactive detection. In addition, proactive detection of unknown threats can be further extended by extrapolating methods and characteristics from known threat communication behaviors to derive more generic and aggressive indicators.
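As an added illustration of the two detection modes described above (exact matching of known network indicators versus a more generic indicator derived from a known sample's communication characteristics), the following example is not from the report or from Trend Micro; the hostnames, URIs and log lines are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines (format: client method host uri user-agent).
# Hostnames and paths are placeholders, not indicators taken from the report.
SAMPLE_LOG = [
    "10.0.0.5 GET update.known-cc.test /dl/u?id=4f2a Mozilla/4.0 (compatible; MSIE 6.0)",
    "10.0.0.7 GET cdn.new-host.test /dl/u?id=9b31 Mozilla/4.0 (compatible; MSIE 6.0)",
    "10.0.0.9 GET www.vendor-site.test /updates/list.xml Mozilla/5.0 (Windows NT 10.0)",
]


@dataclass
class Request:
    client: str
    method: str
    host: str
    uri: str
    user_agent: str


def parse_line(line: str) -> Request:
    # The user agent may contain spaces, so split on at most four separators.
    client, method, host, uri, user_agent = line.split(" ", 4)
    return Request(client, method, host, uri, user_agent)


# Known indicator from prior intelligence: an exact host plus its URI prefix.
KNOWN_HOSTS = {"update.known-cc.test"}
KNOWN_URI_PREFIX = "/dl/u?id="


def match_known(req: Request) -> bool:
    return req.host in KNOWN_HOSTS and req.uri.startswith(KNOWN_URI_PREFIX)


# Generic indicator extrapolated from the known sample's characteristics:
# the same beacon URI structure (a 4-hex-digit id) combined with an outdated
# MSIE 6.0 user agent, regardless of which host is contacted.
GENERIC_URI = re.compile(r"^/dl/u\?id=[0-9a-f]{4}$")
LEGACY_UA = "MSIE 6.0"


def match_generic(req: Request) -> bool:
    return bool(GENERIC_URI.match(req.uri)) and LEGACY_UA in req.user_agent


def scan(lines, matcher):
    """Return (client, host) pairs for every request the matcher flags."""
    return [(r.client, r.host) for r in map(parse_line, lines) if matcher(r)]
```

The exact indicator flags only the already-known host, while the generic indicator also surfaces the second host using the same beacon structure and leaves the benign update request alone.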
Today, Trend Micro releases the paper “Detecting APT Activity with Network Traffic Analysis,” which discusses techniques that can be used to identify malware command-and-control (C&C) communications related to targeted attacks. It illustrates how even the most high-profile and successful attacks of the past few years could have been discovered.
The report discusses the delicate balance between revealing enough information about APT campaigns to alert the public and allow defenders to take corrective action, and preventing threat actors from learning what is known about their operations, which would give them an opportunity to adjust their tactics. The report also discusses how attackers have adapted so far, as well as new threats that pose challenges to network traffic analysis.
Finally, the report expounds on how Trend Micro™ Deep Discovery utilizes the techniques described in this report to detect malware and attacker activities.