You are concerned with stealthy threat actors, which can be nation-states or state-sponsored groups, that gain unauthorized access to organizational networks and remain undetected for an extended period to conduct large-scale targeted intrusions for specific goals. Which of the following is the best way to discover and hunt this type of attack?
A. Have security analysts conduct analysis with data from various sources
B. Create microsegments and establish a software-defined perimeter
C. Implement an anomaly-based intrusion prevention system
D. Install a hardened padded cell with anonymized data to observe attackers
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Have security analysts conduct analysis with data from various sources.
Advanced Persistent Threat (APT)
Even though there is no consistent definition, this question describes the advanced persistent threat (APT) in a generally accepted way: a threat initiated by stealthy threat actors, which can be nation-states or state-sponsored groups, that gain unauthorized access to organizational networks and remain undetected for an extended period to conduct large-scale targeted intrusions for specific goals.
Because of its "advanced" and "persistent" nature, an APT may have bypassed the real-time monitoring and detection mechanisms in place and kept lurking inside an organization. APT discovery and hunting is therefore a proactive and iterative process of discovering, investigating, and identifying malicious activities that the existing controls have missed.
The following are major adversarial APT groups from Wikipedia:
- PLA Unit 61398 (also known as APT1)
- PLA Unit 61486 (also known as APT2)
- Buckeye (also known as APT3)
- Red Apollo (also known as APT10)
- Numbered Panda (also known as APT12)
- Codoso Team (also known as APT19)
- Wocao (also known as APT20)
- PLA Unit 78020 (also known as APT30 and Naikon)
- Zirconium (also known as APT31)
- Periscope Group (also known as APT40)
- Double Dragon (also known as APT41, Winnti Group, Barium, or Axiom)
- Tropic Trooper
The following are some instances of notable APT attacks summarized by Simon Heron:
- Titan Rain (2003)
- Sykipot Attacks (2006)
- GhostNet (2009)
- Stuxnet Worm (2010)
- Deep Panda (2015)
In MITRE's paper TTP-Based Hunting, "hunting" is defined as the proactive detection and investigation of malicious activity within a network. Similarly, a "hunt team" is a group of individuals dedicated to performing a hunt on a given network.
A SIEM server collects data from various sources and provides rich value-added functions, such as normalization, correlation, and enrichment. It is a prominent tool for security analysts, but the hunt itself is driven by analysts who form a hypothesis and pivot across those sources to confirm or refute it.
Security Analyst for APT Discovery and Hunt is an in-demand job position. The following is a sample job description:
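The following is an added example, not part of the original post and not the logic of any SIEM or EDR product, showing what "analysis with data from various sources" looks like in practice: a hypothesis-driven hunt in Python that correlates three constructed log sources, a web proxy log, EDR network-connection events, and domain logon records modelled on Windows event 4624. The host names, destinations, user names and process paths are all made up for the example.

```python
"""Hypothesis-driven hunt across three constructed log sources.

Hypothesis: an implant beacons to its command-and-control server at a fixed
interval and the compromised host is then used as a pivot. Each source alone
looks benign: the proxy sees ordinary-looking web requests, the EDR sees a
signed Windows binary, the domain controller sees routine network logons.
Correlating the three turns them into a finding. All log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: time, source host, destination, bytes sent.
PROXY_LOG = """
2020-06-01T09:00:00 ws-017 cdn.example.net 1204
2020-06-01T09:00:05 ws-017 updates.example.com 3320
2020-06-01T09:10:00 ws-017 cdn.example.net 1198
2020-06-01T09:20:00 ws-017 cdn.example.net 1210
2020-06-01T09:30:00 ws-017 cdn.example.net 1201
2020-06-01T09:40:00 ws-017 cdn.example.net 1207
2020-06-01T09:03:12 ws-042 news.example.org 51000
2020-06-01T09:27:45 ws-042 news.example.org 48211
2020-06-01T09:31:03 ws-042 news.example.org 2000
2020-06-01T10:14:40 ws-042 news.example.org 47000
"""

# Constructed EDR network-connection events: host, pid, destination, image path.
EDR_NET_LOG = r"""
ws-017 2210 updates.example.com C:\Program Files\Browser\browser.exe
ws-017 4412 cdn.example.net C:\Windows\System32\rundll32.exe
ws-042 3300 news.example.org C:\Program Files\Browser\browser.exe
"""

# Constructed logon records (modelled on Windows event 4624):
# time, target host, user, logon type (2 = interactive, 3 = network), source host.
AUTH_LOG = """
2020-06-01T08:55:00 ws-017 jdoe 2 ws-017
2020-06-01T09:05:00 ws-042 asmith 2 ws-042
2020-06-01T09:41:10 srv-fs01 jdoe 3 ws-017
2020-06-01T09:42:30 srv-db02 jdoe 3 ws-017
"""


def parse(log, fields):
    """Split a whitespace-delimited log into dicts; the last field may contain spaces."""
    rows = []
    for line in log.strip().splitlines():
        rows.append(dict(zip(fields, line.split(maxsplit=len(fields) - 1))))
    return rows


def find_beacons(proxy_rows, min_conns=4, max_cv=0.1):
    """Flag (host, dst) pairs whose connection intervals are nearly constant.

    A coefficient of variation (stdev / mean) close to zero is machine-like
    timing; human browsing to the same site is far more irregular.
    """
    times = defaultdict(list)
    for r in proxy_rows:
        times[(r["host"], r["dst"])].append(datetime.fromisoformat(r["time"]))
    beacons = []
    for (host, dst), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            beacons.append((host, dst, round(mean(gaps)), round(cv, 3)))
    return beacons


def hunt():
    """Run the hypothesis and pivot from the proxy into EDR and logon data."""
    proxy = parse(PROXY_LOG, ["time", "host", "dst", "bytes"])
    edr = parse(EDR_NET_LOG, ["host", "pid", "dst", "image"])
    auth = parse(AUTH_LOG, ["time", "target", "user", "logon_type", "source"])
    findings = []
    for host, dst, period, cv in find_beacons(proxy):
        # Pivot 1: which process on that host opened the connections?
        procs = sorted({r["image"] for r in edr
                        if r["host"] == host and r["dst"] == dst})
        # Pivot 2: did the host then log on to other machines over the network?
        lateral = sorted({r["target"] for r in auth
                          if r["source"] == host and r["logon_type"] == "3"
                          and r["target"] != host})
        findings.append({"host": host, "dst": dst, "period_s": period, "cv": cv,
                         "processes": procs, "lateral_targets": lateral})
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

None of the three sources would have raised an alert on its own: the proxy traffic is low-volume HTTPS to a CDN-looking name, rundll32.exe is a signed Microsoft binary, and network logons by a valid user are everyday noise. The finding only exists because an analyst pivoted from one source into the next, which is the point of answer A.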
- As an APT Discovery and Hunt Cyber Security Analyst, you will perform research on Advanced Persistent Threats (APT) using open and classified sources.
- You will apply intelligence learned from their attacks and use that information to discover possible undiscovered incidents through the creation of new signatures and providing search indicators to network operators.
Other responsibilities include:
- Using the totality of Information Technology Tools and Data available along with detailed knowledge of the CIA’s information systems and defenses to proactively hunt for Advanced Persistent Threat activity which is not detectable using traditional methods and indicators.
- Perform Tier 3 Analysis
- Develop and utilize “Case Management” process for incident and resolution tracking. The process should also be used for historic recording of all anomalous or suspicious activity. Currently, processes in place now use the JIRA tool.
- Work collaboratively with other Cyber Security Analysts and Cyber Forensics Engineers to perform incident response and analysis.
- Coordinate with appropriate organizations regarding possible security incidents. Conduct intra-office research to evaluate events as necessary, maintain the current list of coordination points of contact.
- Investigate virus/malware alerts/incidents to determine root cause, entry point of code, damage risk, and report this information as deemed necessary by CIRT Management and the COTR.
- Track, on a daily basis, intelligence (both open and classified sources) concerning cyber threats and assist in preparation of a daily report to senior management on the current status of a threat and our ability to counteract that threat.
- Generate, track, and report monthly statistics on virus activity on enterprise networks.
- Investigation and analysis of all data sources, to include Internet, Intelligence Community reporting, security events, firewall logs, forensic analysis, and other data sources to identify malware, misuse, unauthorized activity or other INFOSEC related concerns.
- A bachelor’s degree in computer engineering, computer science, or other closely related IT discipline. If the candidate meets all of the qualifications, skills and experience for this labor category, but lacks a bachelor’s degree, then a minimum of eight (8) years’ of relevant work experience may be substituted for a bachelor’s degree.
- Experience with host-based and network-based APT tools like Carbon Black, Splunk, Mandiant MIR, or Tanium.
- Minimum of three years' of progressively responsible experience in cyber security analysis, incident response, or related experience.
- DoD 8570 IAT Level I or higher certification.
- Strong analytical and problem-solving skills (i.e., the ability to problem solve, ask questions, and discover why things are happening).
- Top Secret/SCI w/Poly desired.
- Experience with Hewlett-Packard's ArcSight SIEM.
- Experience with Splunk.
- Experience with an industry leading Endpoint Detection and Response Tools such as but not limited to Carbon Black, EnCase Cybersecurity, or Tanium.
- Experience with Intrusion Prevention Systems such as McAfee Network Security Manager, Sourcefire SNORT, or Palo Alto Wildfire.
- Experience with a Case Management Tool such as JIRA or ServiceNow.
- In the 2017 Threat Hunting Survey, the SysAdmin, Audit, Network, and Security (SANS) Institute (Lee & Lee, 2017) defines threat hunting as, “a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks.”
- Sqrrl (2016) defines threat hunting as, “… the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.”
- Endgame defines hunting as, “the process of proactively looking for signs of malicious activity within enterprise networks without prior knowledge of those signs, then ensuring that the malicious activity is removed from your systems and networks.” (Scarfone, 2016, p. 1).
- For this paper, “hunting” is defined as the proactive detection and investigation of malicious activity within a network. Similarly, a “hunt team” is a group of individuals dedicated to performing a hunt on a given network.
Source: MITRE TTP Based Hunting
Creating microsegments and establishing a software-defined perimeter is an important Zero Trust practice: it limits lateral movement and contains the consequences of a compromise. It does not directly contribute to proactive APT discovery and hunting. However, Zero Trust also emphasizes visibility through observing and logging network traffic, and those logs are one of the data sources that help monitor and detect an APT.
An anomaly-based intrusion prevention system alone is not effective against an APT; it is one countermeasure that must work together with others to be effective enough. For example, researchers at the University of South Wales demonstrated in Effectiveness of blocking evasions in Intrusion Prevention Systems (2013) that intrusion prevention systems do a poor job of detecting attacks that use advanced evasion techniques. An IPS is also an automated, real-time control: once an intrusion has slipped past it, the IPS will not go back and find it, and that gap is what hunting fills.
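As an added illustration, not from the original post, not from the 2013 paper, and not any vendor's engine, the toy Python IPS below shows why per-segment, byte-exact signature matching is evadable and what it takes to harden it: reassemble the stream, then canonicalize percent-encoding, case, path separators and inline comments before matching. The signatures, request fragments and evasion cases are all constructed for the example.

```python
"""A toy IPS: naive per-segment signature matching versus a hardened inspector.

Constructed example. The evasions shown (a signature split across two TCP
segments, double percent-encoding, case and path-separator games, SQL inline
comments) are classic application-layer evasion techniques; the signatures
are made up and far simpler than a real rule set.
"""
import re
from urllib.parse import unquote

# Constructed byte signatures that a naive IPS matches literally.
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"union select"]


def naive_match(segment: bytes) -> bool:
    """Byte-exact matching on one segment, with no reassembly or decoding."""
    return any(sig in segment for sig in SIGNATURES)


def normalize(data: bytes) -> bytes:
    """Canonicalize the many ways an attacker can spell the same request."""
    text = data.decode("latin-1")
    prev = None
    while prev != text:                      # undo repeated percent-encoding
        prev, text = text, unquote(text)
    text = text.lower()                      # targets are case-insensitive
    text = re.sub(r"/\*.*?\*/", " ", text)   # SQL inline comments act as whitespace
    text = re.sub(r"\s+", " ", text)         # collapse runs of whitespace
    text = re.sub(r"/+", "/", text)          # "//"  -> "/"
    text = re.sub(r"(/\.)+/", "/", text)     # "/./" -> "/"
    return text.encode("latin-1", "replace")


def naive_ips(segments) -> bool:
    """Inspect each segment on its own, as the weakest IPS would."""
    return any(naive_match(s) for s in segments)


def hardened_ips(segments) -> bool:
    """Reassemble the stream first, then match on its normalized form."""
    stream = b"".join(segments)
    return naive_match(normalize(stream))


# Constructed requests, each given as the list of TCP segments the IPS sees.
CASES = {
    "plain": [b"GET /etc/passwd HTTP/1.0"],
    "benign": [b"GET /index.html HTTP/1.0"],
    "fragmented": [b"GET /etc/pa", b"sswd HTTP/1.0"],
    "double_encoded": [b"GET /%2565tc/passwd HTTP/1.0"],
    "mixed_case_and_dots": [b"GET /ETC//./PaSsWd HTTP/1.0"],
    "sql_comment": [b"GET /q?id=1%20UNION/**/SELECT%201 HTTP/1.0"],
}


def evaluate():
    """Return {case: (naive verdict, hardened verdict)} for every constructed case."""
    return {name: (naive_ips(segs), hardened_ips(segs)) for name, segs in CASES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name:22s} naive={naive!s:5s} hardened={hardened}")
```

Even the hardened version only covers the application layer. Evasions that exploit how the target's TCP/IP stack handles overlapping segments or low-TTL packets require the IPS to model the endpoint's reassembly behaviour, which is one reason products do a poor job against advanced evasion techniques, and why an IPS is a layer of defense rather than a substitute for analyst-driven hunting.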
Padded Cell and Honeypot
A honeypot is an enticement to attackers. If it is implemented improperly, for example by inducing someone to commit an offense they would not otherwise have committed, it can raise the controversial legal issue of entrapment. A padded cell is a hardened honeypot: when an IDS detects an attacker, the attacker is transferred into the padded cell, a protected simulated environment in which no harm can be done.
Both padded cells and honeypots are passive controls that wait for attackers to come to them. They may monitor, detect, observe, delay, or even prevent an attack, but an APT actor who is already inside the network can avoid or see through them. Moreover, they do not proactively discover and hunt APTs.
In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site and seems to contain information or a resource of value to attackers, but is actually isolated and monitored, which enables blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect.
- Threat Hunting
- Five notable examples of advanced persistent threat (APT) attacks
- Advanced persistent threat
- What is Advanced Threat Protection (ATP)?
- Advanced Persistent Threats: Learn the ABCs of APTs – Part A
- Cyber Security Analyst – APT Discovery and Hunt
- MITRE ATT&CK Groups
- Advanced Persistent Threat (APT) Protection - Market Quadrant 2020
- The role of the enterprise intrusion prevention system in APT defense
- Double Dragon APT41, a dual espionage and cyber crime operation
- Honeypot (computing)
- What is an Intrusion Prevention System – IPS
- What is an Advanced Persistent Threat (APT)?
- Advanced Persistent Threat (APT) Attack and Zero-Day Protection
- Effectiveness of blocking evasions in Intrusion Prevention Systems (2013)
- Honey Pots, Honey Nets, and Padded Cell Systems
- IPS needs to become more aware of advanced evasion techniques
- Introduction to Threat Hunting
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.