Detecting APT Activity with Network Traffic Analysis

Targeted attacks, or what have come to be known as "advanced persistent threats (APTs)," are extremely successful. However, instead of focusing on the attack methods and their effects in order to improve network defenses, many seem more concerned with debating whether these attacks are "advanced" from a technical perspective. On one hand, some believe that the threat actors behind these campaigns have near-mythical capabilities, both in operational security and in the exploits and malware tools they use. In fact, they do not always use zero-day exploits and often rely on older exploits and simple malware. On the other hand, some dismiss the threat as pure hype conjured up by marketing departments, even though they cannot explain why high-value targets worldwide suffer repeated, successful, and long-term compromises.

While initial reports tended to treat the cyber-espionage networks they uncovered as a single "attack" or a singular set of events, it is becoming increasingly clear that most targeted attacks are part of ongoing campaigns. They are sustained espionage campaigns, a series of failed and successful attempts to compromise a target over time, that aim to establish a persistent, covert presence in the target network so that information can be extracted as needed.

Careful monitoring and investigation can help security researchers learn from the mistakes attackers make, giving us a glimpse into malicious operations. In fact, campaigns can be tracked over time by relying on a combination of technical indicators (such as malware, command-and-control infrastructure, and network traffic patterns) and contextual indicators (such as targeting and timing). This paper focuses on using this threat intelligence to detect APT activity through network traffic analysis.
