Advanced Persistent Threats – Considerations for Military Network Security

1 Aug

Advanced Persistent Threats
In today’s world, cyber-attacks are commonplace in targeting the military capabilities and infrastructure of nation states. Perpetrators of Advance Persistent Threats (APT) use unexpected, highly targeted and diverse attack vectors to intercept manipulate and degrade digital communications.

APTs are sophisticated, not just in terms of the technology and techniques utilised, but also in the on-going, focused and determined nature of the human teams controlling the attack. APT attack vectors are easy to alter and dynamic, making them difficult to detect. Their command and control (C&C) methodologies are more consistent, however, they are more difficult to change. Therefore C&C traffic can be an effective identification point of APTs.

Sustained APT threats are challenging to manage, because of high volumes of network data ease the hiding malicious content and the scale of potential damage. Perpetrators can range from single rogue operatives to the determined and targeted actions of a nation state. These perpetrators are seeking to gather intelligence, create misdirection, and sabotage assets and information, in order to achieve their military, economic and political objectives.

Digital Communication Susceptibility
The APT perpetrator’s advantage when attacking a military’s digital infrastructure and assets lies within their cyber anonymity and repetitious cycle of penetrative attempts. Further compounding the impact and scale of these relentless threats are the financial resource, expertise, time and motivation of the perpetrators. They ceaselessly evolve and hone their attacks until a breach is accomplished and a digital beachhead is gained.

Historically, the primary threat from cyber was from individuals who scanned networks for susceptible systems. Now, however, threats come from highly focused teams with set objectives and the requisite resources to achieve their goals.

This targeted approach to nation state and corporate assets is especially difficult to combat, due to the complexity and spread of IT systems. Not taking into account malicious individuals, the resource available to foreign powers and organised crime allows for significant focused, intelligence gathering and strategy building, over a prolonged period of time. Reliance on perimeter defence techniques alone to build a digital infrastructure bastion is not effective; as such, there is significant likelihood that security will be breached by APTs at some point.

Diverse Attack Vectors
A plethora of mechanisms are available to an entity focused on gaining access and control into your systems, and it’s unlikely to be a direct frontal assault. In many cases it’s easier to look for entry via “soft target,” such as military staff. For example, it might be easier to break into a civilian school network attended by a soldier’s child, in order to send a genuine looking email with embedded malware. It is then innocently and physically transported on a device inside a trusted zone, by the service personnel, where it then attempts nefarious activity.Assume You’re Compromised
When you are attacked repeatedly by an anonymous adversary, who evolves their attack mechanism after each attack, it is likely they are going to be successful, at some point. As security breaches by APTs are likely and may have already happened, systems and processes need to be in place to identify and then understand the extent of any breach. This is necessary, in order to mitigate any fallout, go after whoever did it, and remediate any security gaps discovered.

Managing the Risks of Compromise
When trying to identify, defend and protect against APTs, Security Analyst’s professional experience, knowledge and skills all play a powerful role in shaping effective security intervention decisions. Without a robust understanding of context, actual network traffic and content, they are left relying on making informed guesses, which may or may not prove to be correct. When APT security issues occur, network security analysts are instantly under pressure from their organisation to explain and resolve the problems swiftly.

So, how fast can you react to a suspected APT security anomaly, as it traverses your network? And even more importantly, are you giving yourself the best chance of success when you act by ensuring that your actions are informed, appropriate and effective?

Analysts’ Capabilities
First, let’s consider the human requirements needed from the security analyst. Those responding to events need the skills to use the tools that are in place in order to come up with accurate and speedy interpretations of the data. They must have an understanding of the network topology and experience of background events of that network, in order to provide a solid baseline from which to work.

Thorough testing and documentation of the way in which applications use a network is ideally with a transaction-by-transaction understanding of how an application works across the production network. For those with the resources, these baselines are often generated from live monitoring of a reference or staging network. For situations where such an approach is not practical, live data from the production network is the next best thing (although, recognise that it is a less predictable environment).

Armed with such real-time statistical analysis of the nature of connections on any given network link variations from the norm are now easier to spot. Automated monitoring tools can help identify changes from the norm. The final piece of the human puzzle is to ensure that analysts have effective workflow and processes in place for the security issue management and response. This becomes an important step to reduce human latency and miscommunication between security team members, during collaboration and task hand overs.

Deriving APT Insight from your Network History
Captured network packet data is the definitive network history of all network communications and provides irrefutable evidence of what has occurred. The examination of network traffic before, during, and after an event of interest can provide you the clarity to gain an absolute understanding of what has just happened, enabling analysts to make a truly informed intervention and increase their likelihood of an effective outcome. Depending on the size of the network segment to be monitored and the available resources; approaches to capture, index, search and recall captured traffic can vary in cost and complexity. This can range from simple open source software installed on a PC and deployed on an ad-hoc basis, to high performance, dedicated high fidelity Intelligent Network Recording (INR) fabrics distributed across the network and capable of operating at sustained link bandwidths up to 100 Gb Ethernet per second.

But human capabilities and solid data alone will not provide the understanding and insight required for an informed response. To be able to decode packets and gain actionable insight, analysis tools are also needed. Some analysis and alerting tools operate autonomously and are invaluable for automation of certain processes, but are limited to a single way of interpreting data, often relying on signatures and profiling, which cannot reasonably be expected to capture all security threats. At the same time, they may alert with false positives against non security related events and traffic. They do, however, play an important role in the overall security posture of organisations and provide broad coverage for the more voluminous and “easy to understand” threats. When considering APT, however, by their very nature, they are tailored, often unique threats, and automated analysis alone cannot be completely effective. Therefore, there is also a need for post-event tools to enable security analysts to manipulate through iterative interpretation of captured packet data, allowing more confident decision-making.

Automated detection, alerting and defence against APT threat, through the deployment of dedicated in-line APT security appliances has had a constructive role to play in an effective security posture, where there are numerous choices available commercially. However, it is dangerous to be lulled into a false sense of security, when faced with such insidious and dynamic threats. Reliance alone on automated analysis and response can leave organisations vulnerable. APT security appliances in isolation are not enough.

By having the network history evidence of exactly what has traversed your network, the where and when, right down to the make-up of each and every single packet, will be available for you. This enables you to identify and understand APT’s command and control traffic and behaviour, along with having the data to forensically analyse any data exfiltration. Only then can you have a truly pervasive and entirely accurate picture of what’s occurring.

Network packet capture enables you to derive actionable insight and certainty of what’s occurring by using network packet inspection and visualisation techniques. When hunting down APTs, the peace of mind of knowing exactly what you’re dealing with will be invaluable.