Posted on by & filed under Content - Highlights and Reviews, Information Technology.

The news these days is awash in articles about major companies and government organizations suffering from major data breaches, yet never before have we had such sophisticated antivirus, antimalware, and firewall software available to us. Companies and government organizations are increasing their investment in IT security, yet they still seem vulnerable to malicious attackers, especially attackers intent on long-term data theft and cyber-espionage, a class of adversary commonly referred to as an Advanced Persistent Threat (APT).

There are many reasons for the security issues that plague various organizations. One major reason is that APT attackers have changed their tactics from relying on specialized techniques and custom malware to making greater use of social engineering, phishing attacks, and well-known security flaws to gain access to a target's systems. Even more troubling, APT attackers seem to be focusing on small companies, nonprofits, non-governmental organizations, and small departments within governmental organizations to take advantage of their generally weaker security. Once inside these organizations, the attackers attempt to reach government or more sensitive networks by exploiting the trust relationships and connections between organizations, or simply by sending phishing emails from what is now a trusted source. APT attackers then often maintain access to their target's systems over long periods of time by turning the target's own operating system tools against it. Given these threats, companies and organizations still need common antivirus tools, but they also need to invest in Intrusion Detection Systems (IDS) and network analysis tools to detect intrusion attempts and successful intrusions.

It is important for organizations to deploy IDS and network analysis tools because APT attackers are relying less and less on malware to maintain access and control of a target's computers and IT infrastructure. Instead, many APT attacks initially penetrate a single machine in the target's network via common phishing or drive-by malware attacks. Next, the attacker extends control over the target's infrastructure with scripts, such as Windows .bat files or bash scripts. These scripts use tools already present on the compromised computer's operating system or elsewhere in the host's infrastructure, so there is no new binary for antivirus to flag.

For example, at Department 13 we have seen attackers gain access to a target's computer, obtain administrative privileges, and then create a .bat file that drives legitimate software, such as a Jabber/XMPP client, to exfiltrate data via Google Talk (Gtalk). Since the attacker's "malware" is simply a Windows .bat file running with appropriate privileges on the operating system, few antivirus applications will detect it. Furthermore, since it transmits the data it has collected to a public chat service over HTTPS on TCP port 443, which is open outbound on most corporate firewalls, signature-based antivirus software and firewalls will detect neither the threat nor the data exfiltration. What's worse is that most companies and organizations don't run a correctly managed and configured intrusion detection system, such as Snort, the open source de facto standard, which might be able to detect the anomalous network or system activity (see Figure 1). Indeed, some organizations have had data breaches that persisted for years. In many cases, including some past customers of Department 13, the only way they learned they had been penetrated was when the Federal Bureau of Investigation informed them of the fact. Yet even after breaches, many organizations respond by hardening their access policies and investing in more perimeter defense systems, instead of investing in more active monitoring and the policies to support it.

Figure 1:  Example of a threat detected in Snort and visualized with the tool Snorby.
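The exfiltration channel described above is hard to spot by signature because the payload is encrypted and the port is one every firewall allows. What a sensor can still see is metadata: whether the first bytes on port 443 are really a TLS handshake, and if so, which server name (SNI) the client asks for and which internal host is asking. The script below, an added example for this article and not Department 13's code or a Snort component, makes those two checks over a handful of constructed flows. The `build_client_hello` helper exists only to construct realistic sample input, and the chat-service suffix list and the `SERVER_HOSTS` set are an invented local policy.

```python
"""Triage outbound connections to TCP 443 without decrypting anything.

Added example for this article (not Department 13's code, not a Snort rule).
Check 1: is the first client payload a TLS ClientHello, or plaintext hiding
on the HTTPS port?  Check 2: if it is TLS, which server name (SNI) does it
ask for, and should this host be talking to it?  Policy and flows are made up.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client->server payload bytes of the flow

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello; only used to construct samples."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"       # one cipher suite, null compression
    exts = b""
    if server_name:
        name = server_name.encode()
        sni_list = b"\x00" + len(name).to_bytes(2, "big") + name   # host_name entry
        sni = len(sni_list).to_bytes(2, "big") + sni_list
        exts += b"\x00\x00" + len(sni).to_bytes(2, "big") + sni    # extension type 0 = server_name
    body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs       # record type 0x16 = handshake

def tls_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello, '' if it carries no SNI,
    or None if the payload does not start with a TLS ClientHello at all."""
    if len(payload) < 47 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return None
    p = payload[9:9 + int.from_bytes(payload[6:9], "big")]   # handshake body
    try:
        i = 2 + 32                                    # skip client_version + random
        i += 1 + p[i]                                 # session_id
        i += 2 + int.from_bytes(p[i:i + 2], "big")    # cipher_suites
        i += 1 + p[i]                                 # compression_methods
        if i >= len(p):
            return ""                                 # no extensions block at all
        ext_end = i + 2 + int.from_bytes(p[i:i + 2], "big")
        i += 2
        while i + 4 <= ext_end:
            etype = int.from_bytes(p[i:i + 2], "big")
            elen = int.from_bytes(p[i + 2:i + 4], "big")
            data = p[i + 4:i + 4 + elen]
            if etype == 0 and len(data) >= 5 and data[2] == 0:    # server_name, host_name type
                nlen = int.from_bytes(data[3:5], "big")
                return data[5:5 + nlen].decode("ascii", "replace")
            i += 4 + elen
    except IndexError:
        return None                                   # truncated or malformed hello
    return ""

# Constructed policy: chat/IM endpoints we never expect from this network,
# and hosts (servers) that should not open outbound TLS sessions at all.
CHAT_SNI_SUFFIXES = ("talk.google.com", "xmpp.l.google.com", ".jabber.org")
SERVER_HOSTS = {"10.0.0.20"}

def inspect_flow(flow: Flow) -> Optional[str]:
    """Return an alert string for a port-443 flow that breaks policy, else None."""
    if flow.dport != 443:
        return None
    sni = tls_sni(flow.first_bytes)
    if sni is None:
        return f"{flow.src} -> {flow.dst}:443 is not TLS (plaintext on the HTTPS port)"
    if sni.endswith(CHAT_SNI_SUFFIXES):
        return f"{flow.src} -> {flow.dst}:443 is TLS to chat service {sni}"
    if flow.src in SERVER_HOSTS:
        return f"server {flow.src} opened outbound TLS to {sni or flow.dst}"
    return None

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "93.184.216.34", 443, build_client_hello("www.example.com")),     # normal browsing
    Flow("10.0.0.7", "173.194.0.1", 443, build_client_hello("talk.google.com")),       # XMPP client wrapped in TLS on 443
    Flow("10.0.0.20", "203.0.113.9", 443, build_client_hello("updates.example.net")),  # file server phoning out
    Flow("10.0.0.9", "198.51.100.4", 443, b"<?xml version='1.0'?><stream:stream to='gmail.com'>"),  # plaintext XMPP
    Flow("10.0.0.5", "173.194.0.1", 5222, build_client_hello("talk.google.com")),      # not port 443, out of scope here
]

def alerts(flows=SAMPLE_FLOWS):
    return [a for a in (inspect_flow(f) for f in flows) if a]

if __name__ == "__main__":
    for line in alerts():
        print("ALERT", line)
```

The point of the example is that encryption does not make the channel invisible: the plaintext check catches a client that merely borrowed port 443, and the SNI and source-host checks catch one that used TLS properly. The caveat is the other direction: a client that connects by bare IP and sends no SNI only trips the third rule, so the list of hosts that should never chat outbound is the check that survives the attacker's cleverness, and it is worth maintaining.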

One reason organizations don't adopt more active network monitoring, managed and watched by experienced systems or security specialists, is the perceived cost in resources. This is a problem given how APT attackers are focusing on smaller departments, offices, or even non-profits with much smaller security footprints that work with their intended target. APT attackers understand that smaller organizations, and some large ones as well, will balk at investing in IDS and network monitoring because of concerns about staff time or financial resources. While some companies are highly concerned about their data, and even implement practices such as data encryption, savvy attackers who have compromised a host can often then steal the encryption keys, passwords, and user credentials from it. So encrypting data at rest may not be sufficient to protect it. Furthermore, many APT attackers are comfortable collecting from and monitoring targets' machines over a long period of time, unlike traditional cyber-criminals, who are usually looking for a quick payoff.

Many APT attackers have the resources to pay individuals to visually monitor a specific target's computer, to which they have remote access, over a long period of time. The Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NBF), recently published details of a cyber-surveillance operation targeting human rights activists and politicians in Eastern Europe. In this case the APT attackers used a number of tools, including TeamViewer (a legitimate and popular remote access and support tool), to install other tools onto their targets' computers and devices. They also used TeamViewer to generate screen captures and view what targeted users were doing on their systems. In a case like this, antivirus, firewalls, and even encryption can be thwarted, since the attacker is using legitimate software for malicious purposes and can read passwords or plain text directly off the targets' screens. For organizations to increase their ability to detect and respond to such threats, it is necessary to invest in IDS, network analyzers, and, more importantly, training for systems administrators and security specialists to recognize potential threats.

Intrusion detection systems, network analyzers, and various network data mining tools can be expensive to purchase and difficult to set up and manage correctly. There are, however, numerous good open source tools and resources that can help you. As mentioned earlier, Snort is one of the most widely used IDS tools, and it is free and open source. Snort also has a large community of supporters who generate new rules, signatures, tools, and a plethora of books, allowing even smaller organizations to put a robust IDS in place.

Just as importantly, you can use Snort with various tools such as OfficeCat, Sguil, SnoGE, and others developed by the Snort community for real-time network analysis and incident response. This is critical for organizations looking to mitigate threats from APT attacks, because it lets system administrators monitor network traffic for suspicious activity. While Snort and similar tools look for specific anomalous patterns of behavior, it is critical to understand that automated tools and analysis are not sufficient on their own. System administrators and security specialists need to routinely review their logs, network traffic, and system activity for anomalous behavior, such as a host that trips the same alert against the same outside address on a fixed schedule. Fortunately there is an abundance of books, articles, and training available, so that even small, budget-restricted organizations can implement a strong level of intrusion detection that is both automated and backed up by real human monitoring. Without this additional layer of security, quiet and careful attackers can use APT techniques to remain hidden for years, and if you're a small organization with connections to the government, they are likely to be coming for you.
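Reviewing logs "routinely" is only useful if the review is shaped to surface the behaviour APT tooling produces: a script fires on a timer, a person does not. The script below is an added example for this article, not part of Snort, Sguil or any other tool named here. It parses Snort's one-line "fast" alert format, groups alerts by source host and signature, and flags groups whose alerts recur at near-constant intervals. The alert lines are constructed, the rule messages and the SIDs 1000001 and 1000002 are invented local rules, and the year is assumed to be 2013 because the fast format carries no year.

```python
"""Summarise Snort 'fast' alert log lines per (source host, signature) and
flag sources whose alerts recur on a fixed schedule, a trait of scripted
exfiltration or beaconing rather than of a person at a keyboard.

Added example for this article, not part of Snort or of any tool it names.
The alert lines below are constructed, not captured from a real sensor.
"""
import re
import statistics
from datetime import datetime

# Snort 2.x fast-format line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<stamp>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line, year=2013):
    """Return a dict for one fast-format alert, or None if it does not parse.
    The fast format has no year field, so the caller supplies one (assumed 2013)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{year}/{d['stamp']}", "%Y/%m/%d-%H:%M:%S.%f")
    return d

def summarize(lines, min_hits=4, max_jitter=0.1):
    """Group alerts by (src, sid).  A group is 'regular' when it has at least
    min_hits alerts and the spread of the gaps between them is small relative
    to the mean gap (coefficient of variation <= max_jitter)."""
    groups = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue                                # unparseable line: skip, never crash
        g = groups.setdefault((a["src"], a["sid"]), {"msg": a["msg"], "ts": []})
        g["ts"].append(a["ts"])
    out = {}
    for key, g in groups.items():
        ts = sorted(g["ts"])
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        regular = False
        if len(ts) >= min_hits:
            mean = statistics.mean(gaps)
            regular = mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter
        out[key] = {"msg": g["msg"], "count": len(ts), "regular": regular}
    return out

def regular_sources(lines):
    """Hosts worth a human's attention first: those with clockwork-regular alerts."""
    return sorted({src for (src, _sid), v in summarize(lines).items() if v["regular"]})

# Constructed sample alerts (invented local rules 1000001/1000002, made-up hosts).
SAMPLE_ALERTS = [
    # Host .7 trips the same rule every ten minutes: a script, not a person.
    "03/15-09:00:00.000123  [**] [1:1000001:1] LOCAL plaintext XMPP stream on 443 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:51122 -> 173.194.0.1:443",
    "03/15-09:10:00.000456  [**] [1:1000001:1] LOCAL plaintext XMPP stream on 443 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:51130 -> 173.194.0.1:443",
    "03/15-09:20:00.000789  [**] [1:1000001:1] LOCAL plaintext XMPP stream on 443 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:51141 -> 173.194.0.1:443",
    "03/15-09:30:00.000012  [**] [1:1000001:1] LOCAL plaintext XMPP stream on 443 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:51150 -> 173.194.0.1:443",
    "03/15-09:40:00.000345  [**] [1:1000001:1] LOCAL plaintext XMPP stream on 443 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:51162 -> 173.194.0.1:443",
    # Host .9: two hits hours apart, irregular, more likely a human or a one-off.
    "03/15-09:03:12.111111  [**] [1:1000002:1] LOCAL plaintext HTTP on 443 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.9:40000 -> 198.51.100.4:443",
    "03/15-13:47:05.222222  [**] [1:1000002:1] LOCAL plaintext HTTP on 443 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.9:40100 -> 198.51.100.4:443",
    # A non-alert line in the file should be skipped, not break the review.
    "sensor restarted",
]

if __name__ == "__main__":
    for (src, sid), v in sorted(summarize(SAMPLE_ALERTS).items()):
        flag = "REGULAR" if v["regular"] else "       "
        print(f"{flag} {src:<12} sid={sid} hits={v['count']} {v['msg']}")
```

Feed it the output of a sensor run with fast alerting and read the regular groups first; the count column tells you how loud a rule is, the regular flag tells you whether the thing behind it is on a timer. The jitter threshold is deliberately loose, since a scheduled task on a busy host will drift by seconds, but an attacker who randomises the interval will slip under it, so treat the flag as a triage aid, not as the detection.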

Safari Books Online has the content you need

Check out these books that will help you monitor your network traffic to mitigate your risks of a cyber security breach:

How well does your enterprise stand up against today’s sophisticated security threats? In this book, security experts from Cisco Systems demonstrate how to detect damaging security incidents on your global network–first by teaching you which assets you need to monitor closely, and then by helping you develop targeted strategies and pragmatic techniques to protect them. Security Monitoring is based upon the authors’ years of experience conducting incident response to keep Cisco’s global network secure. It offers six steps to improve network monitoring.
If you are a network administrator, you're under a lot of pressure to ensure that mission-critical systems are completely safe from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is an essential, but often overwhelming, challenge. Snort, the de facto open source standard among intrusion detection tools, is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching, and matching. Snort can save countless headaches; the Snort Cookbook will save countless hours of sifting through dubious online advice or wordy tutorials in order to leverage the full power of Snort.

About the author

Robi Sen is an experienced industry professional whose dynamic twenty-plus year career in information technology, engineering, and research has led him to work on cutting edge projects for NASA, the DoE, and the DoD. Robi also has extensive experience in the commercial space, including the creation of several successful start-up companies.  He is recognized as an application development authority and regularly contributes to papers, articles, and technical books, where he continues to help develop and define technology beyond the bleeding-edge. He has comprehensive experience in resource management and a strong theoretical and practical background in security and encryption technologies. Robi has authored or contributed to numerous patents in wireless technology, in addition to penning award-winning historical primary research into the effects of agency on insurgency and irregular warfare. Robi earned his B.S. in mathematics from Colorado State University and his Master’s in Military History at Norwich University. Robi can be reached at

Tags: Advanced Persistent Threats, APT, IDS, Intrusion Detection Systems, Network Analysis Tools, Snort

4 Responses to “Combating Advanced Persistent Threats with IDS and Network Analysis Tools”

  1. Weyland Chiang

    Very interesting and well written! It should be noted that on a lesser technical side of the spectrum for defending against APT related attacks, user knowledge is essential for protecting organizations from spear phishing attacks.

  2. robi sen

    Mr. Chiang,

    Good point. User awareness and training are absolutely an important component in the security chain. Perhaps the most important. That being said, spearphishing can be extremely hard to defeat using just awareness training. I have seen targets of spearphishing attacks get sent valid forms from a valid user on their network, with a valid certificate, and thus the target just unthinkingly opens the attached documents. For this reason I think there needs to be more time spent on awareness training and automated detection of malicious documents. Snort has OfficeCat, which can be used to look at documents for potential malware, and there is a plethora of tools for doing the same thing with PDF and other document formats. Bro is another good open source network monitoring and analysis tool that can be used to help detect malware in documents. Some other approaches are outlined in this document on page 13.

  3. lois garcia

    Articles like this can easily get too dry, but this one held my attention till the end. I have an enduring interest in privacy issues, and even thought about pursuing a CISSP years ago. I’m a sysadmin, so this evolution of advanced persistent threats is definitely pertinent to my job.

    THANK YOU for an excellent article. I’m adding the recommended books to my Safari bookshelf.

    • Safari Books Online

      Thanks for the feedback, Lois! Glad you found the article helpful.