In part 1 of this series, we looked at three possible signs you may have been the victim of an APT and how to detect and defend against these activities: 1) Gaps in System and Security Logs; 2) Unexplained Changes in System Configurations; and 3) Anomalous Traffic. Part Two examined two more potential signs of APT activity: 4) Odd Activity Appearing in Application and/or Database Logs; and 5) Your Organization is Experiencing a DDoS Attack. In this third installment of the “You Might Be an APT Victim if…” series, we’ll look at two more signs of potential APT activity inside your networks and systems.
Sign 6: Anomalous User Activity
One of the ways that advanced attackers “hide in plain sight” is to steal legitimate user credentials and then poke around the network using those stolen credentials. This type of activity can be very difficult to detect (assuming you are looking for it at all), allowing attackers to hold access to systems and data for long periods of time while avoiding detection.
One key to detecting and stopping this type of activity is the development of a baseline for user behavior. Knowing what normal activity and usage patterns look like for a given user enables the organization to identify outlying behavior. While this type of capability has been used in the finance and retail industries for several years to prevent fraudulent transactions, the use of this type of approach to monitor internal users is still emerging.
As plans and roadmaps are developed for your security program, this is an area that should be watched and considered as new techniques and technologies come to bear.
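To make the baselining idea concrete, here is an added example (not part of the original post) that builds a per-user baseline of login hours, source hosts and target hosts from a training window of constructed authentication events, then flags events in a later window that fall outside it. The event format, host names and the one-hour slack are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, source host, target host).
# BASELINE is the training window; REVIEW is the later period being checked.
BASELINE = [
    ("alice", "2013-03-04T08:55:00", "ws-alice", "fileserver"),
    ("alice", "2013-03-05T09:10:00", "ws-alice", "fileserver"),
    ("alice", "2013-03-06T17:45:00", "ws-alice", "mailserver"),
    ("alice", "2013-03-07T08:30:00", "ws-alice", "fileserver"),
    ("bob",   "2013-03-04T22:05:00", "ws-bob",   "buildserver"),
    ("bob",   "2013-03-05T23:30:00", "ws-bob",   "buildserver"),
]
REVIEW = [
    ("alice", "2013-03-11T09:05:00", "ws-alice",   "fileserver"),  # normal for alice
    ("alice", "2013-03-12T02:40:00", "ws-alice",   "fileserver"),  # off-hours only
    ("alice", "2013-03-12T02:42:00", "ws-guest07", "dc01"),        # off-hours, new source, new target
    ("bob",   "2013-03-12T23:10:00", "ws-bob",     "buildserver"), # normal for bob (night shift)
]

def build_baseline(events):
    """Per user: hours of day seen, source hosts seen, target hosts seen."""
    base = defaultdict(lambda: {"hours": set(), "sources": set(), "targets": set()})
    for user, ts, src, dst in events:
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
        base[user]["sources"].add(src)
        base[user]["targets"].add(dst)
    return base

def score_event(baseline, event, hour_slack=1):
    """Return the list of ways an event deviates from its user's baseline."""
    user, ts, src, dst = event
    if user not in baseline:
        return ["no baseline for user"]   # never seen in training: cannot judge, so surface it
    b = baseline[user]
    hour = datetime.fromisoformat(ts).hour
    # Distance between hours on a 24-hour clock, so 23:00 and 00:00 are one hour apart.
    near = lambda h: min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack
    reasons = []
    if not any(near(h) for h in b["hours"]):
        reasons.append("off-hours")
    if src not in b["sources"]:
        reasons.append("new source host")
    if dst not in b["targets"]:
        reasons.append("new target host")
    return reasons

def find_anomalies(baseline, events):
    """Pair each deviating event with its reasons; events with no deviation are dropped."""
    scored = [(e, score_event(baseline, e)) for e in events]
    return [(e, r) for e, r in scored if r]
```

Each flagged event carries the specific reasons it deviated, which is what an analyst needs to decide whether a stolen credential or an unusual but legitimate login is behind it.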
Sign 7: Your Supply Chain has Suffered a Breach
As illustrated in Symantec’s White Paper on the Elderwood Project, advanced attackers do not always engage in full frontal assaults on their intended targets. More and more, we are seeing advanced attackers go after the supply chain of larger organizations in an effort to gain access to the information they are after. They often do this because members of the supply chain are not as well defended as their primary target. They also choose this route because breaches, or potential breaches, are not always reported upstream.
Having a formal vendor risk assessment process in place can help to mitigate this risk and to improve the awareness and defenses of smaller organizations in the supply chain. Some organizations have taken the step of requiring their suppliers to certify compliance with a given security standard (ISO 27001 is most common) in order to provide an additional level of assurance that proper security controls are in place.
In summary, there are a variety of ways that advanced attacker activity can be detected and prevented. The short list provided in this series is by no means exhaustive, but hopefully it has provided some food for thought around the types of things your organization should be doing to protect itself. If you have additional thoughts on ways to detect and prevent advanced attackers, please add them in the comments section.