You Might Be an APT Victim... - Part 2
In part 1 of this series, we looked at three possible signs that you may have been the victim of an APT and how to detect and defend against these activities: 1) Gaps in System and Security Logs; 2) Unexplained Changes in System Configurations; and 3) Anomalous Traffic. In this second installment of the “You Might Be an APT Victim if…” series, we’ll continue our look into signs of potential APT activity inside your networks and systems.
Sign 4: Odd Activity Appearing in Application and/or Database Logs
The bad news is that attacks against web applications continue to be a favorite of unskilled and advanced attackers alike. Unfortunately, as the headlines show again and again, this attack vector is often very successful. While progress has been made with IPS and application-level firewalls, these defenses are not bulletproof and can be evaded by skilled attackers (encoding, fragmentation, and slow, low-volume probing are common evasions). Assuming that you are collecting web application and database logs and properly protecting them (see Part 1, Sign 1 for more on this topic), they can be a valuable source of information regarding advanced attacker activity.
Regular review of web server, application, and database logs (in addition to review of other available logs) can provide an excellent means of detecting possible APT activity. To read more about the specifics of what to look for and how to detect this type of activity, I recommend reviewing the following paper posted to the SANS Reading Room: http://www.sans.org/reading_room/whitepapers/logging/detecting-attacks-web-applications-log-files_2074
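As an added illustration of the kind of log review described above (this is example code written for this page, not the SANS paper's method or any product's rule set), the following Python script parses combined-format web server access log lines, URL-decodes the request path, and applies a handful of illustrative detection rules: SQL injection and directory traversal strings in the path, known scanner user-agents, and a burst of 404 responses from one source, which usually means content discovery. The log lines are constructed for the example and the patterns and thresholds are assumptions to be tuned against your own applications.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx combined format).
# These are fabricated for the example and do not come from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Sep/2012:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Sep/2012:10:01:05 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Sep/2012:10:01:09 +0000] "GET /index.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 14020 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Sep/2012:10:02:11 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Sep/2012:10:02:12 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1776 "-" "Mozilla/5.0"
192.0.2.44 - - [19/Sep/2012:10:03:00 +0000] "GET /admin/ HTTP/1.1" 404 312 "-" "sqlmap/1.0"
192.0.2.44 - - [19/Sep/2012:10:03:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 312 "-" "sqlmap/1.0"
192.0.2.44 - - [19/Sep/2012:10:03:02 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "-" "sqlmap/1.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative rules (assumed, not exhaustive). "scanner_ua" is matched against the
# user-agent; every other rule is matched against the URL-decoded request path, because
# attackers routinely percent-encode payloads to slip past naive string matching.
RULES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s*'|\bor\s+\d+\s*=\s*\d+|sleep\(|benchmark\()"),
    "traversal": re.compile(r"(\.\./|\.\.\\|/etc/passwd|boot\.ini)"),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=)"),
    "scanner_ua": re.compile(r"(?i)(sqlmap|nikto|nessus|acunetix|dirbuster)"),
}


def analyze(log_text: str, not_found_threshold: int = 3) -> dict:
    """Return rule hits per request plus source IPs with a suspicious number of 404s."""
    hits = []
    not_found = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            # An unparseable line is itself worth an alert in production: log
            # tampering (Part 1, Sign 1) often shows up first as malformed entries.
            continue
        ip, ua, status = m["ip"], m["ua"], int(m["status"])
        path = unquote(m["path"])  # decode %27 -> ', %20 -> space, etc.
        if status == 404:
            not_found[ip] += 1
        for name, rx in RULES.items():
            target = ua if name == "scanner_ua" else path
            if rx.search(target):
                hits.append({"ts": m["ts"], "ip": ip, "rule": name, "evidence": target})
    # Many 404s from one source in a short window is content discovery / forced browsing.
    recon = {ip: n for ip, n in not_found.items() if n >= not_found_threshold}
    return {"hits": hits, "recon": recon}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for h in result["hits"]:
        print(f'{h["ts"]} {h["ip"]:<14} {h["rule"]:<11} {h["evidence"]}')
    for ip, n in result["recon"].items():
        print(f"{ip}: {n} responses with status 404 (possible forced browsing)")
```

Two practical notes: correlate the web server hits with the database log for the same time window (a successful UNION SELECT shows up there as a query the application never normally issues), and treat a 200 response to an injection or traversal string as a higher-priority finding than a 403 or 500, since it suggests the payload was processed rather than rejected.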
Sign 5: Your Organization is Experiencing a DDoS attack
While DDoS attacks have historically been considered the work of pranksters and low-level hacktivists, recent events have proven that they are also used by very sophisticated attackers. In some cases, DDoS has been used as a diversionary tactic to draw attention and resources away from monitoring other parts of the environment, allowing intrusion and data exfiltration to go unnoticed until it was too late. One example of this type of attack is described in this article on The Register: http://www.theregister.co.uk/2012/09/19/pushdo_spews_fake_traffic/. Again, this is just one example of this type of attack.
While there is certainly a need to apply appropriate resources to squelch a DDoS attack and return to normal operations, these events should also prompt organizations to raise their general state of alert and look for other, more subtle attacks or data exfiltration that may be taking place away from the focal point of the DDoS. The best line of defense is to head off the attackers’ ability to launch a successful DDoS attack in the first place. While this is sometimes easier said than done, there are some excellent DDoS mitigation services available on the market today. Two I recommend are from Akamai and Verisign.
In addition to DDoS mitigation, a holistic approach to monitoring, analysis, and response is essential (you should see a theme emerging: diligent monitoring is a must). Maintaining a high level of general activity monitoring, and the ability to filter the DDoS traffic out of the rest of the traffic when conducting analysis, is key to seeing through the smokescreen in order to detect and block other attacks in the middle of a DDoS storm. In practice that means the flood gets handled on its own track, while the analyst keeps looking at what is left: in particular, outbound transfers from internal hosts that are far above their normal volume.
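The following Python example is added here to show what "filtering the DDoS traffic out and looking at the residual" can look like over flow records; it is example code written for this page, not any vendor's or the author's tooling. It constructs a window of flow records in which a 200-source flood against a web server swamps the flow counts, identifies the flood target by the number of distinct external sources hitting one internal service, removes those flows, and then compares each internal host's outbound byte volume on the residual traffic against an assumed per-host baseline. The internal prefix, the flows, the baseline, and the thresholds are all assumptions for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # assumed internal range for the example


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int  # bytes sent from src to dst in this flow


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def constructed_flows() -> list:
    """Fabricated one-window flow sample: a flood, some normal traffic, and an exfiltration."""
    flows = []
    # Flood: 200 distinct external sources each open a tiny flow to the web server.
    for i in range(1, 201):
        flows.append(Flow(f"203.0.113.{i}", "10.0.0.5", 80, 60))
    # Normal: a workstation talking HTTPS to a partner site, with the reply direction.
    flows += [
        Flow("10.0.0.20", "198.51.100.9", 443, 12_000),
        Flow("10.0.0.20", "198.51.100.9", 443, 8_000),
        Flow("198.51.100.9", "10.0.0.20", 443, 30_000),
    ]
    # The thing the flood is meant to hide: ~850 MB leaving one host over HTTPS
    # to a single external address, in four flows during the same window.
    flows += [Flow("10.0.0.31", "192.0.2.200", 443, 212_500_000) for _ in range(4)]
    return flows


# Assumed per-host outbound bytes for a comparable window on a quiet day.
BASELINE = {"10.0.0.5": 50_000_000, "10.0.0.20": 15_000_000, "10.0.0.31": 2_000_000}


def flood_targets(flows: list, min_sources: int = 100) -> set:
    """Internal (dst, dport) pairs contacted by at least min_sources distinct external sources."""
    sources = defaultdict(set)
    for f in flows:
        if is_internal(f.dst) and not is_internal(f.src):
            sources[(f.dst, f.dport)].add(f.src)
    return {svc for svc, srcs in sources.items() if len(srcs) >= min_sources}


def strip_flood(flows: list, targets: set) -> list:
    """Drop inbound flows to the flooded services. Legitimate clients of those services are
    dropped too; they belong to the DDoS-mitigation track, not to this residual view."""
    return [f for f in flows if (f.dst, f.dport) not in targets]


def busiest_services(flows: list, n: int = 3) -> list:
    """What an analyst sees first: internal services ranked by inbound flow count."""
    counts = Counter((f.dst, f.dport) for f in flows if is_internal(f.dst))
    return counts.most_common(n)


def exfil_suspects(flows: list, baseline: dict, ratio: int = 10) -> dict:
    """Internal hosts whose outbound bytes exceed ratio x their baseline.
    A host with no baseline at all has never been seen talking out, so any volume counts."""
    outbound = Counter()
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            outbound[f.src] += f.nbytes
    return {h: b for h, b in outbound.items() if b > ratio * baseline.get(h, 0)}


if __name__ == "__main__":
    flows = constructed_flows()
    print("busiest services during the storm:", busiest_services(flows))
    targets = flood_targets(flows)
    residual = strip_flood(flows, targets)
    print("flooded services:", targets, "| residual flows:", len(residual))
    print("busiest services after filtering:", busiest_services(residual))
    print("outbound volume suspects:", exfil_suspects(residual, BASELINE))
```

The distinct-source threshold is deliberately the discriminator rather than raw flow count: a popular service legitimately has many flows, but several hundred never-before-seen sources hitting one port in a window is the flood signature. The outbound check then runs only on what remains, so the flood cannot mask a host that is suddenly sending hundreds of megabytes to one external address.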