Advanced Persistent Threats (APTs) use commercially available and custom-made advanced malware to steal information or to carry out fraudulent transactions. Conventional perimeter and endpoint security controls, such as firewalls, antivirus gateways and antivirus desktop clients, are unable to stop advanced threats.
Advanced malware is polymorphic in nature and uses a range of attack tactics to execute an APT. Spear phishing is typically used to lure targeted users to infected web sites (e.g. drive-by download) or to socially engineer them into downloading infected documents (e.g. XLS / PDF files with embedded exploit code). Once a machine is infected, keylogging and screen capture are used to grab user credentials for sensitive corporate applications. Botnets or compromised endpoints (part of the command-and-control, C&C, infrastructure) are used to remotely access the endpoint and to use already-authenticated endpoints inside the enterprise perimeter to reach sensitive files and applications.
Organizations should consider a defense in depth approach that includes network and endpoint layers. They should specifically address the evasive nature of APTs and the way they bypass infection prevention controls. Through real-time detection of malware algorithm execution in memory it is possible to break the infection process of polymorphic and evasive malware.
The threat life cycle can be explained in the following way:
Our solution applies four-dimensional threat intelligence to tackle APT attacks on enterprises:
1. Content: what information is being transferred? This covers the type of files, how they are packed, the file structure, and whether the object is a known or unknown malware sample, an executable, etc.
2. Channel: how is the information being transferred? This covers encrypted communication and the type of tunnels, the ports, protocols or applications in use, whether the application is trusted or untrusted, and whether the ports are standard or non-standard.
3. Geography: the location-centric intelligence, i.e. where and from whom is the information coming, and where and to whom is it going?
4. Time: the final and most important dimension of an APT. Speed matters when you are in a race with the attacker. Once a target is compromised, the window for prevention is only milliseconds to minutes, while exfiltration in an attack can take anywhere from minutes to days. The solution should therefore compress or eliminate the data exfiltration window by reducing the time to discovery and the time to containment.
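As an added example (not the vendor's code), the following scores a single constructed file-transfer event along the four dimensions above; the reference sets (known-good hashes, standard ports, trusted applications, expected countries) and the 5-minute discovery target are assumptions standing in for real intelligence feeds and policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference data standing in for threat-intel feeds (assumption).
KNOWN_GOOD_HASHES = {"aaaa1111"}
STANDARD_PORTS = {"http": {80, 8080}, "https": {443}, "dns": {53}, "ssh": {22}}
TRUSTED_APPS = {"chrome.exe", "outlook.exe"}
EXPECTED_COUNTRIES = {"US", "DE"}

@dataclass
class TransferEvent:
    sha256: str
    packed: bool          # content: runtime-packed binary?
    protocol: str         # channel
    port: int
    app: str
    encrypted: bool
    dst_country: str      # geography
    first_seen: datetime  # time: when the transfer began
    detected: datetime    # time: when the alert was raised

def assess(ev):
    """Return one finding list per dimension plus a count of findings."""
    findings = {"content": [], "channel": [], "geo": [], "time": []}
    if ev.sha256 not in KNOWN_GOOD_HASHES:
        findings["content"].append("unknown file hash")
    if ev.packed:
        findings["content"].append("packed/obfuscated payload")
    if ev.port not in STANDARD_PORTS.get(ev.protocol, set()):
        findings["channel"].append(f"{ev.protocol} on non-standard port {ev.port}")
    if ev.app not in TRUSTED_APPS:
        findings["channel"].append(f"untrusted application {ev.app}")
    if ev.encrypted and ev.protocol != "https":
        findings["channel"].append("encrypted payload inside a non-TLS protocol")
    if ev.dst_country not in EXPECTED_COUNTRIES:
        findings["geo"].append(f"destination in unexpected country {ev.dst_country}")
    dwell = ev.detected - ev.first_seen
    if dwell > timedelta(minutes=5):
        findings["time"].append(f"time to discovery {dwell} exceeds the 5 min target")
    return {"score": sum(len(v) for v in findings.values()),
            "dwell_seconds": dwell.total_seconds(), **findings}

# Constructed sample: packed unknown binary, HTTP on an odd port from an untrusted
# process, to an unexpected country, noticed 12 minutes after it began.
SAMPLE = TransferEvent("beef0042", True, "http", 7443, "svchosts.exe", True, "XX",
                       datetime(2024, 1, 1, 10, 0), datetime(2024, 1, 1, 10, 12))

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Each dimension contributes independently, so an event that looks clean on content alone (a known hash) can still be flagged on channel, geography or dwell time.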