• Advanced Persistent Threat (APT) is a term referring to targeted attacks


Advanced Persistent Threats use commercially available and custom-made advanced malware to steal information or to carry out fraudulent transactions. Conventional perimeter and endpoint security controls, such as firewalls, antivirus gateways and antivirus desktop clients, are unable to stop advanced threats.

Advanced malware is polymorphic in nature and uses a variety of attack tactics to execute an APT. Spear phishing is typically used to lure targeted users to infected web sites (e.g. drive-by download) or to social-engineer them into downloading infected documents (e.g. XLS or PDF files with exploit code embedded). Once a machine is infected, keylogging and screen capturing are used to grab user credentials for sensitive corporate applications. Botnets or compromised endpoints (part of the CNC infrastructure) are used to remotely access the endpoint, and authenticated endpoints within the enterprise perimeter are then used to access sensitive files and applications.

Organizations should adopt a defense-in-depth approach that covers both the network and endpoint layers. It should specifically address the evasive nature of APTs and the way they bypass infection-prevention controls. Real-time detection of malware algorithm execution in memory makes it possible to break the infection process of polymorphic and evasive malware.

The threat life cycle can be explained in the following way:

1. Initial penetration into the enterprise network. Can be malware-based or non-malware-based, and server-side, client-side or, in rare cases, non-network-based. This is the infiltration phase.

2. Communication with an external malicious command and control system. Can occur on any port or protocol, and may or may not involve download of additional malcode. Malware downloaded during this stage is normally packed and inert (non-executable). This is called the CNC (command and control communication) phase.

3. Lateral movement through the internal network, seeking higher levels of privilege and better access to valuable, sensitive or classified information. Often involves staging of information. Popularly called the network propagation phase.

4. Extraction of target information, typically across the enterprise network perimeter. Can occur over any port or protocol. This is the exfiltration phase.

Our solution applies four-dimensional threat intelligence to tackle APT attacks on enterprises:

1. Content: what information is being transferred? The type of files, how they are packed, what the file structure is, and whether it is a known or unknown malware sample, executable, etc.

2. Channel: how is the information being transferred? Whether over an encrypted communication or a tunnel, which port, protocols or applications are used, whether the application is trusted or untrusted, and whether the ports are standard or non-standard.

3. Geography: location-centric intelligence, i.e. where/who is the information coming from, and where/who is it going to?

4. Time: the final and most important dimension of APT defense. Speed matters when you are in a race with the attacker. A compromised target has only milliseconds to minutes as time to prevention, while exfiltration in an attack can take from minutes to days, so the solution should compress or eliminate the data exfiltration window by reducing the time to discovery and the time to containment.

Our Solution Architecture:

The ISYX Technologies solution is based on real-time Deep Session Inspection, which provides customers with:

Deep visibility over network protocols and applications

  • Port-independent recognition and decoding of protocols, applications and application usage modes.
  • Extraction of session attributes at every layer of the network protocol/application stack

Deep visibility over the content that’s flowing over the network

  • Including document-based threats that are deeply encoded, embedded and/or compressed, and are not visible in the packets

The ability to make a real-time policy decision based on a network session's

  • Content – “If this network session contains a suspicious executable…”
  • And/or context – “…from a suspected malware download site…”
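As an added illustration of the inspection described above (example code written for this page, not ISYX's product): the session classifier below recognises HTTP by its leading bytes regardless of port, extracts the body, peels a ZIP container to find an executable hidden inside it, and combines the content, channel and source-context findings into one allow/alert/block verdict. The hostnames, ports, the untrusted-host list and the two sample sessions are constructed; the time dimension is represented only by the decision being taken on the reassembled session before anything is released to the client.

```python
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass

# Added example (not ISYX code): a minimal deep-session-inspection pass over a
# reassembled session. Hosts, ports, the reputation set and the sample
# payloads are all constructed for illustration.

HTTP_RESPONSE_RE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
HTTP_REQUEST_RE = re.compile(rb"^(?:GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")
STANDARD_PORTS = {"http": {80, 8080}, "tls": {443}, "ssh": {22}}
UNTRUSTED_HOSTS = {"files.example-untrusted.test"}  # constructed reputation list
MAX_CONTAINER_DEPTH = 4  # stop peeling nested archives beyond this depth


@dataclass
class Session:
    remote_host: str   # server the client is talking to (the "who/where" dimension)
    dst_port: int      # server port (the "channel" dimension)
    payload: bytes     # reassembled server-to-client bytes (the "content" dimension)


def recognise_protocol(payload: bytes) -> str:
    """Classify by the leading bytes of the stream, never by the port number."""
    if HTTP_RESPONSE_RE.match(payload) or HTTP_REQUEST_RE.match(payload):
        return "http"
    if payload[:2] == b"\x16\x03":      # TLS record: handshake type, version 3.x
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def http_body(payload: bytes) -> bytes:
    """Strip the HTTP header block; returns b'' if the headers are not terminated."""
    _head, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else b""


def content_types(blob: bytes, depth: int = 0) -> list[tuple[int, str]]:
    """Identify a blob by magic bytes and recurse into ZIP containers.

    Returns (nesting depth, type) pairs so the caller can tell an executable
    on the wire from one hidden inside an archive. Recursion is capped so a
    deeply nested archive cannot exhaust the inspector.
    """
    if blob.startswith(b"PK\x03\x04"):
        found = [(depth, "zip")]
        if depth >= MAX_CONTAINER_DEPTH:
            return found + [(depth + 1, "unexpanded-container")]
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as archive:
                for name in archive.namelist():
                    found.extend(content_types(archive.read(name), depth + 1))
        except zipfile.BadZipFile:
            found.append((depth, "zip-corrupt"))
        return found
    if blob[:2] == b"MZ":
        return [(depth, "pe-executable")]
    if blob[:4] == b"%PDF":
        return [(depth, "pdf")]
    return [(depth, "other")]


def decide(session: Session) -> tuple[str, list[str]]:
    """Combine content, channel and source context into one policy verdict."""
    proto = recognise_protocol(session.payload)
    body = http_body(session.payload) if proto == "http" else session.payload
    types = content_types(body)
    reasons = []
    if any(t == "pe-executable" and d == 0 for d, t in types):
        reasons.append("content: executable transferred in the clear")
    if any(t == "pe-executable" and d > 0 for d, t in types):
        reasons.append("content: executable nested inside a container")
    if proto != "unknown" and session.dst_port not in STANDARD_PORTS[proto]:
        reasons.append(f"channel: {proto} on non-standard port {session.dst_port}")
    if session.remote_host in UNTRUSTED_HOSTS:
        reasons.append(f"context: {session.remote_host} is on the untrusted list")
    if len(reasons) >= 2:
        return "block", reasons
    return ("alert", reasons) if reasons else ("allow", reasons)


def build_sample_session() -> Session:
    """Constructed test data: an HTTP reply on port 8443 carrying a ZIP-wrapped PE stub."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"constructed stub, not a runnable program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("invoice.exe", fake_pe)
    body = buf.getvalue()
    headers = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body))
    return Session("files.example-untrusted.test", 8443, headers + body)


def build_benign_session() -> Session:
    """Constructed test data: a PDF over plain HTTP on port 80 from an unlisted host."""
    body = b"%PDF-1.4\n% constructed placeholder document\n"
    headers = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
    return Session("docs.example.test", 80, headers + body)


if __name__ == "__main__":
    for s in (build_sample_session(), build_benign_session()):
        verdict, why = decide(s)
        print(s.remote_host, s.dst_port, verdict, why)
```

The verdict rule (block on two or more independent findings, alert on one) is a deliberately simple stand-in for a real policy engine; the point is that each dimension is scored separately and the channel finding still fires when the executable arrives over a port that the port table would otherwise treat as legitimate.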