APT Detection Indicators – Part 2


Advanced Persistent Threats (APT) typically exhibit recognizable attributes and patterns that can be monitored by readily available, open source tools. These tools can enable early detection of APT behavior, especially by monitoring unusual inter-zone or outbound traffic.

While there is no silver bullet in the fight against concerted and targeted attacks, a holistic framework that includes varied methodology and tools while embracing layered defensive tactics can prove very helpful. This post is a complement to the blog on APT Red Teams – Part 1 to enable a continuous improvement and optimization cycle from counter-intuitive sources and help mitigate advanced threats.

Monitoring to Detect APT Behavior

Monitoring a combination of network data and host file integrity data can be key to detecting APTs. A combination of open source tools, such as Snort, Splunk, Sguil, and Squert, is uniquely suited to monitoring patterns of activity in data over time in order to see a potential attack.

The information contained in this blog, together with the APT Detection Framework and APT Red Teams series, represents only a starting point for observing anomalous activity on hosts and on the network and is not meant as a complete APT program. Attack vectors are constantly changing, and it is up to the reader to stay abreast of conditions that may warrant changes in APT strategy, or to seek partners for expertise and best-practice help.

The APT Malware Signature

  • APT malware hides in plain sight:
    • Avoids detection by using common network ports, process injection and Windows service persistence
    • APT malware initiates outbound network connections
    • Monitoring outbound network traffic identifies APT outbound beaconing attempts
  • Avoids anomaly detection through:
    • Outbound HTTP connections
    • Process injection
    • Service persistence
  • APT communication:
    • 100% of APT backdoors made only outbound connections
    • 83% used TCP port 80 or 443; many were proxy-aware
    • Simple malware signatures such as MD5 hashes, filenames, and traditional anti-virus methods usually yield a low rate of true positives

Addressing the Gap: Detect the Breach

Factors associated with APT attacks include the following:

  • Sudden increases in network traffic, outbound transfers
  • Unusual patterns of activity, such as large transfers of data outside normal office hours or to unusual locations
  • Repeated queries to dynamic DNS names
  • Unusual searches of directories and files of interest to an attacker, e.g., searches of source code repositories
  • Unrecognized, large outbound files that have been compressed, encrypted or password-protected
  • Detection of communications to/from bogus IP addresses
  • External accesses that do not use the local proxies, or requests containing API calls
  • Unexplained changes in the configurations of platforms, routers or firewalls
  • Increased volume of IDS events/alerts
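Two of the indicators above (periodic outbound beaconing over TCP 80/443, and large outbound transfers outside office hours) can be spotted with simple statistics over flow records. The following is an added example written for this post, not code from the original or from any of the tools named below; the flow record layout, the thresholds and the sample flows are constructed assumptions for illustration.

```python
# Added example (not from the original post): heuristics for two APT
# indicators over constructed outbound-flow records: (1) beaconing, i.e.
# low-jitter periodic connections to one external host on TCP 80/443, and
# (2) large outbound transfers outside office hours. Thresholds are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flows: (timestamp, src, dst, dport, bytes_out).
# Destinations use documentation/example address ranges only.
FLOWS = [
    ("2014-03-10 02:00:00", "10.0.1.15", "203.0.113.7", 443, 1200),
    ("2014-03-10 02:05:02", "10.0.1.15", "203.0.113.7", 443, 1180),
    ("2014-03-10 02:09:58", "10.0.1.15", "203.0.113.7", 443, 1210),
    ("2014-03-10 02:15:01", "10.0.1.15", "203.0.113.7", 443, 1190),
    ("2014-03-10 02:20:00", "10.0.1.15", "203.0.113.7", 443, 1205),
    ("2014-03-10 03:12:00", "10.0.1.22", "198.51.100.9", 443, 85_000_000),
    ("2014-03-10 10:30:00", "10.0.1.15", "93.184.216.34", 80, 4000),
    ("2014-03-10 11:02:00", "10.0.1.15", "93.184.216.34", 80, 3900),
    ("2014-03-10 14:45:00", "10.0.1.22", "93.184.216.34", 443, 52_000),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_beacons(flows, min_conns=4, max_cv=0.1):
    """Return (src, dst) pairs on 80/443 whose inter-connection gaps are
    nearly constant. A coefficient of variation (stdev/mean) of the gaps
    below max_cv is machine-like regularity; browsing is far more irregular."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport in (80, 443):
            by_pair[(src, dst)].append(parse(ts))
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv < max_cv:
            hits.append((pair, round(mean(gaps)), round(cv, 3)))
    return hits

def find_offhours_exfil(flows, min_bytes=50_000_000, office=(8, 18)):
    """Single flows sending at least min_bytes outside office hours [8, 18)."""
    return [(ts, src, dst, n) for ts, src, dst, _, n in flows
            if n >= min_bytes and not office[0] <= parse(ts).hour < office[1]]

if __name__ == "__main__":
    print(find_beacons(FLOWS), find_offhours_exfil(FLOWS))
```

In practice the interval and byte thresholds should be tuned per segment, and a hit is a lead for Sguil/Wireshark pivoting, not a verdict.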

APT Detection & Analysis Tools

An APT depends on remote access and control; as such, the network activity associated with remote control can be identified, contained and disrupted through the analysis of inter-zone and outbound network traffic. Techniques for the detection of APT can be implemented with open source software tools, which in turn support the methodologies discussed in this series. Tools include:

  • Snort: an open source network-based intrusion detection and prevention system (IDS/IPS) originally developed by Martin Roesch. Snort employs signature-, protocol- and anomaly-based inspection
  • Scapy: a packet manipulation program. Scapy can create packets for a wide range of protocols; it can send and receive packets and match requests with replies. It is extensible via Python scripts and can be used for a variety of detective measures
  • OSSEC: a host-based open source IDS, as opposed to the network-based Snort. Its correlation and analysis engine provides log analysis, file integrity checking, Windows registry monitoring, rootkit detection and time-based alerting, as well as active response, and it supports most operating systems
  • Splunk: a search, monitoring and reporting tool that integrates logs and other data from applications, servers and network devices. The data repository is indexed and can be queried to create graphs, reports and alerts
  • Sguil: includes an intuitive GUI that provides access to real-time events, session data and raw packet captures. Sguil facilitates the practice of network security monitoring and event-driven analysis
  • Squert: a web application used to query and view event data stored in a Sguil database. Through metadata, time-series representations, and weighted and logically grouped result sets, it provides additional context to events

Analyze NIDS alerts with Snorby

These tools fit into the general category of network security monitoring (NSM), as described in several books by Richard Bejtlich; see “The Practice of Network Security Monitoring: Understanding Incident Detection and Response” for more details.

Intrusion detection (IDS) alone is sub-optimal; organizations need a combination of tools, operated as an NSM, to deal with the various data types. Sguil is the de facto implementation of NSM.

The Security Onion

The Security Onion (SO) is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows organizations to build an army of distributed sensors for the enterprise in minutes. For more information see the Security Onion Blog.

Use Squert to analyze NIDS/HIDS alerts and other data

Security Onion is configured for immediate use by default. Ideally, it should be installed on dedicated hardware, but in the short term it can be deployed via virtual machines or systems booting from LiveCD OS media. The first step in enhancing SO for optimal correlation functionality is to add Splunk. A commercial license is required for full action-based alerting; however, the limited community release can suffice with a small data footprint and console-only monitoring. Splunk installation is remarkably straightforward.


It is vital to practice an elevated operational awareness around critical data and assets, for example sensitive data (PII, PHI, CHD), source code, and intellectual property. Segment and wrap critical data in managed secure zones within the deeper protection of well-monitored defensible infrastructure (see Defensible Security Posture), with network taps, network flows (NetFlow) and logging tools to increase visibility and enable on-demand packet capture.

Pivot between multiple data types with Sguil, send pcaps to Wireshark & Network Miner

It is impossible to protect everything equally. Incremental efforts, targeted at protecting high value data, typically through smaller and protected network segments (see Adaptive Zone Defense) provide far greater gains than broader, less focused efforts on lower value targets. Similarly, layered defensive tactics (multiple layers and means of defense) can contain security breaches and buy time to detect and respond to an attack, reducing the consequences of a breach.

It all starts with a Back to Basics: Defensible Architecture that is well-organized and managed, based upon asset and data classification and a risk assessment that defines policy, placement and controls.

Focus on Detect, Contain, Investigate, Respond, Eradicate, Recover

Even the best monitoring mindset and methodology may not guarantee discovery of the actual APT attack. Instead, use more comprehensive analysis and correlation to discover behaviors indicative of APT-related attacks, lateral movement and data exfiltration.


This APT Detection Indicators – Part 2 blog is a part of the APT Strategy Series and complements and builds upon the Adaptive Zone Defense, Defensible Security Posture and the APT Red Teams blogs.

In APT Detection Indicators – Part 3 we will discuss the use of the above tools in more detail together with a methodology to integrate and leverage events and data. In this series we will share more Indicators of Compromise (IoC) examples and scenarios together with posts on APT Defensive Actions and Adaptive Response Strategy.

Thanks for your Interest!

Nige the Security Guy.


8 Responses to APT Detection Indicators – Part 2

  7. jj says:

    Great blog please continue
