APT Anomaly Detection – Part 1

APT Anomaly Detection – Part 1: Eliminating the Noise

The rapid discovery of a breach is key to minimizing the damage of a targeted attack. Context-aware anomaly detection improves an organization's security accuracy and efficiency by bringing relevant suspect events into focus, and thus helps eliminate distracting noise.

Improve security analyst efficiency, reduce operational overhead and cost by eliminating noise

In APT Anomaly Detection – Part 1 we present a primer on the various options for Network Behavior Analysis as a complement to other core technologies and tools, adding to the capability to detect and investigate targeted attacks. The series then focuses on improving the accuracy of events through triage, to improve detection precision as well as eliminate the noise.

Signal to Noise Ratio

It’s a known fact that a lot of time is typically wasted on analyzing false positives generated by technology that is not correctly baselined, customized, tuned and optimized. Depending upon the environment, false positives can often be numerous and very difficult to verify, costing analysts valuable time determining whether or not something is an event they should be worried about.

Security Event Signal to Noise Ratio

Organizations today are exposed to a greater volume and variety of network attacks than ever before. Adversaries are exploiting zero-day vulnerabilities, taking advantage of risks introduced by cloud and mobile computing, and applying social engineering tactics to compromise user accounts. Advanced attackers are both patient and clever, evading detection at the network level. Security professionals wrestle with efficiently detecting these threats and effectively resolving them.

Reportedly Neiman Marcus experienced 60,000 alerts during their latest breach and Target was flooded with alerts. In both cases, the alerts failed to generate proper action. Relying on a tool (or tools) for alerts is useless if it generates too much noise and not enough signal. Too many alerts without the proper context fail to guide the right response.

Insider attacks are on the rise. To monitor and act on internal abuse, as well as comply with data protection regulations, organizations need to tie network security events to local systems and user credentials. Correlating threat information from intrusion prevention systems with actual user identities (logged on to local systems) allows security professionals to identify breaches of policy and fraudulent activity more accurately within the internal network.

Context-Aware Security

Traditional defenses, such as signature-based anti-malware tools and stateful inspection firewall technology, are less and less effective against new threats because they have no knowledge of the applications in use, normal traffic patterns or user activity in the context of a network’s normal behavior patterns. New approaches to security, such as those focusing on context awareness and security intelligence, will provide the next generation of technology to cope with evolving threats.

Inside IT: Context-Aware Computing

Leveraging Context-Aware Security

Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. The goal? More-accurate security decisions capable of supporting more-dynamic business and IT environments as well as providing better protection against advanced threats.

If possible, all information security infrastructure must become context-aware – endpoint protection platforms, access control systems, network firewalls, IPS systems, security information and event management (SIEM) systems, secure web gateways, secure email gateways, data loss prevention (DLP) systems, and so on.

The shifts to incorporate “application awareness”, “identity awareness”, “virtualization awareness”, “location awareness”, “content awareness” and so on are all facets of the same underlying shift in information security infrastructure to become context-aware.

Why Context-Aware Security is Needed

To understand contextual security, organizations should understand the signature of a typical attack. A common type of APT attack involves embedding Trojan horse code in PDF documents delivered as an email attachment. When the unsuspecting email recipient clicks on the attachment, malicious code is unleashed, but it doesn’t immediately execute, delaying until any antimalware program is no longer watching. When the Trojan does finally execute, it discreetly begins collecting data and sending GET requests to commonly visited sites to test network connectivity. If it detects an active network connection, the Trojan initiates a status beacon message to a command-and-control node.

APT Attack Kill Chain

The Signature of an Advanced Targeted Threat

As malware authors continue to introduce new antivirus evasion techniques, organizations must learn how to detect attacks that have slipped through the net and are living on the network. As the Mandiant APT1 report illustrated to the security community, attackers are capable of staying inside an organization’s network for years if organizations lack robust measures to detect and remediate attacks.

Network Baseline and Behavior Analysis

Network Behavior Anomaly Detection (NBAD) techniques were originally developed to monitor network traffic thresholds for shifts or changes that could indicate attacks or signal specific issues with systems. Over time, NBAD evolved into Network Behavior Analysis (NBA) which focuses on the establishment of a comprehensive network baseline. This overall baseline is then continually monitored for deviations or exceptions that may alert an analyst to an issue.

Behavior-based Anomaly Detection

There are three main components of a network behavior monitoring strategy for use in information security and network operations:

  • Traffic Flow Patterns and Data: Network flow data such as NetFlow, sFlow, and J-Flow.
  • Network Performance Data: Simple Network Management Protocol (SNMP) events and Quality of Service (QoS) data for system and network performance.
  • Passive Traffic Analysis: Passive analysis tools can continually monitor traffic for protocol anomalies, tunneled protocols, use of non-standard ports and protocol field values, etc.

Ultimately, these tools can also provide a much higher degree of visibility into what systems and applications are communicating with one another and where they are on the network, which provides intrusion prevention systems with much needed environmental context.

Forensic NetFlow and IPFIX analysis tools are ideal security layers with which to detect and investigate APTs. Network flows provide a complete account of all network activity, both at the perimeter of the network and in the network core. Advanced flow analysis solutions trigger alarms by monitoring for suspect behavioral patterns within the network flows. Identifying suspicious traffic patterns involves automated correlation of different types of contextual information and then deciphering the associated intent and danger.

One of the best ways to detect whether internal hosts are communicating with external APT launch points is to compare NetFlow data to a host reputation list. By sending NetFlow from the Internet-facing routers to a NetFlow collector that compares all flows to the host reputation database, internal machines talking with known compromised Internet hosts can be identified.
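The comparison just described, as an added example that is not code from the original post: NetFlow-style records are matched against a host reputation list and summarized per internal host. The flow records, the reputation list and the addresses (documentation ranges) are constructed sample data, and the RFC 1918 ranges are assumed to define "internal".

```python
"""Compare NetFlow-style records with a host reputation list.

Added example, not code from the original post. The flow records, the
reputation list and the addresses are constructed sample data; a real
deployment would feed NetFlow/IPFIX exported by the Internet-facing routers
into a collector that runs this comparison.
"""
import ipaddress
from collections import defaultdict

# Constructed reputation list: external hosts known to be compromised (placeholders).
REPUTATION_LIST = {
    "203.0.113.10": "known command-and-control node",
    "198.51.100.77": "malware distribution host",
}

# Address space treated as "internal" for this example (RFC 1918 ranges, an assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow v5-style records (subset of fields; ts in seconds).
FLOWS = [
    {"src": "10.1.5.23", "dst": "203.0.113.10", "dport": 443, "bytes": 820, "ts": 1000},
    {"src": "203.0.113.10", "dst": "10.1.5.23", "dport": 51234, "bytes": 300, "ts": 1001},
    {"src": "10.1.7.40", "dst": "93.184.216.34", "dport": 80, "bytes": 15000, "ts": 1010},
    {"src": "192.168.2.9", "dst": "198.51.100.77", "dport": 8080, "bytes": 4096, "ts": 1100},
    {"src": "10.1.5.23", "dst": "203.0.113.10", "dport": 443, "bytes": 790, "ts": 1300},
    {"src": "10.1.5.23", "dst": "203.0.113.10", "dport": 443, "bytes": 805, "ts": 1600},
    {"src": "10.1.7.40", "dst": "10.1.2.50", "dport": 445, "bytes": 2200, "ts": 1650},
]


def is_internal(addr):
    """True when the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def match_reputation(flows, reputation):
    """Return {(internal_host, external_host): summary} for every flow whose
    external endpoint is on the reputation list, regardless of direction."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "timestamps": []})
    for flow in flows:
        src_int, dst_int = is_internal(flow["src"]), is_internal(flow["dst"])
        if src_int == dst_int:
            # internal<->internal or external<->external: not an Internet-facing flow
            continue
        internal, external = (flow["src"], flow["dst"]) if src_int else (flow["dst"], flow["src"])
        if external not in reputation:
            continue
        hit = hits[(internal, external)]
        hit["flows"] += 1
        hit["bytes"] += flow["bytes"]
        hit["timestamps"].append(flow["ts"])

    report = {}
    for pair, hit in hits.items():
        ts = sorted(hit["timestamps"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        report[pair] = {
            "reason": reputation[pair[1]],
            "flows": hit["flows"],
            "bytes": hit["bytes"],
            "first_seen": ts[0],
            "last_seen": ts[-1],
            # a steady gap between flows is the kind of regularity a beacon shows
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for (internal, external), summary in match_reputation(FLOWS, REPUTATION_LIST).items():
        print(f"{internal} <-> {external}: {summary}")
```

The per-pair summary (count, bytes, first/last seen, mean gap) is the context an analyst needs to rank the hit rather than treat it as one more alert.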

Getting started with Contextual Security

In order to combat these increasingly common scenarios, organizations must implement four lines of defense.

Rule Sets: Usually in conjunction with an intrusion detection system such as Snort.

Formulating effective rule sets is a fundamental portion of the contextual approach to network security. Rule sets are typically reactionary since they are usually only formulated after an attack vector has been identified but are still an important tool.

Also see the APT Detection Indicators series, which discusses Indicators of Compromise (IoCs) that can be used to develop and correlate rules.

Statistical Correlation: Utilize statistical and correlation methods to analyze the latest trends in malware.

This is the key that ties all of the other methods together since it meshes rule sets, log examination and data exfiltration monitoring. Correlation methods are used to examine whatever alerts are currently configured and to look for relationships between each alert that is triggered. These relationships can be with regard to type of alert, port number or any other type of selector configured by the security analyst. Statistical methods do not rely on prior knowledge of an attack vector, but rather on the time and frequency of a set of alerts.
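The correlation approach described above, as an added example that is not code from the original post: alerts are grouped by a selector (here the source host), and a window is raised as an incident only when it holds enough alerts of enough distinct types, so a single noisy rule firing repeatedly does not qualify. The alert records and rule names are constructed and follow this post's attack narrative (PDF attachment, connectivity GET requests, beacon to a known-bad host).

```python
"""Correlate triggered alerts by time, frequency and a selector.

Added example, not code from the original post. The alert records and the
rule names are constructed sample data.
"""
from collections import defaultdict

# Constructed alerts as a SIEM might hold them: ts in seconds, "rule" is the
# alert type, "src" the internal host the alert concerns.
ALERTS = [
    {"ts": 50,   "rule": "proxy:connectivity_get",        "src": "10.1.7.40", "dport": 80},
    {"ts": 100,  "rule": "ids:suspicious_pdf_attachment", "src": "10.1.5.23", "dport": 25},
    {"ts": 160,  "rule": "proxy:connectivity_get",        "src": "10.1.5.23", "dport": 80},
    {"ts": 200,  "rule": "proxy:connectivity_get",        "src": "10.1.5.23", "dport": 80},
    {"ts": 300,  "rule": "proxy:connectivity_get",        "src": "10.1.7.40", "dport": 80},
    {"ts": 420,  "rule": "flow:beacon_known_bad_host",    "src": "10.1.5.23", "dport": 443},
    {"ts": 800,  "rule": "proxy:connectivity_get",        "src": "10.1.7.40", "dport": 80},
    {"ts": 1500, "rule": "proxy:connectivity_get",        "src": "10.1.7.40", "dport": 80},
    {"ts": 5000, "rule": "ids:suspicious_pdf_attachment", "src": "10.1.9.2",  "dport": 25},
    {"ts": 9000, "rule": "flow:beacon_known_bad_host",    "src": "10.1.9.2",  "dport": 443},
]


def correlate(alerts, selector="src", window_s=600, min_alerts=3, min_types=2):
    """Group alerts by `selector` and report every window of `window_s` seconds
    that holds at least `min_alerts` alerts of at least `min_types` distinct
    types. Repeated alerts of a single type (noise) do not qualify on their own."""
    by_key = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        by_key[alert[selector]].append(alert)

    incidents = []
    for key, items in by_key.items():
        i = 0
        while i < len(items):
            # extend the window from item i as far as window_s allows
            j = i
            while j + 1 < len(items) and items[j + 1]["ts"] - items[i]["ts"] <= window_s:
                j += 1
            window = items[i:j + 1]
            types = sorted({a["rule"] for a in window})
            if len(window) >= min_alerts and len(types) >= min_types:
                incidents.append({
                    "selector": key,
                    "start": items[i]["ts"],
                    "end": items[j]["ts"],
                    "alerts": len(window),
                    "types": types,
                    "ports": sorted({a["dport"] for a in window}),
                })
                i = j + 1  # consume the window, then look for the next cluster
            else:
                i += 1
    return incidents


if __name__ == "__main__":
    for incident in correlate(ALERTS):
        print(incident)
```

With the default thresholds only the host showing the PDF, connectivity-check and beacon sequence within ten minutes is reported; the host generating repeated connectivity-check alerts alone is left as noise.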

Monitoring: Monitor for unusual data exfiltration attempts.

The most important portion of a context-aware security paradigm, examining and blocking data exfiltration attempts is the last line of defense when attempting to combat APT attacks. It is important for an organization to know what should and should not be leaving the network.

Log Analysis: Strongly emphasize the need to manually examine logs.

Automating log reviews with tools such as Splunk is a popular technique, and when operating in a highly trafficked network, automation is indeed a necessity. However, when attempting to discover new attacks against a network, nothing is as effective as human observation and intuition. Human intuition, along with informed experience should alert the security administrator to any site that looks suspicious, which could then spawn a new network monitoring rule to block that avenue of attack in the future.

Context Reduces Noise

As attackers become better at hiding out on networks, organizations need to be aware of the context surrounding security events to better sniff out APTs and reduce the noise. This means setting up the right kind of alerts based on Indicators of Compromise (IoCs) as well as previous attack vectors and correlating the information between triggered alerts. Most importantly this means having some human eyes monitoring data leaving the network and looking over logs to become familiar with the network and spot interesting traffic that may not be coded yet as triggers.

If an organization cannot connect all the dots across its network, it will be unable to fend off a new breed of persistent, stealthy malware. The organization needs to decide whether to build and operate this capability in-house because security is mission critical, whether to partner with a consultancy or service provider to co-source both monitoring and skilled resources in a Hybrid SoC, or whether to outsource completely to a managed service because security is simply not a core competency. The last option needs strong process integration, in terms of contextual awareness of the internal business operations, as well as strict SLAs to ensure preparedness to respond.

Protecting an organization's data from APT invasion is an ongoing, daily task. Vigilance and healthy paranoia are a good defense against possible intrusion. Many experts combating APTs suggest that organizations always be on the alert, that is, assume an APT is always present or already underway, and operate defensively rather than passively. Use Red Teams (see: APT Red Teams) to keep skills current and hone capabilities and response.

Holistic Logging

Improving communications visibility with evolving contextual anomaly detection is one of the best ways to detect internal malware that has circumvented the traditional firewalls. Many APTs have no trouble sneaking right past even the best security appliances; however, they have a habit of exhibiting the same suspicious behaviors. See Defensible Security Posture for details on the signature of an APT and the Cyber Kill Chain.

In APT Anomaly Detection – Part 2 we will expand upon the above topics in more detail, discuss the options for adding contextual sources, and cover how to fine-tune and improve detection precision to improve analyst efficiency and reduce operational overhead and cost. This post is complemented by the APT Detection Indicators blog series, which discusses Indicators of Compromise (IoCs) as well as useful open source tools and techniques to detect APTs.

Thanks for your interest!

Nige the Security Guy.


APT Strategy Guide

APT Strategy Guide Navigating the APT Strategy Series

Continuous monitoring is an important part of an organization’s cyber security efforts. But without establishing an effective security framework first, those efforts may be misspent.

Strengthening IT infrastructure begins with establishing a sound cyber security threat and risk management governance process. Next, organizations must manage the complexity of their IT infrastructures by using enterprise architecture to consolidate, standardize and optimize the current inventory of IT assets as well as developing “threat aware” mission and business processes.

Organizations must also develop and integrate into their enterprise architecture a security architecture that guides the effective allocation of security controls to their information systems. And finally, organizations must initiate continuous monitoring of all of the above activities to ensure ongoing effectiveness of cyber security and risk management governance, mission/business processes, enterprise and security architectures, and security controls deployed within the enterprise.

This blog provides an overview to the site to facilitate navigation as well as place the various topic threads in context. The following APT Strategy Guide Map graphic provides an at-a-glance simplified summary of the blogs to help understand how they fit together to form a building block picture.

APT Strategy Guide Map

APT Strategy Framework

APT Response Strategy

Adaptive Response Strategy

How do you implement a Plan C? Organizations are starting to recognize the ever increasing importance of rapid and well orchestrated incident response capabilities as a key component in their defense-in-depth strategy.

Increased complexity and frequency of attacks, combined with reduced effectiveness of preventative security controls, elevate the need for enterprise-scale security incident response. The APT Response Strategy (aka APT-IR) series of blogs discusses the development and evolution of an effective rapid incident response program, a call to action.

APT Red Teams

How do you prevent an APT? The APT Red Teams blog defines core components used by successful red teams and proposes an approach for categorizing and implementing red teams to enable continuous improvement and optimization from counter-intuitive sources and help mitigate advanced threats.

Advanced Persistent Threats (APTs) initiated by an ever growing population of highly capable cyber criminals who are focused, determined and stealthy are an ever increasing risk. While many organizations have the basic tenets of security in place and regularly test their industry standard best-practice procedures, they are caught off guard by exposed vulnerabilities, risks and threats not previously identified and formally escalated to resolution.

A Red Team approach provides a proven method of risk analysis which uncovers risks and quickly adapts to real world approaches taken by adversaries.

APT Threat Analytics

How can you predict emerging threats? Threat intelligence and analytics continues to dominate the headlines and attention of organizations seeking viable options in their escalating battle against advanced threat actors.

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging threat to assets. It is used to inform decisions regarding response in terms of prevention enhancements with mitigating controls or detection adjustments (rules or triggers).

This blog discusses best practices to identify internal and external data sources as well as help overcome many operationalization challenges to take an emerging program to the next level as a strategic component.

APT Detection Indicators

In a world where organizations need to be watching or monitoring their networks continuously, knowing what to look out for is critical. In this blog we discuss how to detect incidents early by identifying “attack precursors” and other leading indicators that help protect your organization from compromise and can stop an attack in its tracks.

Advanced Persistent Threats (APT) typically exhibit recognizable attributes and patterns that can be monitored by readily available, open source tools. These tools can enable early detection of APT behavior, especially by monitoring unusual inter-zone or outbound traffic.

APT Detection Framework

The last decade has seen a lot of research on intrusion detection with intelligent data analysis and its implementation in commercial products but there are still some challenges remaining. Effectiveness, accuracy and scalability are key considerations in the technical design, implementation, and operations of an IDS.

This blog presents a proposed APT Detection Framework that can be used both for advanced multistep threat scenario analysis and for detection system design – to identify an organization's gaps based on new threats and/or indicators of compromise and make iterative improvements.

Defensible Security Posture

The purveyors of Fear, Uncertainty and Doubt (FUD) assert that preventing today’s advanced threats is unrealistic, internal compromise is inevitable and – that FUD factor is reinforced by more and more reports of malware and advanced attacks penetrating insufficient security controls. However, it’s not all doom and gloom. Although the experts concede that stopping 100% of attacks is a technical impossibility, there are ways for organizations to avoid becoming the next devastated victim.

The basic idea of a Defensible Security Posture is that you aren’t striving for an absolute, but rather for a position (or posture) that is able to be defended even when it’s infiltrated.

Adaptive Zone Defense

Limiting and intelligently managing communications between services and systems on an organization's network helps contain an infection or compromise, keeping malware or a persistent threat from running rampant. In addition, business needs, regulations and other compliance requirements impact security architecture and design and thus may impose mandated separation or additional boundary controls.

This blog offers guidance to organizations seeking to develop a modular and scalable network segmentation design.

There is a lot of hype and yet no silver bullet. However, there is much an organization can do to extend and evolve its defense-in-depth strategy, to improve its detection and containment capability, and to gain the key visibility needed to rapidly respond to a compromise or attempt. There is also a win-win in that many best practices, controls and detection techniques needed for APT also help address the Insider Threat.

Thanks for your interest!

Nige the Security Guy.

APT Threat Analytics – Part 2

APT Threat Analytics – Part 1

In today’s threat environment, rapid communication of pertinent threat information is vital to quickly detecting, responding to and containing targeted attacks. The key to improving an organization's reaction time is a workflow and set of tools that allows threat information to be analyzed and actionable results communicated across the organization rapidly.

In this APT Threat Analytics – Part 2 blog, we will discuss the options for threat intelligence collaboration and sharing, together with a current snapshot of the available tools and standards/developments, to help determine whether your organization can benefit from an emerging dedicated in-house threat intelligence program.

Given the escalating threat landscape, improving threat detection is key for most organizations, specifically developing an intelligence-driven approach. This requires collecting and consolidating threat intelligence data from internal sources (e.g. systems and applications) and external sources (e.g. government or commercial threat feeds) and using analytics to spot attack indicators or anomalous behavior patterns.

The core team should have the capabilities to achieve good visibility and situational awareness across the organization.

  • People: Internal and external networking for developing good sources of intelligence, communication for developing reports and presenting intelligence briefings
  • Process: Designing an end-to-end intelligence process including obtaining and filtering data, performing analysis, communicating actionable results, making a risk decision, and taking action
  • Technology: Analysis (drawing connections between seemingly disconnected data), and data analytics techniques

What is Threat Intelligence?

Threat intelligence means different things to different organizations, so it’s important to first define what threat intelligence means to your organization. The ultimate goals of threat intelligence gathering and sharing should be as follows:

  • Develop actionable intelligence
  • Better intelligence translates to better protection
  • Increased protection translates to less fraud and decreased revenue loss
  • Collective intelligence is far more effective than individual silos
  • Both external and internal sources are needed to address targeted threats

In-House Threat Intelligence

With the increase in advanced, multidimensional threats, organizations can no longer depend solely on existing automated perimeter gateway tools to weed out malicious activity. More and more organizations are considering development of an in-house threat intelligence program, dedicating staff and other resources to network baselines, anomaly detection, deep inspection and correlation of network and application data and activity.

With the advanced, blended, multidimensional, targeted cyber attacks being levied today, your organization still needs an experienced set of human eyes analyzing the data collected, not to mention its reputation.

APT Attack Patterns

Performing in-house threat intelligence need not be complex or expensive. Such a program can be as simple as IT staff being trained to pay closer attention to data. In other cases, threat intelligence might mean having a team of people performing deep content inspection and forensics on a full-time basis. Where an organization falls in that range depends on various factors such as critical assets/data, risk tolerance, core competency, and so on. The organization may elect a DIY in-house model or a co-sourced partner.

One of the biggest benefits of taking control of internal threat intelligence is that it forces organizations to, as follows:

  • Develop a deep understanding of –
    • How systems are used
    • How data is accessed
  • Recognize traffic and usage patterns
  • Pay attention to log data and to correlate that data with a known baseline of how users interact with data, applications and servers.
  • Consolidate and manage log sources

With all of this data at an analyst’s fingertips, organizations can recognize the subtle anomalies that may indicate an attack—the main goal of your threat intelligence effort. For more information see the forthcoming blog: APT Anomaly Detection as well as the new NG Security Operations (SoC V2) series.

APT Behavior

What would constitute a subtle anomaly? One example is inappropriate remote access to critical servers in your environment. Many organizations don’t bother to actively audit remote desktop access to critical servers, but what if, out of the blue, you detect repeated Remote Desktop Protocol (RDP) sessions and failed logins to a domain controller from a new system in your environment? Your gateway tools won’t help here, and this activity would certainly warrant investigation because it could indicate the beginning (or middle) of an advanced persistent threat (APT).
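The RDP scenario above as detection logic, an added example that is not code from the original post: events are checked against a baseline of sources expected to open RDP sessions to each critical server, and a burst of failed logons from a source outside that baseline is rated high, with a note if a successful logon follows. The log lines are a constructed, simplified rendering of Windows security events (4624 logon succeeded, 4625 logon failed, logon type 10 RemoteInteractive); the host names, addresses and baseline are assumptions.

```python
"""Detect remote desktop logon anomalies against a baseline of known sources.

Added example, not code from the original post. The log format below is a
constructed, simplified rendering of Windows security events; the host
names, addresses and the baseline are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one RDP-related event per line.
LOG = """\
2014-06-02T08:00:05 DC01 EventID=4624 LogonType=10 Src=10.1.2.50 User=ops.admin
2014-06-02T08:30:11 DC01 EventID=4625 LogonType=10 Src=10.1.2.50 User=ops.admin
2014-06-02T22:14:03 DC01 EventID=4625 LogonType=10 Src=10.1.5.23 User=administrator
2014-06-02T22:14:09 DC01 EventID=4625 LogonType=10 Src=10.1.5.23 User=administrator
2014-06-02T22:14:15 DC01 EventID=4625 LogonType=10 Src=10.1.5.23 User=backup
2014-06-02T22:14:21 DC01 EventID=4625 LogonType=10 Src=10.1.5.23 User=svc_sql
2014-06-02T22:15:02 DC01 EventID=4624 LogonType=10 Src=10.1.5.23 User=svc_sql
2014-06-02T23:40:00 DC01 EventID=4625 LogonType=10 Src=10.1.8.8 User=jdoe
"""

# Constructed baseline: sources expected to open RDP sessions to each critical server.
BASELINE = {"DC01": {"10.1.2.50"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Src=(?P<src>\S+) User=(?P<user>\S+)$"
)


def parse(log_text):
    """Yield RDP (logon type 10) events as dicts; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("ltype") == "10":
            yield {
                "ts": datetime.fromisoformat(m.group("ts")),
                "host": m.group("host"),
                "event": int(m.group("event")),
                "src": m.group("src"),
                "user": m.group("user"),
            }


def detect(log_text, baseline, burst=3, window_s=300):
    """Report RDP activity from sources outside the baseline. A burst of failed
    logons (>= `burst` within `window_s` seconds) is rated high; a successful
    logon after the burst is recorded in the finding as well."""
    events = defaultdict(list)
    for ev in parse(log_text):
        if ev["src"] not in baseline.get(ev["host"], set()):
            events[(ev["host"], ev["src"])].append(ev)

    findings = []
    for (host, src), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == 4625]
        burst_end = None
        for i in range(len(failures) - burst + 1):
            span = (failures[i + burst - 1]["ts"] - failures[i]["ts"]).total_seconds()
            if span <= window_s:
                burst_end = failures[i + burst - 1]["ts"]
                break
        success_after = burst_end is not None and any(
            e["event"] == 4624 and e["ts"] > burst_end for e in evs)
        findings.append({
            "host": host,
            "src": src,
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "severity": "high" if burst_end else "low",
            "success_after_burst": success_after,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(LOG, BASELINE):
        print(finding)
```

The known administrative source produces no finding even though it also has a failed logon; the new source with four failures across three accounts followed by a success is the one an analyst should look at first.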

Picking the Right Tools

There are a few major hurdles when it comes to performing comprehensive cyber threat intelligence (CTI) in-house. Organizations need a core set of security tools to provide the essential foundational elements for performing threat intelligence. They should certainly consider leveraging external sources and service providers to fill in gaps in their defenses.

Some of the frameworks, tools, standards, and working groups to be considered are, as follows:

  • OpenIOC – Open Indicators of Compromise framework
  • VERIS – Vocabulary for Event Recording and Incident Sharing
  • CybOX – Cyber Observable eXpression
  • IODEF – Incident Object Description and Exchange Format
  • TAXII – Trusted Automated eXchange of Indicator Information
  • STIX – Structured Threat Information Expression
  • MILE – Managed Incident Lightweight Exchange
  • TLP – Traffic Light Protocol
  • OTX – Open Threat Exchange
  • CIF – Collective Intelligence Framework


Incident Object Description and Exchange Format (IODEF) is a standard defined by Request For Comments (RFC) 5070. IODEF is an XML-based standard used to share incident information by Computer Security Incident Response Teams (CSIRTs). The IODEF Data Model includes over 30 classes and subclasses used to define incident data.

IODEF provides a data model to accommodate the most commonly exchanged data elements and associated context for indicators and incidents.


OpenIOC was introduced by Mandiant. It is used in Mandiant products and tools such as RedLine, but has also been released as an open standard. OpenIOC provides definitions for specific technical details including over 500 indicator terms. It is an XML-based standardized format for sharing Threat Indicators.

  • Derived from years of “What Works” for Mandiant
  • Indicator Terms
    • Artifacts on Hosts and Networks
  • Logical Comparisons
    • Groupings, Conditions
  • Ability to Store & Communicate Context
  • Continues to be developed and improved

OpenIOC Process Flow


The Vocabulary for Event Recording and Incident Sharing (VERIS) framework was released by Verizon in March of 2010. As the name implies VERIS provides a standard way for defining and sharing incident information. VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.

  • DBIR participants use the VERIS framework to collect and share data
  • Enables case data to be shared anonymously to RISK Team for analysis

Vocabulary for Event Recording and Incident Sharing (VERIS) Overview


The Collective Intelligence Framework (CIF) is a client/server system for sharing threat intelligence data. CIF was developed out of the Research and Education Network Information Sharing and Analysis Center (REN-ISAC). CIF includes a server component which collects and stores threat intelligence data. Data can be IP addresses, autonomous system numbers (ASNs), email addresses, domain names, uniform resource locators (URLs) and other attributes. The data can be accessed via various client programs.

CIF Architecture

  • CIF is a cyber threat intelligence management system
  • Can combine known malicious threat information from many sources
  • Use information for action: identification (incident response), detection (IDS) and mitigation



CybOX is used for defining details regarding measurable events and stateful properties. The objects that can be defined in CybOX can be used in higher level schemas like STIX. The goal of CybOX is to enable the ability to automate sharing of security information such as CTI. It does this by providing over 70 defined objects that can be used to define measurable events or stateful properties. Examples of objects are File, HTTP Session, Mutex, Network Connection, Network Flow and X509 Certificate.



Structured Threat Information Expression (STIX), developed by Mitre, is used for defining threat information, including threat details as well as the context of the threat. STIX is designed to support four cyber threat use cases:

  • Analyzing cyber threats
  • Specifying indicator patterns
  • Managing response activities
  • Sharing threat information

It uses XML to define threat related constructs such as campaign, exploit target, incident, indicator, threat actor and TTP.

Structured Threat Information Expression (STIX) Architecture

STIX provides a common mechanism for addressing structured cyber threat information across a wide range of use cases:

  • Analyzing Cyber Threats
  • Specifying Indicator Patterns for Cyber Threats
  • Managing Cyber Threat Response Activities
    • Cyber Threat Prevention
    • Cyber Threat Detection
    • Incident Response
  • Sharing Cyber Threat Information



Trusted Automated eXchange of Indicator Information (TAXII), also developed by Mitre, supports sharing of threat intelligence data. The Mitre definition for TAXII states that it “Defines a set of services and message exchanges for exchanging cyber threat information”. These exchanges allow for push or pull transfer of CTI data and are supported by four core services:

  • Discovery
  • Feed management
  • Inbox
  • Poll



Open Threat Exchange (OTX) is a publicly available service created by AlienVault for sharing threat data. AV-OTX cleanses, aggregates, validates and publishes threat data streaming in from a broad range of security devices across a community of more than 18,000 OSSIM and AlienVault deployments. OTX is a centralized system for collecting threat intelligence. It is provided by AlienVault and interoperates with their Open Source SIEM (OSSIM) system, where SIEM stands for Security Information and Event Management. OSSIM is free to use, and OSSIM users can configure their system to upload their threat data to OTX.


The Managed Incident Lightweight Exchange (MILE) Working Group is working on standards for exchanging incident data. The group works on the data format used to define indicators and incidents, and on standards for exchanging that data. The group has defined a package of standards for threat intelligence which includes Incident Object Description and Exchange Format (IODEF), IODEF for Structured Cyber Security Information (IODEF-SCI) and Real-time Inter-network Defense (RID).

Structured Cyber Security Standards


The Traffic Light Protocol (TLP) is a very straightforward and simple protocol. TLP is used to control what can be done with shared information. Shared information is tagged with one of four colors: white, green, amber or red. The color designates what can be done with the shared information. Information tagged white can be distributed without restriction. Information tagged green can be shared within the sector or community, but not publicly. Information tagged amber may only be shared with members of the recipient's own organization. Information tagged red may not be shared. Given its simplicity, TLP can be used verbally, with email, or incorporated into an overall system.

Conclusion – KISS

The simplest way to mine threat intelligence is to leverage the information already on your systems and networks. Many organizations don’t fully mine logs from their perimeter devices and public-facing web servers for threat intelligence. For instance, organizations could review access logs from their web servers and look for connections coming from particular countries or IP addresses that could indicate reconnaissance activity. Or they could set up alerts when employees with privileged access to high-value systems attract unusual amounts of traffic, which could then be correlated with other indicators of threat activity to uncover signs of impending spear-phishing attacks.

Many of the standards are a good fit for organizations with specific needs. If an organization wants to share incident data and be part of the analysis of a broad data set, then VERIS would be the best choice. If an organization wants to share indicator details in a completely public system, then OTX would be a reasonable choice. If an organization is using tools that support OpenIOC, then of course OpenIOC would be the best choice. If an organization is looking for a package of industry standards then the MILE package (IODEF, IODEF-SCI, RID) or the Mitre package (CybOX, STIX, TAXII) would be suitable. Both have the capability to represent a broad array of data and support sharing of that data.

As a recipe for success, it is important to start small, start simple, prototype and evolve as the organization gains confidence and familiarity, then grow the threat sources, communication and collaboration so that there is valid data, analysis and actionable results. Focus on and validate the process.

Next Steps

In future parts we will delve further into practical use cases with examples and implementations, review external feed sources (pros and cons), discuss triage, building context, validation of data and performing analysis, and discuss the development of organization threat profiles based on a risk management process.

In addition, we will be publishing the APT Anomaly Detection blog that complements this work using network flows to baseline a network and detect anomalous activity, so that there isn’t reliance on just one methodology. We will also kick-off the Next Generation Security Operations series that seeks to tie all of the APT Series threads into a holistic architecture and defensive strategy (SoC V2).

Thanks for your interest!

Nige the Security Guy.

APT Red Teams – Part 2


Have you tested your resilience to attack? Addressing security more aggressively and working to identify areas of weakness is a more sensible, and ultimately, more effective approach than working to build a “bigger wall” that you hope attackers can’t get through.

APT Red Teams 2

The Paralyzing Polarization Conundrum

We are at a fascinating point in the evolution of what we now call cyber security defense. Massive data losses, theft of intellectual property, credit card breaches, denial of service – these have become a way of life for all of us. Ironically, as defenders we have access to an extraordinary array of security tools, technology and resources. But all of this technology, information, and oversight has become a veritable “Fog of More” [Source: CSC5]: competing options, priorities, opinions, and claims that can paralyze or distract an organization from vital action.

What are the most critical areas we need to address, how should an enterprise take the first step to maturing their risk management program? Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap of fundamentals, and guidance to measure and improve? Which defensive steps have the greatest value?

The APT Red Teams – Part 2 blog discusses the importance of, and contrasts, the CSIS Top 20 Critical Security Controls, Control 20: Penetration Tests and Red Team Exercises. There are many parallels between APTs and Red Teams. APTs advance on a “continuous area of attack”, leveraging blended, multi-step, targeted and determined attacks, while technology is ubiquitous, constantly being implemented, and is often filled with flaws as soon as it is implemented.

Red Team Goals

The goal of Red Teams is to enhance decision making by challenging assumptions and exploring new ideas, typically from the perspective of an adversary or a competitor. A Red Team, for example, might play the role of an attacker and test the security of a system. Alternatively, a red team might review and assess the assumptions of a strategic plan.

Red Teams are particularly suited to business strategy and planning focused on operational process to validate and evolve it. Whether a Red Team adopts a specific perspective, method, or toolkit depends on the nature of the problem and the circumstances of the Red Team. A Red Team that performs a given type of task repeatedly is likely to develop a process framework and an associated toolkit.

Thinking Outside the Box

Think Outside Box

Ideally, Red Teams should:

  • View the target problem from a systems perspective
  • Shed the cultural biases of the decision maker and, as appropriate, adopt the cultural perspective of the adversary or competitor
  • Employ a multidisciplinary range of skills, talents, and methods
  • Understand how things work in the real world
  • Avoid absolute and objective explanations of behaviors, preferences, and events
  • Question everything (including both their clients and themselves)
  • Break the “rules”

One can argue that the best Red Teams are born, not trained. It seems that some people have an instinctive ability to Red Team, while others—despite extensive training—can never escape the secure but confining convention box.

Be Prepared: Test and Validate

Test and Validate

In January 2014 the Ponemon Institute conducted a Cyber Security Incident Response study. In the study they surveyed 674 IT and IT security professionals in order to determine the level of preparedness of their Computer Security Incident Response Teams (CSIRT).

Most respondents agreed that the best thing that their organizations could do to mitigate future breaches is to improve their incident response capabilities.

How frequently does your organization assess the readiness of your incident response teams
(for instance, through tabletop exercises, red teams, or other means)?

IR Readiness

Assessing Incident Response Readiness

Leveraging Red Teams can help both in testing an organization’s true resilience to attack and in testing its preparedness to respond to and investigate an incident. A vital win-win.

SANS Top 20 Critical Security Controls

The SANS Top 20 Critical Security Controls focus on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “what works”. They prioritize and focus on a smaller number of actionable controls with high payoff, aiming for a “must do first” philosophy. Since the Controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, with very strong consensus on the resulting set of controls, they serve as the basis for immediate high-value action.

CSC 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

Why is SANS Control #20 Critical?

In a complex environment where technology is constantly evolving, and new attacker tradecraft appears regularly, organizations should periodically test their defenses to identify gaps and to assess their readiness. Attackers often exploit the gap between good defensive designs and intentions and implementation or maintenance.

SANS Top 20 Controls

Examples include: the time window between announcement of a vulnerability, the availability of a vendor patch, and actual installation on every machine; well-intentioned policies which have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations and other practices to the entire enterprise, or to machines that come in and out of the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications.

Red Team exercises take a comprehensive approach to the full spectrum of organization policies, processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place, and even of those planned for future implementation.

How to Implement This Control

SANS Control 20

Rules of Engagement

Attackers penetrate networks and systems through social engineering, via phishing attacks and by exploiting vulnerable software and hardware. Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control. For more details on the signature of an advanced targeted threat (APT) see Defensible Security Posture.

A problem that many companies face is that they don’t fully understand the threats against their organizations. Creating a threat profile is a key step in understanding what threats a company faces and the potential impact if an attack were to be successful. A threat profile can also help organizations prioritize resources in order to successfully defend sensitive data. For more information see APT Threat Analytics.

Many organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared to identify and respond to an attack.

Network Security Evaluation

Developing Scenarios to Exercise and Validate Defenses

Organizations should define a clear scope and rules of engagement for penetration testing and Red Team analyses. The scope of such projects should include, at a minimum, systems with the organization’s highest value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and Red Team analyses should describe, at a minimum, times of day for testing, duration of tests, and the overall test approach.

Rules of Engagement differ from exercise to exercise. The end result is designed to incrementally strengthen an organization’s security posture: it assists in the identification of weak areas and highlights the strengths, so as to improve and evolve the minimum security baseline. Some initial avenues used to identify security weaknesses are, for example:

  • Vulnerability scans
  • Device configuration assessment
  • Web application security
  • Firewall rule assessment
  • Segmentation / Zone controls
  • System decomposition and risk analysis
  • Social engineering
  • Malware
  • Specialized tools
  • Passive attacks correlated to back-end logging/alerts

Each test should have a specific goal, and provide different pertinent information. Each test by itself will not provide an overall picture of the current security state of the target system or network, but when all the areas are evaluated and put together, organizations will have a better overall picture of their security posture.

Red Team efforts can identify multiple areas of concern such as:

  • System vulnerabilities
  • Design flaws or weaknesses
  • Personnel complacency
  • Security monitoring flaws
  • Response procedures

Using the above items, it’s possible to conduct a root cause analysis in an effort to assist in shoring up the target system or network. Each area tested is designed to mimic the actual multi-step methods and tools used by a would-be attacker seeking to penetrate deeper or move laterally.


Evaluating and Understanding the TRUE Defensible Posture and Risk

The assessment team should be skilled and have the ability to identify weaknesses and use them to gain access to the target system or network. This provides the opportunity to identify weaknesses, gauge response capabilities, and correct shortcomings. The overall goal of an assessment is to ensure the organization is as secure as possible and is prepared for future incidents.


Nearly every organization can benefit from some form or degree of Red Teaming. Whether the “red team” is a highly structured, formal unit or a self-appointed devil’s advocate, almost every idea, concept, design, or plan benefits from healthy opposition and testing. Aiming a seasoned Red Team at a problem or system at the right time with the proper mandate can steer a decision maker away from an otherwise pending catastrophe, help validate the strategy and direction, and provide useful feedback and lessons learned for other projects.

In APT Red Teams – Part 3 we will develop this foundation further and discuss some actual example Red Team exercises, as techniques, tools and tests to validate a defensible security posture.


Thanks for your interest!

Nige the Security Guy.