How to solve the apt defense dilemma? Apt defense form is a serious and arduous task

Source: Internet
Author: User
Keywords: APT defense


In recent years, with the development of Internet technology, cloud computing, built on virtualization and high-speed networks, has come to be regarded as an important change in the future of the Internet era. As cloud computing gradually lands, Internet users face more and more security problems. The higher cloud computing climbs, the more inefficient the earlier scattered attacks on individuals become; hackers will instead focus dedicated, professional APT attacks on the cloud computing platform in order to obtain the largest and most central body of confidential data, thereby causing the greatest damage or obtaining the greatest benefit. Several foreign media outlets have boldly predicted that once cloud computing is established, client-side security will no longer be the big problem; attention should go to the cloud platform, the data center, the DMZ, the server zone and other points where APT attacks aggregate.



Compared with the professionalism and complexity of an APT attack, it is very difficult for enterprises to guard against it. Hackers secretly collect a large amount of information by means of social engineering, while the targets know nothing about it. The resulting information asymmetry is what makes APT attacks so hard to defend against.



As for the current state of APT defense, traditional security software is mainly designed to stop viruses and trojans and cannot effectively stop vulnerability exploitation. Only once a vulnerability is being exploited by hackers on a large scale do security vendors get the chance to monitor it. Traditional detection techniques such as firewalls, intrusion detection, security gateways, anti-virus software and anti-spam systems mainly detect at the network boundary and the host boundary; they lack the ability to detect unknown attacks and to analyze traffic in depth. This kind of lagging response can no longer keep up with the new security situation.



How to solve the apt defense dilemma?



According to Coley, an APT attack that uses a 0-day vulnerability is an unknown attack and is very difficult to defend against. Difficult as it is, dynamic detection technology, recognized across the industry, is an effective means of defense: a sample is run and all of its behavior observed in order to detect whether it carries malicious APT attack code. However, an advanced Trojan actively checks that it matches the target host environment, and only a matching environment induces the sample's Trojan behavior. The technology also has its deficiencies: some advanced Trojans carry a variety of escape techniques and even decide whether they are inside a virtual machine by checking for signs of human activity, so as to avoid exposing themselves. The advantage therefore still lies with the Trojan's ability to escape detection, and whether the Trojan can be detected at all is the key question. For that reason, detection based on hardware instruction simulation is a better countermeasure; it is understood that this is the technology adopted by FireEye, and at present only Coley is applying it.



However, for APT defense, dynamic detection covers only the attack phase, that is, the malicious code or samples themselves; the behavior analysis before and after the attack requires abnormal traffic detection technology and the retrieval technology of a full-flow audit. Once a Trojan attack succeeds and the Trojan lurks, it uses covert channel techniques to evade inspection: its heartbeat data is very small, often even encrypted, and mixed into a large volume of traffic, so identifying it is like finding a needle in a haystack. This requires very precise application and protocol identification technology and, to some extent, the establishment of an abnormal behavior model, that is, abnormal traffic detection technology. According to Coley, no matter how the attackers hide, as long as they transmit through the network they produce corresponding data, so a full-flow security audit is an essential technology for APT security detection. Only by recording full-flow data, analyzing the network data in depth at the same time, and establishing a private cloud can enterprises discover, track and gather evidence of an APT and defend against it.
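As an added illustration of the abnormal behavior model described above (this is example code, not code from the article or from Coley's product): a small Python check that flags near-periodic, low-volume heartbeat sessions in flow records. The record layout, the constructed sample flows and the thresholds are assumptions.

```python
# Added example (not from the article or any vendor product): a minimal
# "abnormal behaviour model" for beacon traffic.
# Assumptions: flow records are (timestamp_seconds, src, dst, dport, bytes);
# a beacon shows many small, near-periodic flows to one destination.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: one host beacons about every 60 s (+/- 2 s) with
# ~300 bytes; the rest is ordinary, irregular web traffic with larger payloads.
FLOWS = (
    [(60 * (i + 1) + (i % 3), "10.0.0.5", "203.0.113.9", 443, 290 + (i % 4) * 5)
     for i in range(12)]
    + [(t, "10.0.0.7", "198.51.100.20", 443, b)
       for t, b in [(5, 4200), (48, 91000), (61, 1500), (300, 2300),
                    (310, 53000), (321, 7000), (500, 12000), (650, 800)]]
    + [(t, "10.0.0.5", "198.51.100.21", 80, b)
       for t, b in [(12, 20000), (140, 35000), (141, 600)]]
)

def find_beacons(flows, min_flows=8, max_cv=0.15, max_bytes=2000):
    """Return (src, dst, count, mean_interval) for sessions that look like heartbeats.

    A (src, dst) pair is flagged when it has at least min_flows flows, every
    flow is small (<= max_bytes), and the coefficient of variation of the
    inter-arrival times is below max_cv, i.e. the timing is near-periodic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    hits = []
    for (src, dst), items in by_pair.items():
        if len(items) < min_flows:
            continue                      # too few flows to judge periodicity
        items.sort()
        if max(b for _, b in items) > max_bytes:
            continue                      # bulk transfer, not a tiny heartbeat
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg           # jitter relative to the period
        if cv <= max_cv:
            hits.append((src, dst, len(items), round(avg, 1)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print("possible beacon:", hit)
```

The thresholds are deliberately simple; in practice they would be tuned per environment and combined with the protocol identification the text mentions, since legitimate software (update checks, monitoring agents) also polls periodically.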



Coley's APT defense solution and thinking



Based on the above ideas, Coley has developed a complete APT solution divided into a front end, an analysis center and a back end, covering abnormal traffic analysis, dynamic analysis and full-flow backtracking analysis.



Using abnormal traffic and dynamic analysis technology, the user can discover network anomalies and unknown high-risk file-type Trojans, then use the full-flow recording device (the backtracking system) to retrieve the attack data for packet-level analysis. The system also has a blocking function that can block high-risk sessions and domain-name access to protect internal users and stop losses in time. This lets the APT solution form a closed loop from anomaly discovery to forensics and blocking.



As a targeted means of attack, an APT is hard to detect when it is not attacking, and it cannot be swept out in seconds like ordinary Trojans and viruses. So for users, even with an APT defense solution in place, it is hard to actually feel its strengths and weaknesses and the value it brings, yet once a problem occurs its impact is unprecedented. Therefore, in addition to deploying an APT defense solution, Coley offers enterprises the following suggestions for defending against APT attacks:



1. In terms of mindset, enterprise security departments should attach great importance to this and not assume that APT attacks are far away from them.



2. In the target-locking and information-gathering stage of an APT attack it is difficult to defend by technical means; the defense has to come from the management system. In the penetration stage, defense can be implemented with hardware-simulation dynamic analysis, black and white lists, abnormal traffic detection, full-flow audit technology and big-data analysis, which together involve the ability to detect unknown attacks and to analyze traffic in depth. At this point Coley's complete APT solution becomes a multi-dimensional defense plan the enterprise can choose.



APT defense is a serious and arduous task



Today, as cyberspace draws more and more attention, APT attacks have already become a means of national confrontation in cyberspace, and one that cannot be avoided. The global information monitoring conducted by the United States-led Five Eyes together with other countries will further push the world's attention toward confrontation in cyberspace.



APT attacks are one of the main forms of national network confrontation, and we need to learn from America's investment and planning in network security. However, defending against APT attacks is far harder for us than for the United States, because the United States controls a large share of the network resources and network technology: root domain servers, operating systems, chips, switches, routers and so on. We have to build a defense system that is not just dynamic detection of malicious code or "next-generation" security products that are traditional products with slight alterations; it must have APT detection means as effective as those of a foreign security enterprise such as FireEye, together with data traceability, so that APT attacks can be discovered, tracked, forensically examined and defended against.




