Analysis of four APT detection and defense solutions: decomposing the APT attack step by step

Source: Internet
Author: User

APT (advanced persistent threat) attacks are advanced attacks that have emerged in recent years. They are characterized by being hard to detect, lasting a long time, and having clearly defined targets. Traditional intrusion detection and defense methods based on attack signatures perform poorly at detecting and defending against APTs, so security vendors are studying new methods and proposing a variety of solutions. At this year's RSA Conference a large number of security vendors gathered and presented many APT security solutions. Here we sort them out and share them with you.

  APT attack process decomposition

The entire APT attack process consists of five steps: targeted information collection, single point of attack breakthrough, control channel construction, internal horizontal penetration, and data collection and uploading:

  1. Targeted information collection

Targeted information collection: attackers collect information about the network systems and employees of a specific organization. There are many ways to collect it, including covert network scanning and social engineering. Judging from known APT attacks, most start with the organization's employees, so attackers pay great attention to collecting information about them, including their Weibo posts and blogs, in order to understand their social relationships and hobbies. They then use social engineering to attack the employee's computer and enter the organization's network from there.

  2. Single point of attack breakthrough

Single point of attack breakthrough: after collecting enough information, the attacker uses malicious code to attack an employee's personal computer. The attack methods include:

1) Social engineering. For example, the attacker sends the employee an email with an attachment containing malicious code; when the employee opens the attachment, the computer is infected.

2) Remote vulnerability attacks, such as placing a web page trojan on a website that employees visit frequently. When an employee visits the site, the page's code attacks the browser; this is the "watering hole" attack method that RSA described last year.

The malicious code often exploits unknown (zero-day) system vulnerabilities that existing anti-virus and personal firewall tools cannot see. The end result is that the employee's personal computer is infected with malicious code and completely controlled by the attacker.

  3. control channel construction

Control channel construction: after the attacker controls an employee's personal computer, a channel back to the attacker is needed to receive further attack commands. The attacker establishes a command and control channel between the controlled computer and the attacker's control server. Currently this channel is mostly built over HTTP so that it passes through the organization's firewall like ordinary web browsing; more advanced command and control channels are built over HTTPS, which also hides the command content from content inspection at the boundary.

  4. Internal horizontal penetration

In general, the employee's personal computer that the attacker first broke into is not what the attacker is after; the attacker is interested in other servers inside the organization that hold important assets. The attacker therefore uses the employee's computer as a stepping stone for horizontal (lateral) penetration within the network, attacking more PCs and servers. The methods used include password eavesdropping and vulnerability exploitation.

  5. Data collection and uploading

Data collection and uploading: during internal horizontal penetration and a long period of latency, attackers deliberately collect important data assets on servers, then compress, encrypt and package the data and transmit it back to the attacker through a concealed data channel.


  APT detection and defense solution classification

Looking at the entire APT attack process, several steps are key to carrying out an APT attack: breaking into an employee's personal computer with malicious code (the single point breakthrough), the attacker's horizontal penetration, obtaining the attacker's commands through the control channel, and the final transfer of sensitive data. Current APT detection and defense solutions are built around these steps.

We have sorted out the APT detection and defense solutions collected at the RSA Conference and divided them into the following four categories according to the APT attack stages they cover:

  1. Malicious code detection solutions:

This type of solution mainly covers the single point of attack breakthrough stage of the APT attack process and is used to detect the malicious code propagated during the attack. Most APT attacks use malicious code against employees' personal computers to break through the target network's defenses, so malicious code detection is crucial for detecting and defending against APT attacks. Since that code often exploits unknown vulnerabilities (see step 2), detection here cannot rely on known signatures alone.

  2. Host application protection solutions:

This type of solution mainly covers the single point of attack breakthrough and data collection and uploading stages of the APT attack process. Whichever channel the attacker uses to deliver malicious code to an employee's personal computer, the code must execute on that computer before the attacker can control it. Therefore, strengthening the security measures on each host in the system, to protect both employees' personal computers and the servers, can effectively defend against APT attacks.

  3. Network intrusion detection solutions:

This type of solution mainly covers the control channel construction stage of the APT attack process. An intrusion detection system deployed at the network boundary is used to detect the command and control channels of APT attacks. Security analysts have found that although APT attacks use many malicious code variants and upgrade them frequently, the communication patterns of the command and control channels those variants build do not change often, so traditional intrusion detection methods can be used to detect APT command and control channels. The key to success for this type of solution is obtaining the detection signatures of the command and control channels of the various APT attack methods in a timely manner.
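As an added illustration of the HTTP command channel from step 3 and the boundary detection this category performs, here is a small Python example that is not from the article or from any vendor's product. It runs two checks over constructed proxy log lines in a hypothetical format: a signature match on the stable URL and User-Agent pattern that a malware family keeps across variants, and a behavioral check that flags client/host pairs whose request timing is too regular to be a person browsing. The log format, the signature and the threshold values are assumptions.

```python
"""Beacon and signature detection over HTTP proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from any real environment).
# Assumed format: "<ISO time> <client ip> <method> <url> <status> "<user agent>""
SAMPLE_LOG = """\
2013-03-04T09:00:00 10.1.2.3 GET http://update-check.example.net/img/1.gif 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2013-03-04T09:05:01 10.1.2.3 GET http://update-check.example.net/img/1.gif 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2013-03-04T09:10:00 10.1.2.3 GET http://update-check.example.net/img/1.gif 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2013-03-04T09:15:02 10.1.2.3 GET http://update-check.example.net/img/1.gif 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2013-03-04T09:20:00 10.1.2.3 GET http://update-check.example.net/img/1.gif 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2013-03-04T09:01:13 10.1.2.3 GET http://www.example.com/news 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
2013-03-04T09:07:44 10.1.2.3 GET http://www.example.com/sports 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
2013-03-04T09:33:02 10.1.2.3 GET http://www.example.com/weather 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
2013-03-04T09:02:00 10.1.2.7 GET http://www.example.com/news 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
2013-03-04T09:31:00 10.1.2.7 POST http://cdn.example.org/index.asp 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$'
)

# Hypothetical C2 signature: the kind of stable pattern the article says a
# malware family keeps across its variants (URL shape plus an old User-Agent).
SIGNATURES = [
    {"name": "fake-gif-poll",
     "url": re.compile(r"/img/\d+\.gif$"),
     "ua": re.compile(r"MSIE 6\.0")},
]


def parse_log(text):
    """Parse proxy log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["host"] = re.sub(r"^https?://", "", e["url"]).split("/", 1)[0]
        events.append(e)
    return events


def match_signatures(events):
    """Signature detection: distinct (client, host, signature) hits."""
    hits = set()
    for e in events:
        for sig in SIGNATURES:
            if sig["url"].search(e["url"]) and sig["ua"].search(e["ua"]):
                hits.add((e["src"], e["host"], sig["name"]))
    return sorted(hits)


def find_beacons(events, min_requests=5, max_jitter=0.1):
    """Behavioral detection: (client, host) pairs whose request intervals are
    nearly constant, i.e. a timer-driven poll rather than human browsing.
    Jitter is stddev/mean of the gaps; returns {pair: average period in s}."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("signature hits:", match_signatures(evs))
    print("beacons (average period, seconds):", find_beacons(evs))
```

The two checks are complementary: the signature fires the moment a known pattern appears but needs the timely signature feed the paragraph mentions, while the jitter test catches an unknown family after only a handful of polls and is unaffected by the channel moving to HTTPS, since it uses timing and destination only.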

  4. Big data analysis and detection solutions:

This type of solution does not focus on detecting one step of the APT attack; it covers the entire APT attack process. It is a network forensics approach: raw traffic is collected from every network device and logs from every terminal and server, and the resulting massive data set is stored and analyzed in depth. Once a trace of an APT attack is discovered, the whole attack scenario can be restored by comprehensively analyzing this data. Because this involves processing massive amounts of data, a big data storage and analysis platform must be built; the typical platform is Hadoop.
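The correlation this category describes, restoring the attack scenario from one initial trace, can be shown with an added Python example that is not from the article or from any product. It starts from a single IDS alert and walks a set of constructed events from five log sources, covering the horizontal penetration of step 4, the data upload of step 5 and the whole-scenario reconstruction described here. The event fields, host names, the "network logon" criterion for lateral movement and the 50 MB upload threshold are assumptions.

```python
"""Reconstructing an APT attack scenario from correlated logs (added example)."""
from datetime import datetime


def t(s):
    """Parse the ISO timestamps used in the constructed events below."""
    return datetime.fromisoformat(s)


# Constructed events from five log sources as they might sit in a central
# store after collection. Every event carries a source type, a time and the
# host it concerns; other fields depend on the source. Not a real incident.
EVENTS = [
    {"src": "mail", "ts": t("2013-03-01T08:12:00"), "host": "pc-wang", "user": "wang",
     "sender": "hr@partner-example.net", "attachment": "bonus_plan.xls"},
    {"src": "endpoint", "ts": t("2013-03-01T08:13:10"), "host": "pc-wang",
     "parent": "excel.exe", "child": "svchost_update.exe"},
    {"src": "proxy", "ts": t("2013-03-01T08:15:00"), "host": "pc-wang",
     "dest": "update-check.example.net", "bytes_out": 512},
    {"src": "auth", "ts": t("2013-03-02T14:20:00"), "host": "fileserver1",
     "from_host": "pc-wang", "user": "wang", "logon_type": 3},
    {"src": "auth", "ts": t("2013-03-02T14:25:00"), "host": "dbserver1",
     "from_host": "fileserver1", "user": "admin", "logon_type": 3},
    {"src": "auth", "ts": t("2013-03-02T14:40:00"), "host": "fileserver1",
     "from_host": "pc-li", "user": "li", "logon_type": 3},
    {"src": "proxy", "ts": t("2013-03-03T02:10:00"), "host": "dbserver1",
     "dest": "cdn-example.org", "bytes_out": 180_000_000},
    {"src": "proxy", "ts": t("2013-03-03T09:00:00"), "host": "pc-li",
     "dest": "www.example.com", "bytes_out": 2_000},
    {"src": "ids", "ts": t("2013-03-03T10:00:00"), "host": "pc-wang",
     "dest": "update-check.example.net", "alert": "C2 beacon"},
]


def lateral_closure(events, seed_host):
    """Follow network logons (type 3) outward from seed_host and return every
    host reached, in the order found. A logon from an already-compromised
    host counts; a logon into one of them from an unrelated host does not."""
    reached = [seed_host]
    changed = True
    while changed:
        changed = False
        for e in sorted(events, key=lambda e: e["ts"]):
            if (e["src"] == "auth" and e["logon_type"] == 3
                    and e["from_host"] in reached and e["host"] not in reached):
                reached.append(e["host"])
                changed = True
    return reached


def reconstruct(events, alert, exfil_bytes=50_000_000):
    """Start from one IDS alert and assemble a stage-labelled timeline.
    Returns (compromised hosts, [(stage, time, description), ...])."""
    host = alert["host"]
    timeline = []
    # Steps 2 and 3: first contact with the C2 destination, and what happened
    # on the host just before it (the lure e-mail and the process it spawned).
    first_c2 = min((e for e in events if e["src"] == "proxy" and e["host"] == host
                    and e["dest"] == alert["dest"]),
                   key=lambda e: e["ts"], default=None)
    if first_c2 is not None:
        for e in events:
            if e["host"] == host and e["ts"] < first_c2["ts"]:
                if e["src"] == "mail":
                    timeline.append(("breakthrough", e["ts"],
                                     f"mail from {e['sender']} with {e['attachment']}"))
                elif e["src"] == "endpoint":
                    timeline.append(("breakthrough", e["ts"],
                                     f"{e['parent']} spawned {e['child']}"))
        timeline.append(("control channel", first_c2["ts"],
                         f"{host} first contact with {first_c2['dest']}"))
    # Step 4: lateral movement between hosts reachable from the first victim.
    compromised = lateral_closure(events, host)
    for e in events:
        if e["src"] == "auth" and e["from_host"] in compromised and e["host"] in compromised:
            timeline.append(("lateral", e["ts"],
                             f"{e['from_host']} -> {e['host']} as {e['user']}"))
    # Step 5: large uploads from any compromised host.
    for e in events:
        if e["src"] == "proxy" and e["host"] in compromised and e["bytes_out"] >= exfil_bytes:
            timeline.append(("exfiltration", e["ts"],
                             f"{e['host']} sent {e['bytes_out']} bytes to {e['dest']}"))
    timeline.sort(key=lambda x: x[1])
    return compromised, timeline


if __name__ == "__main__":
    alert = next(e for e in EVENTS if e["src"] == "ids")
    hosts, steps = reconstruct(EVENTS, alert)
    print("compromised:", hosts)
    for stage, ts, what in steps:
        print(f"{ts:%Y-%m-%d %H:%M}  {stage:15} {what}")
```

Note that the pivot runs in both directions from the alert: backwards on the alerted host to find the lure and the process it spawned, forwards across hosts to find where the attacker went and what left the network. The upload from dbserver1 would not stand out on its own, two hops away from the alerted PC; it is the join across sources that makes it part of the story, which is why this category needs everything retained in one place rather than per-device alerts.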
