How can we defend against APT attackers who have a large degree of control?

Source: Internet
Author: User

When our traditional defenses fail, what can we do next to prevent APTs (advanced persistent threats) and targeted attacks? A good attitude is to assume that the attacker is already inside the internal network, because this forces us to rethink our current protection measures.

Understanding targeted attacks: how do we defend ourselves?

In the previous article, Understanding Targeted Attacks: What Are We Really Fighting Against?, I talked about the advantages attackers hold in APTs and targeted attacks, and about how important it is to accept that fact in order to handle such attacks correctly. Now we need to talk about the difficult part: what do we do once we realize that the attacker has a great degree of control?

Remember that even if attackers have more control than we do, it does not mean that we have none. We do, and it is very important to make good use of the control we have in dealing with targeted attacks.

Control the Network Perimeter

Of course, to make full use of any form of control, you must first fully understand what you actually have. Firmly controlling who and what can access the network, and at what level of permission, may sacrifice some convenience for most employees, but given the risk posed by APTs and targeted attacks it is important to put security first.

Part of the work of knowing your network is developing a deep understanding of the operations, processes, events and actions that we consider normal. Knowing what is actually normal helps you identify anomalies faster and more accurately.

Once the network scope is confirmed, another key is to have measures in place to monitor the network: visibility into, and control over, any network access. One technology that helps network administrators do this is DNS Response Policy Zones (RPZ). DNS RPZ provides a scalable way to manage network connections; with its domain-name blacklist mechanism you can create a safer network environment.
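How an RPZ zone actually drives a resolver's decisions is easier to see in code. The following is an added example, not code from the article or from any DNS server software: a small Python model of RPZ QNAME-trigger evaluation. It parses constructed zone-file lines (the zone name rpz.example.internal. and every .test domain are made up for this example) and applies the two rules a resolver follows for QNAME triggers, exact match first and then the longest matching wildcard, mapping the special CNAME targets (., *., rpz-passthru., rpz-drop., rpz-tcp-only.) to their actions. It deliberately leaves out the other RPZ trigger types (client IP, response IP, NSDNAME, NSIP) and the ordering rules that apply when several policy zones are configured.

```python
"""Minimal model of DNS RPZ (Response Policy Zone) QNAME-trigger evaluation.

Added example, not part of the original article and not the code of any real
resolver.  The zone name and all domains below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed RPZ zone content.  Owner names are relative to $ORIGIN, exactly as
# they would be in a zone file loaded by a resolver's response-policy config.
SAMPLE_ZONE = """
$ORIGIN rpz.example.internal.
; owner                 TTL  class type  target
bad-domain.test         300  IN   CNAME .                          ; NXDOMAIN for the name
*.bad-domain.test       300  IN   CNAME .                          ; ...and for every subdomain
ads.tracker.test        300  IN   CNAME *.                         ; NODATA (empty answer)
*.tracker.test          300  IN   CNAME sinkhole.example.internal. ; redirect to a walled garden
allowed.tracker.test    300  IN   CNAME rpz-passthru.              ; exemption: answer normally
c2.evil.test            300  IN   CNAME rpz-drop.                  ; send no response at all
"""

# The CNAME target encodes the policy action.  Anything not listed here is
# treated as local data, i.e. a redirect to that name.
_SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP_ONLY",
}


@dataclass(frozen=True)
class Decision:
    action: str              # NXDOMAIN | NODATA | PASSTHRU | DROP | TCP_ONLY | REDIRECT | NONE
    rule: Optional[str]      # owner name of the rule that fired, None if no policy applied
    target: Optional[str]    # redirect target for REDIRECT, otherwise None


def parse_rpz_zone(text: str) -> Dict[str, str]:
    """Parse 'owner TTL IN CNAME target' lines into {owner: target}.

    Comments (';'), directives ('$ORIGIN' ...) and blank lines are skipped.
    Only QNAME-trigger CNAME records are supported; other RR types are ignored.
    """
    rules: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop trailing comment
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "CNAME":
            continue
        owner = fields[0].lower().rstrip(".")
        rules[owner] = fields[4].lower()               # keep the target's trailing dot: "." vs "*."
    return rules


def _decide(owner: str, target: str) -> Decision:
    action = _SPECIAL_TARGETS.get(target)
    if action is not None:
        return Decision(action, owner, None)
    return Decision("REDIRECT", owner, target)


def evaluate_qname(rules: Dict[str, str], qname: str) -> Decision:
    """Apply QNAME-trigger matching to one query name.

    An exact owner match wins.  Otherwise the longest matching wildcard
    ('*.parent') wins.  '*.x' never matches 'x' itself, which is why RPZ zones
    list both 'x' and '*.x' when a whole domain should be blocked.
    """
    name = qname.lower().rstrip(".")
    if name in rules:
        return _decide(name, rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):                  # most specific parent first
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return _decide(candidate, rules[candidate])
    return Decision("NONE", None, None)


SAMPLE_RULES = parse_rpz_zone(SAMPLE_ZONE)

if __name__ == "__main__":
    # Constructed query names to show each policy outcome.
    for q in ["bad-domain.test", "www.bad-domain.test", "ads.tracker.test",
              "cdn.tracker.test", "allowed.tracker.test", "c2.evil.test.", "example.org"]:
        d = evaluate_qname(SAMPLE_RULES, q)
        print(f"{q:24} -> {d.action:9} rule={d.rule} target={d.target}")
```

Every non-NONE decision is a policy hit worth logging with the client address and the rule that fired; those hits are exactly the "exceptions to normal" the previous paragraph talks about, and are a cheap feed for detection.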

Deploy Inside-Out Protection

Traditional defense focuses on hardening the firewall and filtering out bad elements with blacklists. Today this "outside-in" strategy is still effective against common, simple attacks, but it does not help against APTs and targeted attacks. Traditional defense is built to stop attacks whose form and source are easy to identify, and targeted attacks are neither.

Traditional defense

A good model of defense is Minas Tirith, the capital of Gondor in The Lord of the Rings. The city is laid out with the citadel at the center, surrounded by seven concentric walls. Each wall is higher than the one before it; the outermost wall is the lowest but also the strongest. Each wall has a gate, but no gate lines up directly with the next one: each is placed on a different side of the city. In military strategy this is called "defense in depth". It is effective because it not only protects against external attacks but also hinders attacks that originate inside. Applied to network defense, it corresponds to deploying multiple layers of protection and encrypting critical data.

Defense in depth

The walls also embody another important strategy: making it progressively harder for the attacker to advance. Sentinels standing on the high walls have a bird's-eye view of the slightest movement. At the same time, the archers not only defend against enemies outside the wall but can immediately engage enemies who have already appeared inside. In information security terms, network monitoring provides this visibility and gives the defender a considerable degree of control over both external and internal attacks.

Assume the system has already been breached, and act accordingly

Looking back at Middle-earth, the first wall of the supposedly unbreakable city of Gondor was eventually broken by the army of the Dark Lord Sauron. Similarly, when our traditional defenses fail, how do we stop APTs and targeted attacks? A good attitude is to assume that the attacker is already inside the internal network, because this forces us to rethink our current protection measures.

Source: Understanding Targeted Attacks: How Do We Defend Ourselves?
