Prevent APT from relying only on firewall, ISP, and anti-virus software

Once, security technology had to avoid a series of Event Notifications. Adjusting the system to only notifying identified malicious attack events is the primary task. Your Firewall must be very certain that these inbound packets do not belong to established network connections, or the intrusion defense system must be able to clearly state that these packets are being attacked by a vulnerability to trigger an alarm.

In the 20th century or even the beginning of the 21st century, we were used to making everything clear. Firewalls told me everything was normal, IPS told me everything was normal, and anti-virus software told me everything was clean; so everything works, right? Wrong. This short-sighted security approach is one of the reasons for the success of targeted attacks across the world.

In reality, the old saying that doesn't see trees can't say anything about them. We pay too much attention to "known malware" because we want to streamline and centralize analysis and process "normal", which puts us at risk by ignoring the context.

Imagine a security monitor in the corridor outside your server room lighting a person and asking us to call him Dave. Using both the gait recognition and face recognition can identify Dave, and the system can even point out that he is wearing a cleaner uniform, which is good because Dave is a cleaner. Dave approached the door of the server room and opened the door with his NFC card because the security monitor and access control system were already online. The second monitor in the server room also confirmed Dave had entered the door and everything was fine.

According to the short-sighted model, these events will be discarded and put into the log folder to be cleared, because "There is nothing worth looking at here ", but the context of these events is very precious for what we want to monitor ......

If Dave is not doing well-known behaviors like floor cleaning in the server room, but sitting in front of a server, he starts typing on the keyboard. This is obviously not a good thing. It should be a wake-up call somewhere. But if we get rid of all the contexts that our smart brains remember and relate to, what else is there? Is a person using a computer in the server room? The Alert team withdrew and the incident certainly belongs to the "nothing worth seeing here" folder.

In the age of APT advanced persistent penetration attacks, the security event monitoring rules have also changed. Unless we begin to take advantage of the opportunities brought about by massive data management and event association, unless we begin to expand the data that can be used by our security information and event management systems, otherwise, highly targeted attacks will continue to escape our monitoring. Attackers can use legitimate user identity authentication and trust relationships to stay in your most sensitive network for a long time and freely traverse loose security technologies.

Unless you learn to take two steps back to view the event, you will still only meet the tree instead of the forest. Context is king.

@ Original Source: Perspective Matters: Contextual Security