Some APT talks – Part 2 – Detect the Undetected

We discussed APT and its attack vectors in Part 1. Now the important question is how we plan the mitigation strategies. There are multiple solutions in the market that offer different tools to mitigate APTs effectively. It would be boring and repetitive if I went through the best practices and technologies I have already discussed in this forum, such as user awareness, password policies and patching. Instead we will have a look at something new: deception, a proactive way of dealing with these sorts of cyber attacks.

Deception technology is a new category of cyber security designed to meet the new threats of the cyber battlefield, and it is quickly emerging as the next phase in fighting cybercrime. Having said that it is a new category, deception is not a new technique. Previously it was known as honeypots: servers or systems set up to gather information about an attacker or intruder in our system or network.

In this way we are able to learn how malicious intruders attempt to gain access to our network or systems. We can track all of the intruders' activities, which gives us information about the attack methodologies they use and helps us protect our real production systems better. One thing you need to make sure of when placing honeypots is what traffic you allow the intruder to send back out to the Internet. If you let the honeypot send traffic toward anything related to your actual production systems, it becomes a launch point for attacks against those systems.

With the help of honeypots we can detect the attack as early in the cycle as possible and act on it when it actually does occur. But don't think the hackers are that foolish! If they gain access to some application that quickly, they will surely sense a trap in it. In no time they will identify that it is a honeypot and start doing things that confuse us even more. So when you place honeypots, place them smartly, making sure that your honeypot is as secure as your production web server. In this APT era it is not that easy to trap a hacker. Since they will already have done their homework before planning the first phase, it is even more important that we understand which data and accounts the attacker is going to examine, so that the decoy applications respond with up-to-date data that is relevant to our organization.

We need to look for next-generation honeypots in a new, matured form called deception technology, powered by virtualization techniques. Rather than going through logs or traffic to see what the attacker has done, with deception technologies we get an alert. Once our cyber security operations center receives that alert, it can take a close look, identify more about the activity and immediately plan the mitigation strategies for the actual systems. So even when it is an APT attack, the deception solution we are using will inform us about the attack or the abnormal traffic behaviour, and with that alert our SOC team can check it in detail. As I mentioned earlier, I don't think the traditional honeypot approach is as effective as this. With the traditional approach we can identify what the attackers have done, but we cannot take action in real time.
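As an added example (not part of the original article), here is a minimal TCP decoy in Python that shows the alerting idea above: it answers with a realistic-looking banner, and because no legitimate client ever connects to a decoy, every connection from a non-allowed source is turned into an alert record immediately instead of being left in a log to review later. The allowed-source address and the SMTP banner are assumptions constructed for this example.

```python
import socket
import threading
import time

# Sources allowed to touch the decoy silently (e.g. our own scanner); assumed value.
ALLOWED_SOURCES = {"10.0.0.5"}


class Decoy:
    """Minimal TCP decoy: any connection from a non-allowed source is an alert."""

    def __init__(self, banner=b"220 mail.example.internal ESMTP\r\n"):
        self.banner = banner          # constructed banner; mimics a real service
        self.alerts = []              # alert records handed to the SOC
        self.alerted = threading.Event()

    def start(self):
        # Bind an ephemeral loopback port and serve in a background thread.
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]
        self.sock.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self):
        while True:
            conn, (src, _) = self.sock.accept()
            with conn:
                conn.sendall(self.banner)
                conn.settimeout(1.0)
                try:
                    data = conn.recv(256)   # capture what the intruder sends
                except socket.timeout:
                    data = b""
            self.record(src, data)

    def record(self, src, data):
        """Turn one interaction into an alert unless the source is allowed."""
        if src in ALLOWED_SOURCES:
            return None
        alert = {"when": time.time(), "src": src, "port": self.port,
                 "first_bytes": data[:64]}
        self.alerts.append(alert)
        self.alerted.set()
        return alert


def probe(port, payload):
    # Client helper: connect, read the banner, send payload, return the banner.
    with socket.create_connection(("127.0.0.1", port)) as c:
        banner = c.recv(128)
        c.sendall(payload)
    return banner
```

In a real deployment the alert record would be forwarded to the SOC's alerting pipeline, and the decoy host's outbound traffic would be restricted so it cannot reach production systems.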

This gives us some insight into how deception technologies can be effective when we plan to mitigate APT attacks. Rather than setting everything up ourselves, the solution does all the emulation for us and provides reports. The trap looks identical in every way to our real IT assets. Some people are overconfident enough to use copies of production data to make it extremely difficult for the attacker to tell whether it is real or not. I won't recommend that approach, as it is risky, even though I agree it buys you time to fix the problem with the real production data.

Deception can play an important role as the next line of defence, detecting intrusions before an attack is completed and damage is done. It is high time for us to look at deception technologies to outsmart the hackers and protect our company's assets and brand.

Authored by Aju Nair
