Detecting DarkHotel and Advanced Persistent Threats: Security that Moves Beyond Signature Detections
Author: Amritam Putatunda.
Not so long ago, Brian Dye, senior vice president for information security at Symantec, said that antivirus is “doomed to failure.” Dye was actually talking about the change in the behavior of cyber criminals: attacks are now focused more on denial-of-service assaults, phishing, spamming, and network intrusion than on randomly mass-mailing malicious executable files to millions of people.
This tectonic shift in attackers’ methodology has made most anti-virus solutions largely ineffective at stopping modern cyber attacks, and has pushed network security devices forward as the more effective tools for detecting and mitigating them. Most present-day network security devices rely on deep packet inspection and signature matching against known malicious files and content to identify attacks; some newer tools add sandboxing to catch potential zero-days. If the trends in modern attacks are any indication, even these techniques may in the future prove futile at preventing or detecting sophisticated Advanced Persistent Threats (APTs).
The recently discovered Darkhotel APT is a great example of such an attack, and the fact that it remained undiscovered for more than five years (the Kaspersky Lab report suggests that Darkhotel server logs show connections as early as Jan 1, 2009) is a testimony to its sophistication and resilience. It is well known that modern cyber criminals now operate like well-organized institutions, with focused targets and agendas. However, the Darkhotel APT took the game a notch higher, with unique features such as pre-identified target groups, the ability to consistently discover and exploit zero-day vulnerabilities, virtual-machine execution sensors, time-bound execution, self-destruction routines, selective viral infection routines, and so on.
Each of its steps was carefully crafted to deliver maximum damage while making minimal noise, which is why it has become one of the most holistic APTs we have ever known. It also had all the ingredients to evade older signature-based and even newer sandbox-based detection and mitigation techniques. The point to note is that, because of its dynamic nature, it can still resurface and find another set of zero-days to exploit.
The early detection and mitigation of such APTs may become a completely different ballgame in the future, where security mechanisms will need to collect, match, and detect malicious behavior patterns by investigating millions of past and present network incidents. Even for the smartest of attackers, deleting their footprints from the network is extremely difficult. This is where our chance to catch them lies: in scrutinizing network logs, both historical and real-time. Several security analytics tools are working in this area right now, and hopefully in the future we will be able to nip such attacks in the bud at the earliest possible stage.
Fig. 1: Finding malicious patterns hidden within several seemingly benign transactions.
However, one big issue with such tools is their accuracy in finding such patterns; a low trust factor can make them completely unusable, since they could flag innocent activity or miss the culprits. The challenge is to analyze both runtime and historical logs and find malicious patterns and sequences in the haystack of data almost every time. The algorithms need to be extremely efficient at avoiding false positives, false negatives, and other failures in detecting malicious patterns.
This is where Ixia’s BreakingPoint solution can play a key role. Its highly editable applications, attacks, and actions allow testers to create millions of network transactions spanning hundreds of network endpoints. Users can also create and inject specific malicious behavioral patterns composed of several disjointed and individually benign actions. Mixing regular production traffic such as web searches, file downloads, mail, or even simple network noise with the malicious patterns can replicate many such investigation-worthy scenarios and test the efficiency of security analytics engines.
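As an added illustration of the detection idea described above (not code from this post or from Ixia's products), the following Python sketch groups constructed log lines per host and flags any host whose events contain an ordered sequence of individually benign actions within a time window, while a host that shows the same events out of order is left alone; the log format, host addresses and event names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed pattern (illustrative names, not DarkHotel indicators): four events that are
# each benign alone but, in this order from one host within WINDOW, form the behaviour to flag.
PATTERN = ("dns_query", "http_get", "file_download", "outbound_tls")
WINDOW = timedelta(minutes=30)
LOG_RE = re.compile(r"^(\S+ \S+) host=(\S+) event=(\S+)")

def parse(line):  # -> (timestamp, host, event), or None for lines that do not match
    m = LOG_RE.match(line)
    return (datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3]) if m else None

def match_host(events, pattern, window):
    """(start, end) of the first in-order occurrence of pattern within window, else None."""
    for i, (t0, e0) in enumerate(events):
        if e0 != pattern[0]:
            continue
        idx = 1
        for t, e in events[i + 1:]:
            if t - t0 > window:  # too slow: try a later first event instead
                break
            if e == pattern[idx]:
                idx += 1
                if idx == len(pattern):
                    return t0, t
    return None

def find_sequences(lines, pattern=PATTERN, window=WINDOW):
    """Group log lines per host; return {host: (start, end)} for hosts showing the sequence."""
    per_host = defaultdict(list)
    for ts, host, event in filter(None, map(parse, lines)):
        per_host[host].append((ts, event))
    hits = {}
    for host, events in per_host.items():
        events.sort()  # logs may arrive out of order
        hit = match_host(events, pattern, window)
        if hit:
            hits[host] = hit
    return hits

# Constructed sample: 10.0.0.5 is noise with pattern events out of order; 10.0.0.7 hides the sequence.
LOGS = [
    "2009-01-01 09:00:01 host=10.0.0.5 event=http_get",
    "2009-01-01 09:00:05 host=10.0.0.5 event=dns_query",
    "2009-01-01 09:00:10 host=10.0.0.7 event=dns_query",
    "2009-01-01 09:03:00 host=10.0.0.7 event=mail_send",
    "2009-01-01 09:05:00 host=10.0.0.7 event=http_get",
    "2009-01-01 09:12:00 host=10.0.0.7 event=file_download",
    "2009-01-01 09:20:00 host=10.0.0.7 event=outbound_tls",
]
```

Shrinking the window or removing the 10.0.0.7 lines yields no hits, which is the kind of false-positive check the text calls for.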
Additionally, Ixia’s PerfectStorm hardware platform, using its patented network processor technology, can generate terabits of such traffic within minutes, helping security analytics vendors tune their algorithms to detect malicious behavior patterns hidden within enormous volumes of data every single time.