On Advanced Persistent Detection by Tim (TK) Keanini

The Difference that Makes a Difference

When we consider the term Advanced Persistent Threat, the logical countermeasure is Advanced Persistent Detection. At the point of detection, the threat cannot persist, and must reinvent itself, creating a spiral that we have come to know as the process of cyber security. I’m focused here on detection because it is the perceptive boundary of any defensive measure, and it is critical to a dominant defensive strategy. 

I spent years developing signature-based products, where detection was always behind the threat. This technique is still effective, but another technique is required if we are to uncover the most advanced threats lurking within enterprise networks.

When I proclaim the benefits of non-signature based techniques, people are quick to jump to a category called ‘anomaly detection.’ However, I do not think that term (while widely accepted) really does the method full justice. I go back to the cybernetician Gregory Bateson’s saying about “The Difference that Makes a Difference.” By finding variance in the normal ebb and flow of network traffic, a.k.a. anomaly detection, we can begin to develop a strategy built on “advanced persistent detection.”  

Internet Protocols are specified in standards, and adherence to these standards will yield interoperability. However, advanced threats will look at these standards and find ways to trick the system into giving them access or capabilities not intended by the designer. To provide a good understanding of this, I’d like to use an example that happened in the auto industry.

A car designer known for its excellence in safety put a feature into its new line of cars whereby, upon impact, a plethora of safety features would trigger: airbags deploy, lights flash, seatbelts unbuckle so passengers can escape, doors unlock, and so on. It was not long after these cars were released that, during the holidays, criminals figured out they could take a small sledge hammer and hit the bumper ever so slightly to simulate a crash, and hence the doors would unlock and they would take everything from the car with no glass broken.

This is a great example of a protocol that is effective in one context failing in another. From the automobile’s perspective, a crash is just force on the bumper, but the external observer can see the difference between a car crash and a criminal with a sledge hammer.

Protocols have this same pattern. From the client and server’s point of view, everything is as designed, but significant differences exist in other facets. It may be the symmetry or asymmetry of the traffic; it may be some byte count in a certain direction that is grotesquely wrong. Either way, there is something in the behavior of the traffic that is anomalous – directionality, size, frequency, etc. Whatever it is, there is a difference that makes a difference. This is the one spot where the advanced threat cannot hide because it must at some point do something across the network. 

The deal is this: The only reason the advanced persistent threat can operate on our networks is because it can remain undetected for quite some time. Why? Because organizations either try to capture all of their traffic via packet capture and quickly figure out that this does not scale, or they simply don’t know about unsampled flow data.

The real key to anomaly detection, or as I like to call it, “advanced persistent detection,” is unsampled flow data in the form of NetFlow and IPFIX. These protocols are already available to most organizations via existing routers, switches, firewalls, etc. By capturing unsampled network flows (that is, every flow record rather than a sampled subset) via a technology like Lancope’s StealthWatch System, organizations can obtain the network visibility and security intelligence needed to detect unusual behaviors and advanced threats within their networks. In other words, they can find the difference that makes a difference.
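To make the two preceding points concrete, here is an added example (my own illustration, not Lancope or StealthWatch code) that runs over a handful of constructed NetFlow-style records. It looks for the kinds of differences described above: a conversation whose byte count is grotesquely lopsided in the outbound direction, and a conversation whose flows recur at a suspiciously regular interval. It then applies a simple 1-in-N record sampling to the same data to show why the beacon and the lopsided upload disappear when the exporter is sampled. The record layout, the 10.0.0.0/24 internal range, and the thresholds are assumptions chosen for the example.

```python
"""Flow-based anomaly detection over constructed NetFlow-style records."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: internal hosts live in 10.0.0.0/24 (example value only).
INTERNAL_PREFIX = "10.0.0."

# Constructed flow records, not captured traffic. Each tuple mirrors fields an
# unsampled NetFlow v5 / IPFIX exporter delivers:
# (src_ip, dst_ip, server_port, bytes, packets, start_time_seconds)
FLOWS = []
# Ordinary browsing: small request out, large response back.
for t in (0, 7, 19, 33):
    FLOWS.append(("10.0.0.5", "203.0.113.10", 443, 2_000, 20, t))
    FLOWS.append(("203.0.113.10", "10.0.0.5", 443, 150_000, 120, t))
# Upload-heavy conversation: 40 MB out, 3 KB back.
FLOWS.append(("10.0.0.7", "198.51.100.20", 443, 40_000_000, 30_000, 50))
FLOWS.append(("198.51.100.20", "10.0.0.7", 443, 3_000, 40, 50))
# Low-and-slow beacon: a tiny exchange every 60 seconds for 12 minutes.
for i in range(12):
    FLOWS.append(("10.0.0.9", "198.51.100.50", 443, 400, 4, 100 + 60 * i))
    FLOWS.append(("198.51.100.50", "10.0.0.9", 443, 300, 3, 100 + 60 * i))


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def conversation_bytes(flows):
    """Sum bytes per (internal host, external host, port), per direction."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for src, dst, port, nbytes, _pkts, _t in flows:
        if is_internal(src) and not is_internal(dst):
            sent[(src, dst, port)] += nbytes
        elif is_internal(dst) and not is_internal(src):
            received[(dst, src, port)] += nbytes
    return sent, received


def asymmetric_uploads(flows, ratio=10.0, min_bytes=1_000_000):
    """Flag conversations where an internal host sends far more than it gets."""
    sent, received = conversation_bytes(flows)
    hits = []
    for key, out_bytes in sent.items():
        in_bytes = received.get(key, 0)
        if out_bytes >= min_bytes and out_bytes > ratio * max(in_bytes, 1):
            hits.append((key, out_bytes, in_bytes))
    return hits


def beacons(flows, min_flows=8, max_cv=0.2):
    """Flag conversations whose outbound flows are many and evenly spaced.

    Regularity is measured as the coefficient of variation of the gaps
    between flow start times; a low value means a clock-like cadence.
    """
    starts = defaultdict(list)
    for src, dst, port, _b, _p, t in flows:
        if is_internal(src) and not is_internal(dst):
            starts[(src, dst, port)].append(t)
    hits = []
    for key, times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key, len(times), round(avg, 1)))
    return hits


def sample_one_in_n(flows, n):
    """Keep every n-th record. Real exporters sample packets rather than
    finished flows, but the effect on rare, small conversations is the same."""
    return [f for i, f in enumerate(flows) if i % n == 0]


if __name__ == "__main__":
    print("unsampled uploads:", asymmetric_uploads(FLOWS))
    print("unsampled beacons:", beacons(FLOWS))
    sampled = sample_one_in_n(FLOWS, 10)
    print("1-in-10 uploads:  ", asymmetric_uploads(sampled))
    print("1-in-10 beacons:  ", beacons(sampled))
```

Against the full record set, the 40 MB upload from 10.0.0.7 and the 60-second cadence from 10.0.0.9 both surface; after 1-in-10 sampling neither does, because the single large flow is dropped outright and only three of the twelve beacon flows survive. The thresholds are deliberately simple; a real deployment baselines each host's normal ratios and cadences before deciding what counts as a difference.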

Advanced, flow-based detection is the heart and soul of what we do here at Lancope. Click here for further details on identifying advanced threats using NetFlow.