Detecting Insider Threats and APTs by Alicia Butler

The 2013 Verizon Data Breach Investigations Report points out that 14% of breaches were perpetrated by insiders, and 19% were attributed to state-sponsored actors (aka the Advanced Persistent Threat, or APT). These two types of attackers are very difficult to detect with conventional perimeter- or signature-based security controls.

Insiders are already trusted entities on your network, and don’t need to bypass any traditional security measures. Access to trade secrets and the ability to do bad things to your infrastructure are right at their fingertips. Meanwhile, state-sponsored attackers, or APTs, are penetrating networks without even using malware that conventional defenses would detect (e.g. the New York Times and South Carolina Department of Revenue breaches). In fact, 76% of the breaches analyzed by Verizon used weak or stolen credentials to gain network access, and 29% used social engineering tactics.

Though it can be very difficult to detect these types of attacks using conventional defenses, there are monitoring tactics you can adopt to help protect your network from insider attacks and APTs.

Targeted monitoring

One of the functionalities provided by Lancope’s StealthWatch System is targeted monitoring, e.g., of disgruntled employees on the HR radar. Though they may not have the technical prowess to pull off a hack or something of that nature, they could download your trade secrets to sell to the highest bidder. With StealthWatch, you can fine-tune the monitoring capabilities for a specific individual so that you get alerted if they do anything slightly out of the norm.

Access times

Often underrated, access times are very telling. If Bob from Finance, for instance, is downloading a 5G file from the network after hours, you may want to check it out.

Access after termination

If an account belonging to a former employee is not disabled, you can use StealthWatch to correlate user information and NetFlow data to see if he/she is still on the network after being terminated.

Monitoring access to specific parts of the network

With StealthWatch, you can create Host Groups that allow you to monitor access from certain areas of a network to others. For example, if Marketing is attempting to access the PCI environment, you need to be alerted. While there may not be a physical security control in place, you can use StealthWatch to create logical security controls to monitor access to certain areas in the network.

Monitoring behavior that indicates malicious activity

Sometimes you have to deal with more sophisticated attack activity such as SYN floods and/or scanning. These two behaviors should never happen on the network, unless you are dealing with quarterly penetration testing, for which you would have been notified. When these activities do happen, you want to be alerted immediately. Once again, StealthWatch would allow you to see these activities.
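The four tactics above (after-hours bulk transfers, activity from terminated accounts, cross-Host-Group policy violations, and SYN-flood or port-scan patterns) all reduce to rules evaluated over NetFlow records. The following is an added example of my own, not StealthWatch or Lancope code; it runs such rules over constructed flow records, and the host group names, thresholds, account names and the flow tuple layout are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
# Constructed NetFlow-style records (hypothetical, not real traffic):
# (timestamp, user, src_ip, dst_ip, dst_port, tcp_flags, bytes)
FLOWS = [
    ("2013-06-03 10:15:00", "alice", "10.1.1.5", "10.2.0.9", 443, "SA", 120_000),
    ("2013-06-03 23:40:00", "bob",   "10.1.2.7", "10.3.0.4", 445, "SA", 5_000_000_000),
    ("2013-06-04 09:05:00", "carol", "10.1.2.9", "10.2.0.9", 80, "SA", 8_000),
    ("2013-06-04 11:20:00", "dave",  "10.1.1.3", "10.4.0.2", 1433, "SA", 30_000),
]
# 40 bare SYNs from one host to 40 distinct ports (scan pattern) and 200 bare
# SYNs from one source to one web server port (SYN flood pattern)
FLOWS += [("2013-06-04 12:00:00", "eve", "10.1.1.8", "10.4.0.2", p, "S", 60) for p in range(1, 41)]
FLOWS += [("2013-06-04 12:01:00", "", "10.5.0.2", "10.2.0.9", 80, "S", 60)] * 200

HOST_GROUPS = {"10.1.1.0/24": "Marketing", "10.1.2.0/24": "Finance", "10.2.0.0/24": "Web",
               "10.3.0.0/24": "FileServers", "10.4.0.0/24": "PCI"}   # assumed Host Groups
DENIED_PATHS = {("Marketing", "PCI")}   # logical control: Marketing never talks to PCI
TERMINATED = {"carol"}                   # accounts that should already be disabled
LARGE_BYTES, NIGHT_START, NIGHT_END = 1_000_000_000, 20, 6   # 1 GB between 20:00 and 06:00
SCAN_PORTS, FLOOD_SYNS = 20, 100         # assumed alert thresholds

def group_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((g for net, g in HOST_GROUPS.items() if addr in ipaddress.ip_network(net)), "Unknown")

def detect(flows):
    """Return sorted (rule, subject) alerts, one per distinct finding."""
    alerts = set()
    scan_ports = defaultdict(set)   # (src, dst) -> distinct ports probed with bare SYNs
    syn_count = defaultdict(int)    # (dst, port) -> number of bare-SYN flows
    for ts, user, src, dst, port, flags, nbytes in flows:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if nbytes >= LARGE_BYTES and (hour >= NIGHT_START or hour < NIGHT_END):
            alerts.add(("after_hours_transfer", user))
        if user in TERMINATED:
            alerts.add(("terminated_account_active", user))
        if (group_of(src), group_of(dst)) in DENIED_PATHS:
            alerts.add(("host_group_policy", f"{src}->{dst}"))
        if flags == "S":   # SYN seen, no ACK: handshake never completed
            scan_ports[(src, dst)].add(port)
            syn_count[(dst, port)] += 1
    alerts |= {("port_scan", s) for (s, _), ports in scan_ports.items() if len(ports) >= SCAN_PORTS}
    alerts |= {("syn_flood", f"{d}:{p}") for (d, p), n in syn_count.items() if n >= FLOOD_SYNS}
    return sorted(alerts)

if __name__ == "__main__":
    for rule, subject in detect(FLOWS):
        print(f"ALERT {rule}: {subject}")
```

In a real deployment the flow source would be the exporting routers, switches and firewalls, the user-to-IP mapping would come from an identity source, and the thresholds would be tuned per Host Group rather than fixed globally.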

The great thing about StealthWatch is that it leverages NetFlow data right from your existing infrastructure, such as routers, switches and firewalls, to provide in-depth network visibility – essentially turning all of those devices into security reporting tools. StealthWatch detects and alarms on suspicious user activities in real time and preserves records of internal network traffic for investigations into past incidents, helping to keep enterprise networks safe from advanced attacks.

For further details on leveraging StealthWatch and NetFlow for network visibility and security intelligence, go to
