When an APT (Advanced Persistent Threat) is discovered, network security operations professionals are immediately under pressure to explain and resolve the problem. Without a solid understanding of the context, the network traffic and its content, SecOps professionals are often left relying on informed guesses rather than verifiable facts.
Perpetrators of APTs use unexpected and diverse attack vectors against nations, industries, organizations and individuals in order to gain long-term access to, and control over, a target's IT infrastructure. Preventing every such intrusion without degrading the organization's operations is extremely difficult, so it is pragmatic to accept that an APT may already be present and to focus on identifying and remediating it quickly. But how fast can a team react to a suspected APT anomaly as it traverses the network? And, more importantly, are SecOps professionals doing everything they can to ensure that their actions are informed, appropriate and effective?
Here are some points to consider:
– The skills of the security analyst: Those responding to APTs need to know how to use the tools they have to analyze the attack quickly and accurately. They must also have a baseline understanding of the network's topology and of the events that shape it. Ideally, how applications use the network has been tested and documented, down to a transaction-by-transaction understanding of how they behave across the production network. Where that is not practical, live data from the production network, though less predictable, is the next best thing: real-time statistical analysis of network connections makes variations from the norm easier to spot, provided the baseline is built from a period the team has reason to believe was clean. Lastly, effective workflows and processes minimize miscommunication between team members and delays in response.
– Evidence collected around a suspected network event: Captured packet data is the most complete record of what actually crossed the wire and is far harder to dispute than the logs or alerts derived from it, though it covers only the links that were tapped and the period that was retained. Examining network traffic before, during and after an event provides the clarity needed to understand what happened and lets professionals build a truly informed response plan, which increases the likelihood of an effective outcome.
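As an added example, not code from the original article or from Endace/Emulex, the following Python sketches the two points above: a robust per-host baseline over connection records to spot a deviation from the norm, and a before/during/after cut of the same records around a suspected event. The record format (timestamp, source, destination, port, bytes), the addresses and the traffic pattern are constructed for the example; in practice the records would come from flow data or packet-capture metadata. Function names such as flag_deviations and event_timeline are the example's own, not a product API.

```python
"""Connection-baseline deviation check and event timeline cut.

Added example. The tab-separated record format (ts, src, dst, dport, bytes)
is a constructed simplification, not the output of any real capture tool.
"""
import statistics
from collections import defaultdict


def build_sample():
    """Constructed sample: six one-minute windows starting at t=0.

    Host 10.0.0.5 normally reaches two or three internal servers per minute;
    in the fourth window (t in [180, 240)) it also reaches thirty distinct
    hosts on port 22, a scan-like deviation. Host 10.0.0.9 is steady.
    """
    rows = []
    normal_dsts = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
    for w in range(6):
        base = w * 60
        for i, dst in enumerate(normal_dsts[: 2 + (w % 2)]):
            rows.append(f"{base + i * 5}\t10.0.0.5\t{dst}\t443\t{1500 + i}")
        for i in range(3):
            rows.append(f"{base + 10 + i}\t10.0.0.9\t10.0.1.2{i}\t445\t900")
        if w == 3:
            for i in range(30):
                rows.append(f"{base + 20 + i}\t10.0.0.5\t10.0.2.{i + 1}\t22\t60")
    return "\n".join(rows)


def parse_records(text):
    """Parse the constructed tab-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def fanout_per_window(records, window=60):
    """Distinct destinations each source reached per window: {src: {win: n}}.
    Windows with no traffic from a source are simply absent."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        seen[r["src"]][int(r["ts"] // window)].add(r["dst"])
    return {src: {w: len(d) for w, d in wins.items()} for src, wins in seen.items()}


def flag_deviations(records, window=60, k=3.0, floor=5):
    """Return (src, window, count, threshold) for windows whose fan-out exceeds
    a robust baseline built from the source's other windows (leave-one-out):
    median + k * MAD, with a minimum margin of `floor` so a near-constant host
    (MAD == 0) does not alert on a change of one or two peers."""
    flagged = []
    for src, wins in sorted(fanout_per_window(records, window).items()):
        for w, count in sorted(wins.items()):
            others = [c for ow, c in wins.items() if ow != w]
            if len(others) < 3:  # too little history to baseline against
                continue
            med = statistics.median(others)
            mad = statistics.median([abs(c - med) for c in others])
            threshold = max(med + k * mad, med + floor)
            if count > threshold:
                flagged.append((src, w, count, threshold))
    return flagged


def event_timeline(records, start, end):
    """Split records into before / during / after a suspected event [start, end)."""
    buckets = {"before": [], "during": [], "after": []}
    for r in records:
        key = "before" if r["ts"] < start else "during" if r["ts"] < end else "after"
        buckets[key].append(r)
    return buckets


def new_peers(timeline):
    """(src, dst, dport) triples seen during the event but never before it:
    the first thing an analyst wants from the pre/during comparison."""
    before = {(r["src"], r["dst"], r["dport"]) for r in timeline["before"]}
    during = {(r["src"], r["dst"], r["dport"]) for r in timeline["during"]}
    return during - before


if __name__ == "__main__":
    recs = parse_records(build_sample())
    for src, w, count, thr in flag_deviations(recs):
        print(f"{src}: window {w} reached {count} hosts (threshold {thr:.1f})")
    tl = event_timeline(recs, 180, 240)
    print(f"{len(tl['before'])} before, {len(tl['during'])} during, "
          f"{len(tl['after'])} after; {len(new_peers(tl))} new peers")
```

The baseline is deliberately leave-one-out and MAD-based so that the anomalous window does not inflate its own threshold; with only a handful of windows, a mean/standard-deviation baseline would be dragged upward by the very spike it is meant to catch. The `floor` margin is what keeps a quiet host from alerting every time it picks up one new peer.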
Unfortunately, skilled people and solid data alone are not enough to combat APTs effectively. Decoding packets and turning them into actionable insight requires appropriate analysis tools. Some tools operate autonomously and are invaluable for automating specific processes, but each is limited to a single way of interpreting the data. APTs, by their nature, are tailored and unique, so automated analysis alone will never be completely effective. Truly confident, fact-based decision-making is only possible when captured packet data is interpreted iteratively, by analysts and tools together, both during the event and in post-event analysis.
By asking whether they are appropriately equipped with the right human and technological resources, security teams can determine whether they are prepared to execute their roles effectively in the face of APTs. Network packet capture makes this appraisal possible by enabling teams to know what is happening now and what occurred previously. With APTs, as with all threats, knowing exactly what you are dealing with is invaluable.
By Matt Walmsley, Senior Marketing Manager, EMEA, Endace division of Emulex