The Advanced Persistent Threat (APT) is generally defined as a class of targeted attacks written by motivated, organized, and well-funded adversaries to penetrate specific networks and systems for the purposes of data collection and exfiltration or the establishment of remote command and control. APT threat actors seek long-term access to the target, so stealth is crucial: the attacks infiltrate endpoints and servers without notice and patiently perform malicious activity over an extended period.
Initially, the term advanced persistent threat was applied to attacks by hostile nation-states against government targets such as the Department of Defense and intelligence agencies. APT actors often leveraged human intelligence gathering to provide behavioral insight that helped build the attacks and target specific individuals and systems. Once the attack infiltrates the target, the APT delivers any number of malicious payloads, ranging from zero-day attacks to well-known malware.
With the discovery of attacks such as Operation Aurora (see a case study here), the term advanced persistent threat has been expanded by some to include commercial targets as well. The recently discovered Duqu attack, a derivative of the now-famous Stuxnet code, demonstrated that attackers were now using sophisticated attacks to gather the data needed to launch future attacks, eliminating the need for human intelligence gathering.
Rapid Detection and Response
When considering the advanced persistent threat, organizations must embrace the mindset that preventative software will be essentially defenseless against such attacks. In fact, organizations should be wary of any product that claims to prevent or block APT attacks. Defending against APT requires that organizations adopt a new approach that rapidly detects when an APT attack has infiltrated organizational systems and provides the information necessary to swiftly and decisively respond. Triumfant calls this approach Rapid Detection and Response.
Rapid detection means that Triumfant will identify the attack within minutes of infection regardless of the attack vector, delivery method, or malware used. Triumfant requires no prior knowledge to detect an attack, and is therefore perfectly equipped to detect APT attacks. This capability differentiates Triumfant from all other solutions on the market. The use of change detection means that Triumfant will even see "low and slow" attacks that lie dormant before they begin to execute their malicious tasks.
Information is the key component to effectively responding to detected attacks and containing the damage caused by a long-term infiltration. A rapid detection and response solution must go beyond detecting the offending executable and deliver a comprehensive analysis of the associated damage to the machine. It makes perfect sense that an effective response is only possible through comprehensive knowledge. Finally, this knowledge is essential to overcoming the persistence mechanisms designed to help the attack survive attempts to stop it.
Triumfant: Detection, Analysis, and Remediation
Triumfant represents a significant advancement in detecting the advanced persistent threat. Unlike traditional defensive tools that rely on prior knowledge, Triumfant identifies malicious activity by detecting, correlating, analyzing and classifying changes to host machines. Even attacks that start entirely in memory have persistent artifacts that fall into the broad scan scope of Triumfant Resolution Manager. It is the changes to these persistent artifacts and the analysis of these changes against the context created by Triumfant's patented analytics that enable Triumfant to detect and diagnose the attack.
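The paragraph above describes detection by observing, correlating and classifying changes to persistent host artifacts rather than by matching prior knowledge of the malware. The following is an added example, not Triumfant's code or any description of how Resolution Manager works internally: it takes two constructed snapshots of a host's persistent artifacts (on-disk files and registry-style autorun entries, with hypothetical paths), diffs them against the baseline, classifies each change with simple severity rules, and correlates a new autorun entry with the executable it points at. The severity rules, the "autorun:" naming convention and the expected-change list are all assumptions made for the illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample snapshots (hypothetical paths and contents, not real data).
# Each maps an artifact identifier to its content bytes. Keys prefixed "autorun:"
# stand in for registry-style persistence entries; other keys are on-disk files.
BASELINE_SNAPSHOT: Dict[str, bytes] = {
    "C:/Windows/System32/svchost.exe": b"svchost-v1",
    "C:/Program Files/App/app.exe": b"app-v1",
    "autorun:HKLM/Run/Updater": b"C:/Program Files/App/updater.exe",
    "autorun:HKLM/Run/Sound": b"C:/Windows/System32/sound.exe",
}

CURRENT_SNAPSHOT: Dict[str, bytes] = {
    "C:/Windows/System32/svchost.exe": b"svchost-v1",
    "C:/Program Files/App/app.exe": b"app-v2",  # legitimately updated by patching
    "autorun:HKLM/Run/Updater": b"C:/Program Files/App/updater.exe",
    # "autorun:HKLM/Run/Sound" is gone from this snapshot (a removed artifact)
    "autorun:HKLM/Run/Svc": b"C:/Users/alice/AppData/Local/Temp/svc.exe",  # new entry
    "C:/Users/alice/AppData/Local/Temp/svc.exe": b"constructed-dropper-bytes",  # new file
}

# Changes an administrator expects (a scheduled software update, for instance).
# This is the "context" that keeps routine change from being reported as an attack.
EXPECTED_CHANGES = {"C:/Program Files/App/app.exe"}

# Assumed rule: persistence that points into a user-writable location is the most suspicious.
USER_WRITABLE_PREFIXES = ("C:/Users/", "C:/Windows/Temp/")

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

Finding = Tuple[str, str, str]  # (artifact, change kind, severity)


def fingerprint(snapshot: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every artifact so comparison does not depend on storing full contents."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in snapshot.items()}


def diff_snapshots(baseline: Dict[str, bytes], current: Dict[str, bytes]):
    """Return (added, removed, modified) artifact names, each list sorted."""
    base, cur = fingerprint(baseline), fingerprint(current)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    modified = sorted(name for name in set(base) & set(cur) if base[name] != cur[name])
    return added, removed, modified


def classify_changes(baseline: Dict[str, bytes], current: Dict[str, bytes],
                     expected: set) -> List[Finding]:
    """Turn raw changes into findings using the assumed severity rules above."""
    added, removed, modified = diff_snapshots(baseline, current)
    findings: List[Finding] = []
    for name in added:
        if name.startswith("autorun:"):
            target = current[name].decode()
            severity = "high" if target.startswith(USER_WRITABLE_PREFIXES) else "medium"
        elif name.startswith(USER_WRITABLE_PREFIXES):
            severity = "medium"
        else:
            severity = "low"
        findings.append((name, "added", severity))
    for name in removed:
        # A vanished persistence entry is worth a look: attackers also clean up or replace.
        findings.append((name, "removed", "medium" if name.startswith("autorun:") else "low"))
    for name in modified:
        if name in expected:
            severity = "info"  # matches an announced update, so only record it
        elif name.startswith("autorun:") or name.startswith("C:/Windows/System32/"):
            severity = "high"  # system binaries and persistence entries should not drift silently
        else:
            severity = "medium"
        findings.append((name, "modified", severity))
    return findings


def correlate_persistence(findings: List[Finding], current: Dict[str, bytes]):
    """Pair each newly added autorun entry with a newly added file it points at."""
    added_names = {name for name, kind, _ in findings if kind == "added"}
    pairs = []
    for name, kind, _ in findings:
        if kind == "added" and name.startswith("autorun:"):
            target = current[name].decode()
            if target in added_names:
                pairs.append((name, target))
    return pairs


def highest_severity(findings: List[Finding]) -> str:
    """Overall rating for the host, used to decide whether to open an incident."""
    return max((sev for _, _, sev in findings), key=SEVERITY_RANK.__getitem__, default="info")


if __name__ == "__main__":
    results = classify_changes(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT, EXPECTED_CHANGES)
    for finding in results:
        print(finding)
    print("correlated persistence:", correlate_persistence(results, CURRENT_SNAPSHOT))
    print("host rating:", highest_severity(results))
```

The point the example makes is the one the text makes: none of the rules reference a signature for the dropped file, so an attack that started in memory and later wrote a persistence entry is caught by the change itself. The expected-change set is what separates a patch from an intrusion; without that context a baseline diff produces noise on every update cycle.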
To read more about how Triumfant detects malicious attacks, you can access the White Paper on Malware Detection and Remediation, or details about Triumfant Resolution Manager here. You can also view a brief video demonstration of Triumfant detecting and remediating an attack created using Poison Ivy here.
Won’t My Existing Tools Detect APT?
The answer is: not likely. Traditional defenses were designed to defend against broad opportunistic attacks that leverage known vulnerabilities or weaknesses, and they are heavily dependent on prior knowledge for detection. They are also designed to detect attacks inbound to the network or host machine, not to detect attacks once they have actually infected a machine. Even more advanced tools will miss attacks delivered by means other than the network, such as the delivery of Stuxnet via USB storage devices.