Advanced Packaging Tool

Describe how machine learning and data analytics could have detected and/or prevented the APT you analyzed had the victim organization deployed these technologies at the time of the event. Be specific. APT attacks are unique and traditional security measures are ineffective against them. APT attackers are not fearful of taking time to spread malicious attacks. Therefore, the focus should shift to full-packet, deep-packet inspection and big data analytics using more advanced algorithms for analysis. APT attacks take longer because the attacker needs extra time to explore the network to access as they continue to extract data. Big data analytics could prevent this with dynamic data from network traffic while detecting anomalies (Virvilis, et. al., 2014).

Modern businesses generate massive amounts of data daily from active users, file transfers, network traffic, and other digital transactions. Within these digital transactions, patterns develop, and unusual digital behavior can be observed within normal patterns. Traditional intrusion detection will not be enough for IXSHE attacks as not all malicious network traffic happens post-infection, but rather complete system monitoring is necessary to include machine learning and data analysis (Avelino, et. al., 2017). Machine learning can process big data in a very short amount of time with the ability to change and evolve according to the input data instances with various approaches to use for network data. Using machine learning would allow security teams to speed up the process of threat detection and respond to incidents more rapidly along with enabling preventative measures in advance (Johnson, 2018). Machine learning uses self-learning analytics detection by monitoring activity across the network in real-time without knowing signatures. Data analytics detect anomalies in flow of network traffic and data.

Cyber threats today are very sophisticated and change rapidly and identify them in a timely manner can be accomplished much easier with data analysis of big data (Dickerson). Ensure the network has comprehensive logging in place across a multitude of layers within the network. Most network threats access is gained via malware, drive-by links or Web shells. To compare malware or drive-by links the security team must compare user behaviors against threats. This needs packet logging of ingress and egress track on the networks edge. To detect malware or rootkit to endpoint the security team needs anti-malware and endpoint protection systems.

The levels at which logging are configured is critical for visibility into APT traffic entering and leaving the network. Additionally, ensuring the network has no blind spots that traffic can bypass security controls (Rice, Ringold, 2015). Machine learning may or may not be the cure all for common security threats, but it does help with many scenarios such as Spear Phishing, Watering Hole, Lateral Movement, Covert Channel Detection, Ransomware, Injection Attacks, Reconnaissance, Webshell, Credential Theft, and Remote Exploitation (Zadeh, 2017). Spear Phishing is the most common and most successful means for cyber -attacks. These take advantage of social media and email with attachments of embedded links.

This attack misleads end users who click or download malicious payloads which bypass internal controls. This could be prevented by capturing big data traffic from emails. Machine learning could have prevented these types of attacks by reviewing email headers and subsampling body of email by identifying algorithm patterns for malicious emails (Zadeh, 2017). Watering Hole present fake websites and web applications to the unsuspecting end users. These sites or apps are designed very well and fully functioning for end user and once activated, serve exploits. Machine learning could prevent exploitation by analyzing data like path/directory traversal statistics identifying common attacker interactions. Machine learning could have also monitored behaviors searching for unusual patterns to and from host site (Zadeh, 2017). Lateral movement attacks across the network looking for vulnerabilities with various techniques to exploit those vulnerabilities. This works well along the kill chain when the attacker is moving from reconnaissance to data extraction. Input logs indicate visitors’ interactions with a website.

Machine learning-informed contextualization could have helped by providing a dynamic view of normal traffic data information detecting potential threats (Zadeh, 2017). Covert Channel Detection are often used by attackers to transfer information on secret channels not normally used for communication. Using covert channels allows attackers to keep control of compromised assets undetected. Machine learning could ingest and analyze data in those rarely used domains (Zadeh, 2017). Ransomware wipes drives and holds infected devices ransom in exchange for user’s encryption key with threat to publish the key. Machine learning could have tracked micro-behaviors such as entropy statistics or processes that interact with the entire file system in question. Machine learning algorithms can be focused on initial payload to find evidence (Zadeh, 2017). Injection attacks are quite possibly the number one web security risk by allowing attackers to supply malicious input into a program. For example, inputting a line of code into a database that modifies data on a website. Machine learning could build algorithms of statistical profiles of groups of database users (Zadeh, 2017).

Reconnaissance involves probing target networks for vulnerabilities, near perimeter or within the LAN. Machine learning could prevent this by training algorithms graphing topology identifying new patterns. Machine learning also reduces false positives (Zadeh, 2017). Web shell allow remote authorization of a machine form uploaded scripts to a web server. Attackers initiate database dumps, file transfers, and malicious software installation. These attacks are often done through backend eCommerce platforms where shoppers personal information is stored. Machine learning could prevent this with focused statistics on shopping cart activity identifying customer behaviors (Zadeh, 2017). Credential Theft is usually done using phishing or watering holes where attackers get login information from victims. Websites and applications track locations and login times. Machine learning could prevent this by tracking patterns of data compromise learning which user behavior is normal and which behaviors are potentially harmful activity (Zadeh, 2017). Remote exploitation is often used by attackers to identify vulnerabilities in a target system with a series of malicious events loaded to exploit those vulnerabilities by executing code within the system. Machine learning could prevent this by identifying instances with unrelated sequential behaviors within normal network behavior over time and send alerts to security analysts (Zadeh, 2017).

Machine learning is showing tremendous potential in network security applications yet translating traffic to a usable format is still challenging. Using a raw byte system, with input from data and clustering malicious network flows seems to show promising insights on various network patterns depicted from malicious traffic. Machine learning will dramatically improve the speed that such data can be organized providing critical information to show the spreading or recognizing a peculiar vulnerability used in a unique way in other malware campaigns (Avelino, et. al., 2017).

References

• Avelino, J.N., Balaquit, J.P., Mora, A.L. (2017). Trend Micro Incorporated. Trend Labs. Ahead of the Curve: A Deeper Understanding of Network Threats Through Machine Learning.
• Retrieved from:https://documents.trendmicro.com/assets/white_papers/wp-ahead-of-the-curve.pdf. Dickerson, Ben. How Predictive Analytics Discovers a Data Breach Before It Happens.
• Retrieved from: https://techcrunch.com/2016/07/25/how-predictive-analytics-discovers-a-data-breach-before-it-happens/. Johnson, Kate. (26 Nov. 2018). Machine Learning Algorithms in Cybersecurity Solutions.
• Retrieved from: https://spinbackup.com/blog/machine-learning-algorithms-cybersecurity/. Rice, A., Ringold, J. (2015). Defend Against APTs with Big Data Security Analytics.
• Information Security: Defending the Digital Infrastructure. Search Security.
• Retrieved from: https://searchsecurity.techtarget.com/feature/Defend-against-APTs-with-big-data-security-analytics. Virvilis, N., Serrano, O., Dandurand, L. Big Data Analytics for Sophisticated Attack Detection. ISACA Journal, vol3, 2014.
• Retrieved from: https://www.isaca.org/Journal/archives/2014/Volume-3/Pages/Big-Data-Analytics-for-Sophisticated-Attack-Detection.aspx Zadeh, Joe. (5 Oct. 2017). 10 Cyber Attacks Machine Learning Can Help Prevent. SC Magazine.
• Retrieved from: https://www.scmagazine.com/home/opinion/executive-insight/10-cyber-attacks-machine-learning-can-help-prevent/.

Cite this page