This section describes basic concepts of APT attacks and APT defense.
An attacker often spends a long time tracing and collecting information about the network operating environment of the target system, and exploring vulnerabilities in the trusted systems and application programs of the target. The attacker may not break through the target's defenses within a short period, but over time may discover a vulnerability or an opportunity to attack, especially when devices in the defense system are upgraded or applications are updated.
The attacker does not attack the target directly. Instead, the attacker first compromises a terminal device related to the target system (such as a smartphone or tablet) to steal user accounts and passwords. The terminal device then serves as a stepping stone for the attack on the target system.
Based on the collected information about the target system's commonly used software, defense policies and products, and internal network deployment, the attacker builds a matching test environment to discover vulnerabilities and to test whether there are methods of bypassing inspection.
Traditional security products defend only against known viruses and vulnerabilities. APT attackers may exploit 0-day vulnerabilities, for which no signature exists yet, so their attacks can easily pass through such a defense system.
After gaining access to an important asset, the attacker uses a controlled client to steal information through a validly encrypted data channel. Because this traffic looks like a legitimate encrypted session, the audit system and anomaly detection system are unable to distinguish it from normal use and do not detect the attack.
Because of these characteristics, APT attacks are more advanced, concealed, and destructive than conventional attacks, and they have become a major network security threat today.
The defense procedure against APT attacks is as follows:
The FW periodically obtains file detection results from the sandbox.
If the sandbox detects a malicious file, the FW updates its cached malicious file list and malicious URL list based on the detection result. If subsequent traffic matches an entry in the malicious file list or malicious URL list, the FW performs the configured block or alert action to protect the enterprise intranet from the attack.
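The following is an added example, not code from the original page or from any vendor's FW or sandbox product. It simulates the polling and caching procedure above in Python: the FW keeps cached malicious file and URL lists, merges one polling cycle of sandbox verdicts into them, and matches later flows against the cache. The sandbox verdicts, the sample file bytes, and the URLs are all constructed for the example; the verdict record layout (sha256, url, verdict fields) is an assumption, not a real product format. The scenario also shows the timing that the procedure implies: the first crossing of an unknown file is permitted, and only traffic after the verdict arrives is blocked or alerted on.

```python
import hashlib
from dataclasses import dataclass, field

BLOCK, ALERT, PERMIT = "block", "alert", "permit"

# Constructed sample payload standing in for an unknown file seen in traffic.
SAMPLE_FILE = b"MZ\x90\x00 constructed sample, not real malware"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()


@dataclass
class FirewallCache:
    """Malicious file and URL lists the FW caches from sandbox verdicts."""
    malicious_files: set = field(default_factory=set)  # SHA-256 hex digests
    malicious_urls: set = field(default_factory=set)
    action: str = BLOCK  # configured action on a match: BLOCK or ALERT

    def sync_from_sandbox(self, verdicts):
        """One polling cycle: merge malicious verdicts into the cached lists.
        Returns the number of new entries added. Clean verdicts are ignored."""
        added = 0
        for v in verdicts:
            if v.get("verdict") != "malicious":
                continue
            for key, cache in (("sha256", self.malicious_files),
                               ("url", self.malicious_urls)):
                value = v.get(key)
                if value and value not in cache:
                    cache.add(value)
                    added += 1
        return added

    def inspect(self, flow):
        """Match one flow against the cached lists; returns (action, reason)."""
        payload = flow.get("payload")
        if payload is not None:
            digest = hashlib.sha256(payload).hexdigest()
            if digest in self.malicious_files:
                return self.action, "file hash match"
        url = flow.get("url")
        if url and url in self.malicious_urls:
            return self.action, "URL match"
        return PERMIT, "no match"


def run_scenario(action=BLOCK):
    """Timeline of FW decisions around one sandbox polling cycle."""
    fw = FirewallCache(action=action)
    url = "http://update.example.invalid/patch.exe"  # constructed URL
    decisions = []
    # t0: the file first crosses the FW; no verdict exists yet, so it passes
    decisions.append(fw.inspect({"url": url, "payload": SAMPLE_FILE})[0])
    # t1: the FW polls the sandbox; the constructed verdict flags the file
    sandbox_results = [
        {"sha256": SAMPLE_SHA256, "url": url, "verdict": "malicious"},
        {"sha256": hashlib.sha256(b"benign").hexdigest(), "verdict": "clean"},
    ]
    fw.sync_from_sandbox(sandbox_results)
    # t2: the same file again (hash match) and the download URL alone (URL match)
    decisions.append(fw.inspect({"payload": SAMPLE_FILE})[0])
    decisions.append(fw.inspect({"url": url})[0])
    # unrelated traffic is still permitted
    decisions.append(fw.inspect({"url": "http://intranet.example.invalid/"})[0])
    return decisions


if __name__ == "__main__":
    print(run_scenario())  # ['permit', 'block', 'block', 'permit']
```

The first "permit" is the point a practitioner should keep in mind: the sandbox verdict protects against the second and later occurrences of a file, so the polling interval bounds how long a newly seen malicious file can keep passing before the cache catches up.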
An antivirus system usually identifies virus files by comparing file signatures against a virus signature database. The limitation of this mode is that it cannot identify unknown attacks, for which no signature exists yet.
Sandbox technology works differently. APT defense uses a sandbox, a virtual detection system that simulates a real network environment, to run unknown files. A collection program in the sandbox records the behavior of each file, and the sandbox determines whether the file is malicious by matching that behavior against a dedicated behavior signature database. This database is built by analyzing a large number of viruses, vulnerabilities, and threats, extracting the patterns of malicious behavior, and forming a set of judging rules from them.
In a word, the antivirus system identifies attacks based on signatures, whereas the sandbox identifies them based on behavior.
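To make the signature-versus-behavior distinction concrete, here is an added example in Python; it is not code from the original page and does not reproduce any product's signature or behavior database. The antivirus side is a hash lookup against a constructed signature set. The sandbox side scores a behavior trace (the event list a collection program would record while the file runs) against a few constructed judging rules, each matching a pattern of events. The sample files, the traces, the rule patterns, and the threshold of 60 are all assumptions made for the example. The repacked variant shows the case the text describes: its hash no longer matches a signature, but its behavior is unchanged, so only the behavior rules catch it.

```python
import fnmatch
import hashlib

# Constructed sample files (not real malware). The "variant" is the same
# sample repacked, so its hash differs but its runtime behavior does not.
KNOWN_SAMPLE = b"constructed known sample"
VARIANT_SAMPLE = b"constructed known sample, repacked"
BENIGN_SAMPLE = b"constructed benign installer"

# Antivirus: signature database of SHA-256 digests of known virus files.
VIRUS_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def antivirus_verdict(data):
    """Signature-based detection: known hash or nothing."""
    return "malicious" if hashlib.sha256(data).hexdigest() in VIRUS_SIGNATURES else "clean"


# Sandbox: judging rules over recorded behavior. Each rule lists event patterns
# (fnmatch syntax over "kind:target" strings) that must all appear in the trace,
# plus a weight. Rules and weights are constructed for illustration.
BEHAVIOR_RULES = [
    ("drops_and_executes_from_temp",
     ["file_write:*\\Temp\\*.exe", "process_create:*\\Temp\\*.exe"], 40),
    ("run_key_persistence",
     ["registry_write:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"], 30),
    ("outbound_connection_from_dropped_exe",
     ["process_create:*\\Temp\\*.exe", "network_connect:*"], 30),
]


def sandbox_verdict(trace, threshold=60):
    """Behavior-based detection over a recorded trace.
    Returns (verdict, score, names of the rules that fired)."""
    score, hits = 0, []
    for name, patterns, weight in BEHAVIOR_RULES:
        if all(any(fnmatch.fnmatchcase(ev, p) for ev in trace) for p in patterns):
            score += weight
            hits.append(name)
    return ("malicious" if score >= threshold else "clean"), score, hits


# Constructed traces, as a sandbox collection program might record them.
MALICIOUS_TRACE = [
    "file_write:C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe",
    "process_create:C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe",
    "registry_write:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
    "network_connect:203.0.113.7:443",
]
BENIGN_TRACE = [
    "file_write:C:\\Program Files\\Tool\\tool.exe",
    "process_create:C:\\Program Files\\Tool\\tool.exe",
    "network_connect:198.51.100.5:443",
]


def compare():
    """(antivirus verdict, sandbox verdict) for each constructed sample."""
    return {
        "known_sample": (antivirus_verdict(KNOWN_SAMPLE), sandbox_verdict(MALICIOUS_TRACE)[0]),
        "repacked_variant": (antivirus_verdict(VARIANT_SAMPLE), sandbox_verdict(MALICIOUS_TRACE)[0]),
        "benign_installer": (antivirus_verdict(BENIGN_SAMPLE), sandbox_verdict(BENIGN_TRACE)[0]),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The weighted score and threshold are there for a reason: a single behavior such as writing a Run key is also done by legitimate installers, so a behavior database judges on combinations of events rather than on any one of them, trading a few false positives for coverage of files no signature has seen.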