Detecting APT Activity with Network Traffic Analysis
Today's targeted attacks use a combination of social engineering, malware, and backdoor activities. Given the success of these targeted attacks, many seem more concerned with debating whether they are technically "advanced" than with focusing on the attack methods and the steps needed to improve network defenses.
Careful monitoring and investigation can help security researchers learn from the mistakes attackers make, giving us a glimpse into malicious operations. In fact, we can track campaigns over time by relying on a combination of technical and contextual indicators. This paper focuses on:
- Leveraging threat intelligence to detect APT activity;
- Using advanced detection techniques to identify covert communications to command and control (C&C) servers;
- Illustrating how even the most high-profile and successful attacks of the past few years could have been discovered.