Obviously, the closer to the beginning of the chain that one can detect and stop an attack, the better. Damballa's Foster says attackers "leave a trail of breadcrumbs that can lead right to the infected system. Understanding and analyzing this kill chain can be the key to implementing the appropriate defense controls at the necessary stage."
4. Look for indicators of compromise (IOCs)
This is connected to "kill chain" understanding. No organisation can stop every attack, so the IT team needs to know how to look for symptoms — or breadcrumbs. "This includes looking for the unique ways that an APT might communicate out of the network. Any unique DNS queries or websites it contacts are common IOCs," Williamson says.
"APTs will often customize their tools to their own needs, which will often provide the anomalies needed to distinguish an APT from normal traffic," he says. "They will also use a variety of common applications like remote desktop applications, proxies or encrypted tunnels to communicate. Unusual use of these and other applications can be key to finding a true APT. This, of course, requires IT to have a very solid baseline for what is normal in their networks."
Williamson says tracking user anomalies can help as well. "For example, users talking to an SQL server may be normal on the network, but very abnormal for a particular user."
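The two IOC checks described above, a per-user baseline that flags a service which is ordinary for the network but new for one user, and DNS domains never seen in the baseline window, as an added example (not from the article or any of the people quoted in it). All records, hosts, users and domains are constructed sample data.

```python
from collections import defaultdict

# Constructed sample connection records (user, destination host, port); not real data.
BASELINE_CONNS = [
    ("alice", "sql01", 1433), ("alice", "sql01", 1433), ("bob", "sql01", 1433),
    ("alice", "fileshare", 445), ("bob", "fileshare", 445), ("carol", "fileshare", 445),
    ("alice", "mail", 993), ("bob", "mail", 993), ("carol", "mail", 993),
]
# Constructed DNS names queried during the baseline window.
BASELINE_DNS = {"mail.example.internal", "fileshare.example.internal", "updates.example.com"}
# Constructed traffic from the window being hunted.
NEW_CONNS = [("alice", "sql01", 1433), ("carol", "sql01", 1433), ("bob", "rdp-jump", 3389)]
NEW_DNS = ["mail.example.internal", "a7f3k.update-cdn.example.net"]


def build_baseline(conns):
    """Per-user set of services seen, plus the set of users seen using each service network-wide."""
    per_user = defaultdict(set)
    users_per_service = defaultdict(set)
    for user, host, port in conns:
        per_user[user].add((host, port))
        users_per_service[(host, port)].add(user)
    return per_user, users_per_service


def find_connection_anomalies(conns, per_user, users_per_service, min_users=2):
    """Return (user, host, port, reason) for each connection outside this user's own baseline."""
    findings = []
    for user, host, port in conns:
        svc = (host, port)
        if svc in per_user.get(user, set()):
            continue  # this user has used the service before: within their baseline
        seen_by = users_per_service.get(svc, set())
        if len(seen_by) >= min_users:
            reason = "user_anomaly"   # normal on the network, abnormal for this user
        elif seen_by:
            reason = "rare_service"   # only a handful of users ever touched it
        else:
            reason = "new_service"    # nobody on the network used it during the baseline
        findings.append((user, host, port, reason))
    return findings


def find_new_dns_domains(queries, known):
    """Domains queried now that never appeared in the baseline window."""
    return sorted(set(queries) - set(known))


if __name__ == "__main__":
    per_user, users_per_service = build_baseline(BASELINE_CONNS)
    for finding in find_connection_anomalies(NEW_CONNS, per_user, users_per_service):
        print("connection:", finding)
    for domain in find_new_dns_domains(NEW_DNS, BASELINE_DNS):
        print("dns:", domain)
```

Real deployments feed this from proxy, firewall or resolver logs over a baseline window long enough to cover each user's normal workload; a too-short window turns routine activity into alerts.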
5. Test your network
This can include active analysis or sandboxing. "One of the best ways to determine if something is bad is to actually run it and see if it behaves badly," Williamson says.
Blogger Krebs adds that while there are vulnerability management tools to help close obvious holes, "there is no substitute for periodically hacking your own networks (or paying someone else to do it) to find out where you are vulnerable. As the saying goes, everyone gets pen-tested, whether or not they pay for it."
Krebs says he leans toward hiring someone from the outside. "To use a tired but apropos analogy, it is often quite difficult to see the forest for the trees when you are standing on the forest floor. Often, it takes an outsider who has a more holistic — and perhaps unbiased and APT-trained — view of things to spot a more systemic problem."
6. Support more training for APT hunters
Edwin Covert, a cybersecurity analyst and subject matter expert at Booz Allen Hamilton, argued recently in a post on Infosec Island that the industry needs a "new training model" for APT hunters, since the standard skills of an information security specialist are not enough.
"APT mitigation requires the ability to see things that are not readily apparent," he writes. "The CISSP [Certified Information Systems Security Professional] was designed for technical managers, not APT hunters."