While it isn’t exactly groundbreaking news that malware attackers are using social media to control their botnets, certain aspects are notable:
In each of these cases, the attackers’ remote activity looked like normal SSL-encrypted traffic to popular Internet sites, making it nearly impossible for packet inspection and netflow anomaly analysis tools to differentiate the malicious from benign activity.
If you can’t read the packet because it’s encrypted, it is very difficult to detect what it is doing.
Prevention efforts will typically not work against APT, Mandiant said. Instead of trying to stop APT intruders from using legitimate sites to compromise their networks, organizations should make it difficult for the APT intruders to stay in the breached network, ultimately making them “too expensive” to attack, according to Mandiant.
This is achieved when the security team can determine what the attacker is doing and to anticipate what the attacker will do next, Mandiant said. Organizations need to increase visibility across the enterprise by incorporating specialized monitoring systems that provide host- and network-based visibility, increased logging, and log aggregation, Mandiant said.
Host-based detection tools look for indicators that the host had been compromised as well as signs of the tools, tactics and procedures used by the attacker. These tools can find unknown malware because they aren’t looking for actual signatures like a traditional anti-virus, the researchers said. Network-based tools do the same search on network traffic. Mandiant researchers listed nine different logs security managers should be looking at regularly, including internal DNS server logs, DHCP logs, internal Web proxy logs, firewall logs with ingress/egress TCP header information, and external Webmail access logs. Log aggregation tools help managers correlate information from numerous sources, highlight critical information and indexes all information for easy searching. The security team can use all the information to effectively detect and remove the compromised host, repeatedly forcing the attacker to start over to regain control, Mandiant said.
Anton Chuvakin was right about logs all along!