How do you detect an APT?
By Phil Cox
This is the question of the day, and one that I have done a lot of thinking about. I have come up with the following straightforward, yet non-trivial-to-implement, process that I feel would best allow an organization to detect an APT occurring within its IT environment.
While the list is short, it is non-trivial to execute. It would take a decent amount of resources and time. I am convinced that if “completeness” is not the rule, then the goal of detecting APT is unrealistic. You’d be better off saving the time and effort and relying on luck. I am GUESSING (absolutely no empirical evidence to support this) that even following this process you are only 60% likely to detect an APT. That is still significantly better than my other gut feeling that you are < 10% likely without it.
I base some of this on the OCTAVE methodology (from CMU) for Risk Management, as I think it can get people through step 3 with modification.
1. Identify and document the top 5 high target business processes
   a. Note I say high target, not critical. While they may coincide, I won’t make the leap that they are guaranteed to be the same. If we are looking at APT, we want to look at what is most likely going to be the target.
2. Identify all operational and business workflows for the top 5
   a. This would include network traffic/flows
   b. Rank each in terms of effect if breached
3. Identify all information assets that are included in or used by those high target processes
4. Identify what an anomaly would look like if a 2.a occurred
5. Instrument SIEM to identify those anomalies
6. Perform a complete investigation, through remediation, of any alert from 5
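As an added illustration of steps 2 through 5 (this is example code, not part of the original post): one documented workflow's expected network flows (step 2.a) and asset inventory (step 3) are written down as a baseline, and sample flow records are checked against it the way a SIEM rule for step 5 would. The "payroll" workflow, the roles, the addresses and the flow records are all constructed for the example.

```python
# Added example: a documented business workflow expressed as a flow baseline,
# with sample netflow-style records checked against it for anomalies.

# Constructed baseline for a hypothetical "payroll run" workflow:
# (source role, destination role, destination port) -> hours it is expected.
BASELINE = {
    ("hr-workstation", "payroll-app", 443): range(8, 19),   # business hours only
    ("payroll-app", "payroll-db", 5432): range(0, 24),      # batch jobs run overnight
    ("payroll-app", "bank-gateway", 443): range(9, 17),
}

# Constructed asset inventory from step 3: which address plays which role.
ROLE_OF = {
    "10.1.1.10": "hr-workstation",
    "10.2.0.5": "payroll-app",
    "10.3.0.7": "payroll-db",
    "203.0.113.20": "bank-gateway",
}

def classify_flow(src, dst, dport, hour, bytes_out, byte_cap=5_000_000):
    """Return None if the flow matches the documented workflow, else a reason."""
    src_role = ROLE_OF.get(src, "unknown")
    dst_role = ROLE_OF.get(dst, "unknown")
    key = (src_role, dst_role, dport)
    if key not in BASELINE:
        return f"undocumented path {src_role}->{dst_role}:{dport}"
    if hour not in BASELINE[key]:
        return f"{src_role}->{dst_role}:{dport} outside expected hours (hour={hour})"
    if bytes_out > byte_cap:
        return f"{src_role}->{dst_role}:{dport} volume {bytes_out} exceeds baseline"
    return None

def scan(flows):
    """Run every record through classify_flow; return (index, reason) for anomalies."""
    return [(i, r) for i, f in enumerate(flows) if (r := classify_flow(*f))]

# Constructed sample records: (src, dst, dport, hour_of_day, bytes_out)
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.2.0.5", 443, 10, 12_000),           # normal
    ("10.2.0.5", "10.3.0.7", 5432, 2, 80_000),            # normal (db allowed 24h)
    ("10.2.0.5", "203.0.113.20", 443, 15, 40_000),        # normal
    ("10.3.0.7", "198.51.100.9", 443, 3, 900_000_000),    # db talking to an unknown host
    ("10.1.1.10", "10.2.0.5", 443, 23, 5_000),            # late-night access
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_FLOWS):
        print(f"flow {idx}: {reason}")   # flows 3 and 4 are flagged
```

Each flagged record is a candidate for the full investigation in step 6; everything else is by definition part of a workflow the organization has already written down.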