Advanced Persistent Threats are able to slip past even the most cutting-edge security defenses thanks in large part to a diabolically clever strategy. The threat actors behind successful APTs research the employees, practices and defenses of the organizations they want to attack. They may try to breach the defenses hundreds or thousands of times, then learn from their mistakes, modify their behavior, and finally find a way to get in undetected.
Once a network is breached, most APTs go into a stealth mode. They move slowly, laterally compromising other systems and inching toward their goals. Post-mortems from successful attacks often show that the time an APT breached a system to the time it was detected could be anywhere from six months to a year or more. And, they are often only detected after making that final big move where there is a huge exfiltration of critical data.
But what if you could turn the tables on APTs? Instead of focusing on your perimeter defenses, what if you assumed that APTs were already hiding in your network and you launched software specifically designed to hunt down these active, but hidden threats before they can do real damage?
For this review, we tested threat hunting systems from Sqrrl, Endgame and Infocyte. Each program was tested in a large demo environment seeded with realistic APTs which had bypassed perimeter defenses and were hiding somewhere within the network of virtualized clients and servers. We also snuck active threats past perimeter defenses to see how these threat hunting programs detected, caught and killed the current breed of apex predators of the threat landscape.