SP-025: Advanced Monitoring and Detection


Your browser does not support SVG files! We recommend you upgrade to the latest version of Firefox so you receive patterns with hyper-linked controls.


If your business operates in certain verticals, you may be the target of an Advanced Persistent Threat. The merits of this classification have been debated elsewhere, we use the term here as an archetype of all advanced attacks executed by skilled attackers who use social engineering, malware and 0-day exploits as the primary entry point into a target organisation. Persistence is the key differentiator, you were chosen not because you were the low hanging fruit in a vulnerability scan of your IP neighbourhood, but because you have assets of significant value to your agressor, and they will plan, attack and persist for as long as it takes.

Your response to this threat may have already included enhancing your technnical and procedural preventative control capabilities in an effort to reduce the probability of a security breach, but you know it only takes one vulnerability to be exposed, and at some point the persistence of your attacker will pay off. With this in mind, this pattern focuses on three objectives that will enable you to minimise the impact of a breach:

  • Find any bad guys who have breached your security as early as possible
  • Be prepared to combat them with advanced incident response capabilities
  • Define targets, test and continuously improve your readiness

The pattern is based on the CSA Critical Controls for Effective Cyber Defense with it's core principle that 'prevention is desirable, detection is a must'. Like all OSA patterns, we've strived to simplify the complexity inherent in a detailed design to provide the architectural insight necessary to execute, and to enhance its use and provide traceability we've linked the controls in this pattern to the CSA Critical Controls in the accompanying worksheet via each of the numeric indicators on thr right.

The perimeter is representative of any logical boundary so you may choose to implement all or parts of this pattern in any environment with high security requirements

As the pattern has a heavy dependence on the integrity of network flow data and infrastructure event logs, it is important that logged events are transmitted via a secure management network, shown in blue on this diagram. While this will not prevent local tampering it should reduce the potential for snooping and in-flight modification or filtering.

Key to the detection of an advanced attacker typified by APT is the ability to detect unauthorised changes to your environment, and to do this you must first establish precisely what you've built and deployed, and then be able to track all authorised and unauthorised changes to the state of that system over time. To meet the performance targets of the critical controls that relate to this objective will require significant maturity and collaboration between business application support, IT operations and your security function to create a strong configuration management culture.

When responding to a real or potential APT incursion, one of the unique perspectives is captured in this excerpt of an arcticle posted on the Cisco CSIRT Blog (link below):

During the aftermath of the public release of information about this intrusion (Aurora), many CSIRT team members discussed the impacts to their constituents and the appropriate actions for moving forward.  In one discussion, one of the attendees offered, "we have always sent infections to be re-imaged to mitigate risk/impact.  Now I am concerned that we may have been destroying the only link or evidence of a much deeper systemic problem that, until fixed, will be reused over and over again.  How can I tell the difference between an APT infection that I should monitor and investigate forensically versus the normal malware I send to have reloaded?"

This is a question which you will need to answer based on your assessment of the risk as part of implementing these controls. You may decide to implement and use gateway based Network Based Anomaly Detection as a correlation test, looking for signs of Command and Control egress activity. If you have the data you may use Network Security Monitoring techniques to analyse the compromised system's historical interactions with other systems in it's host environment to identify subsequent malicious activity inititated by the infected host. Another option is to live with the incusrion and put the system on a network monitoring watch list for a pre-agreed period before you reimage it. You have to decide the appropriate response based on your risk appetite, where you are on your security roadmap  and your team's skills, but what is certain is that in response to real or potential APT, 'clean and reimage' may no longer be the best response.

Assumptions: This pattern assumes that primary defensive layers have failed, and a malicious attacker has entered the environment and established an initial foothold.

Typical challenges: This pattern leverages many common controls, however it requires a considerable increase in operational maturity to reach each of the target control objectives outlined in the CSIS Critical Controls for Effective Cyber Defense.

Indications: You should apply this pattern if you believe you organisation may be likely target of a sophisticated blended attack charateristic of Advanced Persistent Threats.

Contra-indications: You should not attempt to implement all elements of this pattern unless your organisation has high operational maturity with respect to change and configuration management. Key detective controls in this pattern are dependent on accurate configuration management data.

Resistance against threats: This pattern can assist in limiting the spread and impact of an advanced breach through early detection and response.

Related patterns: Any other OSA patterns that are relevant

Classification: Module | Industry sector | Threat | Infrastructure area

Release: e.g. Draft 1 for review

Authors: Vinylwasp

Reviewer(s): Spinoza, Tobias


CSIS: 20 Critical Security Controls Version 4.1

  • Critical Control 1: Inventory of Authorized and Unauthorized Devices
  • Critical Control 2: Inventory of Authorized and Unauthorized Software
  • Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Critical Control 4: Continuous Vulnerability Assessment and Remediation
  • Critical Control 5: Malware Defenses
  • Critical Control 6: Application Software Security
  • Critical Control 7: Wireless Device Control
  • Critical Control 8: Data Recovery Capability
  • Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
  • Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
  • Critical Control 12: Controlled Use of Administrative Privileges
  • Critical Control 13: Boundary Defense
  • Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
  • Critical Control 15: Controlled Access Based on the Need to Know
  • Critical Control 16: Account Monitoring and Control
  • Critical Control 17: Data Loss Prevention
  • Critical Control 18: Incident Response and Management
  • Critical Control 19: Secure Network Engineering
  • Critical Control 20: Penetration Tests and Red Team Exercises

Cisco: Cisco CSIRT on Advanced Persistent Threat
Mitre.Org: Threat Based Defense
Damballa: In the Absence of an APT Silver Bullet, Practice Defense in Depth
Tripwire:  Intrusion detection and the kill chain
Lockheed Martin: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
Open-Source Security Tools: Fighting APT with Open Source Software
My open-source toolbox: NSM With Bro-IDS Part 1: First, you ...
Microsoft: Ten Immutable Laws Of Security (Version 2.0)


Control details:

AC-02 Account Management
AC-04 Information Flow Enforcement
AC-17 Remote Access
AC-18 Wireless Access Restrictions
AC-20 Use Of External Information Systems
AT-01 Security Awareness And Training Policy And Procedures
AU-01 Audit And Accountability Policy And Procedures
AU-02 Auditable Events
AU-06 Audit Monitoring, Analysis, And Reporting
AU-09 Protection Of Audit Information
AT-01 Security Awareness And Training Policy And Procedures
CA-02 Security Assessments
CM-01 Configuration Management Policy And Procedures
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-05 Access Restrictions For Change
CM-06 Configuration Settings
CM-09 Configuration Management Plan
CP-10 Information System Recovery And Reconstitution
IR-01 Incident Response Policy And Procedures
IR-03 Incident Response Testing And Exercises
IR-05 Incident Monitoring
IR-08 Incident Response Plan
PM-06 Information Security Measures of Performance
RA-01 Risk Assessment Policy And Procedures
RA-02 Security Categorization
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SA-03 Life Cycle Support
SA-06 Software Usage Restrictions
SA-07 User Installed Software
SA-08 Security Engineering Principles
SC-07 Boundary Protection
SI-03 Malicious Code Protection
SI-04 Information System Monitoring Tools And Techniques
SI-06 Security Functionality Verification
SI-07 Software And Information Integrity
SC-26 Honeypots