- HERMES: Threat Intelligence, Automated Analysis, Correlation
- APTSim: Advanced Persistent Threat Simulation
We all know by now that most of today's defenses are designed to defend against auditors and penetration testers. We also know that penetration tests do not reflect what today's attackers actually do.
AR has decided to try to address this problem and change the way active defense security is currently done. This diagram roughly represents the current process.
At each stage of the current process there is a problem.
* Vendor signatures are broad, covering millions of threats, exploits and malware; they generate large numbers of false positives and can only detect what is already broadly "known".
* Penetration testing only occurs once or twice a year and is essentially patch verification at this point.
* Patching does nothing against 0days, configuration and design flaws, or lateral movement with valid credentials.
* Real attacks are not being prevented or detected and few organizations have what's needed to address the problem once they have been compromised.
* Attackers change IPs constantly; it's a solved problem for them.
* Orgs are buying every tool out there but have no qualified staff to implement and maintain them.
Here is AR's proposed process:
NOTE: We must give a nod here to Mandiant and their IOC concept, which is brilliant.
In this process HERMES covers the first three points. HERMES performs ongoing intelligence collection on APT tools and activities. It also conducts automated dynamic, static, network and forensic analysis, which in turn generates reports, indicators of compromise and defensive signatures. Unlike other products, HERMES can use your company's standard build image for dynamic testing, so you know exactly how the threat affects your environment rather than just a stock WinXP or Win7 image. HERMES replaces much of the expensive and time-consuming reverse engineering process.
AR analysts then add notes concerning actors, victim industries, targeted data, etc. Finally, HERMES's back-end big data system provides correlation, so you can see and track connections between the attacks, actors, malware and IPs of a year ago and the attacks of today.
Once the defenses for these highly tactical, targeted IOCs have been put into place, APTSim comes into play. AR takes the tools and techniques used by APT actors and creates custom applications that do exactly what they do. We SIMULATE the exact APT attack, seen elsewhere against your colleagues and competitors, in your environment to ensure you don't fall victim to it as well.
These tools are run on your network on an ongoing, subscription basis rather than as a monolithic once-a-year event. AR provides your security and IT staff with frequent, small 1-3 page APTSim notifications of what was done, when, how, how it should have been detected, and, if it wasn't, all the information necessary to detect it in the future. This is in stark contrast to the 40-page "here is what isn't patched" reports that traditional penetration tests generate.
All of this means that your organization is in an ongoing cycle of constantly being notified, defended and tested against up-to-the-minute APT attacks, rather than simply scanned and exploited for old memory corruption and XSS bugs.
If you are an organization that has suffered losses from targeted attacks, is wrestling with staffing problems, and knows its expensive defenses have proven inadequate, this is what you have been looking for.
Contact info [at] attackresearch.com for more information.