Sophisticated Threats Require An Advanced Persistent Response

Advanced Persistent Response

Defenders have to step up and employ advanced response techniques to stop attackers from taking over their IT environments, according to a Trend Micro executive.

While organizations are concerned about Advanced Persistent Threats, the bigger worry is what the attacker does once inside the network, Tom Kellermann, vice-president of cyber-security at Trend Micro, wrote in a whitepaper released Aug. 14. Once inside, the adversary does more than receive and execute instructions from a remote command-and-control center. That intruder is spreading through the network, stealing data, and taking careful steps to remain hidden, Kellermann explained.

The attackers employ a number of steps to remain hidden, Kellermann said, such as patching the vulnerability they originally exploited so that no other intruder can use the same way in, and reducing how often the implant contacts its C&C server. Organizations need to detect intruders rapidly and act to remove the threat.

“This is a new and sophisticated threat which requires an advanced persistent response,” Kellermann said.

Detecting the intruder doesn’t mean immediately taking action, though. The IT department has to monitor the environment to identify all malicious parties, know what path they took within the environment, and understand exactly what the damage is. It requires patience, but it is critical to ensure the organization has the complete picture of what the current situation is, Kellermann said.

Security Analytics

Organizations need to shift some of their defensive energies towards diagnosis, Joe Gottlieb, president and CEO of Sensage, told SecurityWeek. In many cases, the evidence of the breach and the steps the attackers took are all in the logs the organization collected, but no one was paying attention, Gottlieb said. If there is no concerted effort to understand the information being collected and there is no situational awareness, then the organization is crippled in its response.

Logs are often used reactively, once the incident has happened, but they can also be used to see attacks as they develop, Gottlieb explained.

“This is not a time to go in all guns blazing,” Kellermann wrote.

Instead, defenders need to be able to correlate what is happening to other organizations with what is happening inside their own network, Kellermann said. Finding commonalities such as IP addresses, users, domains, and networks gives defenders the information they need to act.

“Firms need to increase the level of discomfort to the point where the adversary flees in search of easier prey,” Kellermann wrote.

Defenders often focus on known infections rather than on what is actually in the network, Andrew Brandt, director of threat research at Solera Networks, told SecurityWeek. Instead, they need to look for “tendrils of connections” to other servers and applications to track down what attackers are doing within the network, Brandt said.
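The three ideas above, using the logs an organization already collects (Gottlieb), correlating externally shared commonalities such as IP addresses, users and domains with internal activity (Kellermann), and following the “tendrils of connections” from a suspect host to other internal servers (Brandt), can be exercised on a handful of log lines. The script below is an added example written for this article, not code from Trend Micro, Sensage or Solera Networks. The log format, the sample events, the shared indicator list and the thresholds are all constructed assumptions; the only point it demonstrates is that a plain egress log, read with situational awareness, already carries the indicator hits, the regular low-frequency C&C contacts and the internal fan-out that the article says defenders tend to overlook.

```python
"""Correlate shared indicators and connection patterns against egress logs.

Added example, not from the article. Log format, sample events, indicator
set and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample egress/firewall log lines (not real data):
# timestamp  source-host  user  destination  destination-port
SAMPLE_LOGS = """\
2012-08-14T09:00:01 ws-17 alice 203.0.113.50 443
2012-08-14T09:30:02 ws-17 alice 203.0.113.50 443
2012-08-14T10:00:01 ws-17 alice 203.0.113.50 443
2012-08-14T10:30:03 ws-17 alice 203.0.113.50 443
2012-08-14T09:05:00 ws-17 alice fileserver-02 445
2012-08-14T09:06:00 ws-17 alice db-01 1433
2012-08-14T09:07:00 ws-17 alice hr-app 8080
2012-08-14T09:08:00 ws-17 alice mail-01 25
2012-08-14T09:10:00 ws-22 bob updates.example.net 80
2012-08-14T09:11:00 ws-22 bob fileserver-02 445
"""

# Constructed stand-in for indicators shared by peer organizations
SHARED_INDICATORS = {
    "ips": {"203.0.113.50"},
    "domains": {"bad.example.org"},
    "users": set(),
}

# Assumed internal address space; bare hostnames are treated as internal too
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_logs(text):
    """Parse the constructed log format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, dst, port = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "dst": dst, "port": int(port)})
    return sorted(events, key=lambda e: e["ts"])


def is_external(dst):
    """External = public IP literal or dotted hostname (constructed convention)."""
    try:
        addr = ip_address(dst)
    except ValueError:
        return "." in dst
    return not any(addr in net for net in INTERNAL_NETS)


def match_indicators(events, indicators):
    """Correlate destinations and users with the shared indicator set."""
    hits = []
    for e in events:
        if e["dst"] in indicators["ips"] or e["dst"] in indicators["domains"]:
            hits.append((e["src"], e["dst"], "destination"))
        elif e["user"] in indicators["users"]:
            hits.append((e["src"], e["user"], "user"))
    return hits


def find_beacons(events, min_contacts=4, max_jitter_s=120):
    """Flag host->external pairs whose contacts recur at near-constant intervals.

    A reduced contact frequency still leaves a regular cadence in the log; the
    inter-arrival spread is compared against max_jitter_s (an assumed value).
    """
    by_pair = defaultdict(list)
    for e in events:
        if is_external(e["dst"]):
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_contacts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            beacons[pair] = {"contacts": len(stamps),
                             "mean_interval_s": round(sum(gaps) / len(gaps))}
    return beacons


def internal_fanout(events, threshold=3):
    """Count distinct internal destinations per source host (the 'tendrils')."""
    seen = defaultdict(set)
    for e in events:
        if not is_external(e["dst"]):
            seen[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in seen.items() if len(d) >= threshold}


def triage(text=SAMPLE_LOGS, indicators=SHARED_INDICATORS):
    """Run all three checks over one log extract and return the findings."""
    events = parse_logs(text)
    return {"indicator_hits": match_indicators(events, indicators),
            "beacons": find_beacons(events),
            "fanout": internal_fanout(events)}


if __name__ == "__main__":
    for name, finding in triage().items():
        print(name, finding)
```

On the constructed sample, ws-17 is reported three ways at once: its destination matches a shared indicator, its four contacts to that address are spaced almost exactly 30 minutes apart, and it has reached four distinct internal servers. That convergence is what the article means by having the complete picture before acting; ws-22, which touched only one internal host and a dotted update domain, produces no finding.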

Trend Micro research has found that over 90 percent of enterprise networks contain active malware, with one new threat created every second, Kellermann said. Focusing on the malware alone is no longer enough, and traditional defenses have been “rendered obsolete,” he concluded.
