It all starts with APT.
An APT (Advanced Persistent Threat) attack is a targeted attack: the entire process of a series of directed attacks aimed at obtaining important information from an organization or even a country. APT attacks use a variety of attack methods, including the most advanced technical methods and social engineering, to gain access to the organization step by step. APT often uses people inside the organization as a springboard for the attack. Sometimes the attacker writes a special attack program for the target instead of using generic attack code. In addition, APT attacks are persistent, sometimes for years. This persistence shows in the attacker's constant attempts with different attack methods, long-term dormancy after infiltrating the network, and continuous collection of information until the important information has been obtained. More dangerously, these new attacks and threats are mainly aimed at important national infrastructures and units, including network infrastructures related to the national economy and people's livelihood, such as energy, electricity, finance and national defense, or at the core interests of the country.
Why did the existing technology fail?
Let us first look at two typical APT attack cases and analyze where the blind spots lie:
1. The RSA SecurID theft
1) The attacker sent two sets of malicious emails to four employees of EMC, the parent company of RSA. The subject of the email was "2011 Recruitment Plan", the sender was webmaster@Beyond.com, and the body was very simple: "I forward this file to you for review. Please open and view it." There was an Excel attachment named "2011recruitmentplan.xls".
2) Unfortunately, one of the employees was interested in this email and pulled it out of the spam folder to read it, not knowing that the spreadsheet actually contained the latest 0-day vulnerability for Adobe Flash (CVE-2011-0609). When this Excel file is opened, the first cell of the spreadsheet contains nothing but an "X" (cross), and that cross is actually an embedded Flash object.
3) The host was implanted with the notorious Poison Ivy remote access tool, which downloaded instructions from the botnet's C&C server (at good.mincesur.com) to carry out tasks.
4) The first victims were not "high-level" people; afterwards, related personnel, including IT and non-IT server administrators, were compromised one after another.
5) RSA found that a staging server had been intruded upon. The attacker withdrew immediately, encrypted and compressed all the data (all in rar format), sent it to a remote host over FTP, and then quickly withdrew from the host again, removing any traces.
6) After the attacker had obtained the SecurID information, they began to attack companies that use SecurID (such as the defense companies mentioned above).
2. The Stuxnet attack
In fact, the computer system of the nuclear power plant attacked by Stuxnet was physically isolated from the outside world (air-gapped), and in theory could not be attacked from outside. A strong fortress can only be broken from the inside, and Stuxnet made full use of this. The attackers behind Stuxnet did not spread the virus on a large scale; instead they launched infection attacks against Internet-connected computers of the relevant plant staff, such as their home computers and personal computers, as the first springboard, and from there infected the USB flash drives of those people. Using a USB flash drive as the bridge, the virus entered the "fortress" and then lay dormant. It spread patiently and gradually, exploiting various vulnerabilities, including a vulnerability that was a 0-day at the time, and sabotaged the system bit by bit. This is a very successful APT attack, and the most alarming thing is how skilfully it controlled the scope of the attack and how precise the attack was.
From these two typical APT attack cases, we can see that modern security defenses have three main blind spots against APT attacks:
1. 0-day vulnerabilities and remote encrypted communication
The most important theoretical basis of modern network security technology is signature (feature) matching, which is widely used in all mainstream network security products: antivirus, intrusion detection/prevention, vulnerability scanning, deep packet inspection and so on. A 0-day vulnerability and encrypted remote communication both mean that there is no signature, or that one has not yet been accumulated, which perimeter protection based on signature matching cannot handle.
2. Long-term, sustained attacks
Modern network security products treat real-time response as an important measure of system capability, and their goal is to accurately identify threats and block them in real time. For slow, incremental (salami-slicing) attacks like APT, detection technology based on individual points in time is hard to apply.
3. Intranet attacks
Any defense system divides the network into security domains, and the intranet is usually treated as the trusted domain. Communication within the trusted domain is not monitored and becomes a blind spot. The security scheme for access terminals needs to be strengthened, but that is beyond the scope of this article.
How does big data solve the problem?
Big data can be summarized as data mining on top of distributed computing, which is easiest to understand by contrasting it with traditional data processing modes:
1. Data sampling -> the complete set of raw data
2. Small data + big algorithm -> big data + small algorithm + context correlation + knowledge accumulation
3. Model-based algorithms -> exhaustive mechanical enumeration of the data (no prior hypothesis)
4. Accuracy + real time -> prediction while the process is still under way
Using the ideas of big data, modern network security technology can be improved as follows:
1. Analysis of specific protocol messages -> full-stream raw data capture
2. Real-time data + complex model algorithms -> long-term full-traffic data + multiple simple mining algorithms + context correlation + knowledge accumulation
3. Real time and automation -> early warning while the attack is under way + manual investigation
Traditional security defenses have difficulty detecting advanced persistent attacks. Enterprises should first establish the normal behavior patterns of users and business systems on their daily networks, so that they can determine as early as possible whether their networks and data are under attack. Security vendors can use big data technology to process the patterns of events and of attacks, together with their temporal, spatial and behavioral characteristics, and summarize and abstract them into models that become big data security tools. To describe threat characteristics accurately, the modeling process may take months or even years, and enterprises need to invest a great deal of manpower, material and financial resources to reach that goal. However, by integrating big data processing resources, coordinating big data processing and analysis mechanisms, and sharing key model data among databases, the modeling of advanced persistent attacks can be accelerated, and the harm they cause can be eliminated and controlled.
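The contrast between blind spot 2 (a real-time rule evaluated at one point in time) and the improved approach (long-term data, simple mining, context correlation, knowledge accumulation, and a learned baseline of normal behavior) can be shown in code. The following is an added example, not code from the original article: it runs a per-event size threshold and a per-host daily baseline over a constructed outbound-transfer log in which one host slowly pushes many small uploads to a destination never seen during the baseline period. Host names, the destination address and the byte counts are constructed values.

```python
"""Point-in-time thresholds vs. long-window baselining over constructed logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed outbound-transfer records: "timestamp,src_host,dst_host,bytes".
# Days 1-14 are the baseline; from day 15 "ws-07" pushes many small uploads
# to a destination never seen during the baseline (a low-and-slow pattern).
LOG = []
for day in range(1, 22):
    for host in ("ws-03", "ws-07"):
        LOG.append(f"2011-03-{day:02d}T09:00:00,{host},files.corp.internal,"
                   f"{180_000 + (day % 5) * 4_000}")
for day in range(15, 22):
    for hour in range(8, 18):
        LOG.append(f"2011-03-{day:02d}T{hour:02d}:15:00,ws-07,203.0.113.9,95000")

def parse(lines):
    """Return (timestamp, src, dst, bytes) tuples from the CSV-style records."""
    out = []
    for line in lines:
        ts, src, dst, size = line.split(",")
        out.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return out

def point_in_time_alerts(events, threshold=1_000_000):
    """Real-time rule: alert on any single transfer above the threshold."""
    return [(ts, src, dst) for ts, src, dst, size in events if size > threshold]

def long_window_alerts(events, baseline_days=14, z=3.0):
    """Compare each host's daily outbound volume with a baseline learned over
    baseline_days, and attach destinations not seen while learning it."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    known_dst = defaultdict(set)                   # host -> baseline destinations
    cutoff = min(ts for ts, *_ in events).date() + timedelta(days=baseline_days)
    for ts, src, dst, size in events:
        daily[src][ts.date()] += size
        if ts.date() < cutoff:
            known_dst[src].add(dst)
    alerts = []
    for host, per_day in daily.items():
        base = [v for d, v in per_day.items() if d < cutoff]
        mu, sigma = mean(base), pstdev(base) or 1.0
        for d, v in sorted(per_day.items()):
            if d >= cutoff and (v - mu) / sigma > z:
                new = {dst for ts, s, dst, _ in events
                       if s == host and ts.date() == d} - known_dst[host]
                alerts.append((host, d.isoformat(), v, sorted(new)))
    return alerts
```

Every individual upload stays under the per-event threshold, so the real-time rule never fires, while the daily volume of ws-07 against its own baseline, correlated with the previously unknown destination, flags each day of the slow exfiltration.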