Mittwoch, 11. Juli 2012
In the past week one of the most exciting(*) news was the (more or less) final detection of the Higgs boson. So far so good, but what does it have to do with digital security? Well, the existence of the Higgs boson was predicted many years ago and physicists knew much about the particle without having seen it. And at least from my perspective an APT attack is something very similar. You somehow know that a successful intrusion into your network might exist but it's very hard to detect it. If this comparison is true then there might be something that security professionals can learn from physicists.
Let's therefore see what the researchers did in order to detect the Higgs boson.
First of all physicists knew that if the particle really exists than it must have some special relatively well known properties. Starting from the assumption of the existence of a particle with these properties they analyzed what kind of reactions (incidents) should be observable. For sure the Higgs boson itself cannot be seen directly but only secondary so called decay products could be observed. Therefore the scientists build detectors especially designed for the purpose of measuring and identifying these decay products. It's important to mention that at least most of the detector parts where not newly invented but just existing detector concepts were rearranged in order build larger detector arrays.
What does did mean now for APT "scientists"?
Just like the Higgs boson the primary APT attack itself will not be observed directly e.g. by an IDS or AV signature. So if we want to detect it we must focus on trying to observe secondary reactions. What could these secondary reactions be, what could they look like? Is it necessary to invent new detectors? I think it's not! Just like the large detectors at CERN are built of rearranged standard detectors we can make use of existing detection technologies like IDS alarms, firewall logs or netflow traces and make them work together as a kind of detector array. That's not really something brand new, we call it network security monitoring (NSM) and e.g. at TaoSecurity you can read much about it. Nevertheless it might be worth to take a closer look at the methods and techniques nuclear physicists use and see what we can learn from it.
Does that seem strange to you or do you also see the analogy? If you are interested in further details then stay tuned, there's more to come ...
(*) Believe it or not: For some physicists it would have been even more exciting if the Higgs boson was not detected.