Detecting APT Activity with Network Traffic Analysis

Serguei Tchesnokov

Serguei Tchesnokov is a Senior SIEM Consultant at ScienceSoft. He is an IBM-certified Security Professional with an 11-year background in security information and event management and 17 years of work experience in information technology. His portfolio includes projects on the architecture design, integration and deployment of security solutions based on IBM Security QRadar SIEM, IBM TSIEM/TCIM and IBM Security Identity Manager (SIM) for healthcare, banking, financial and governmental organizations.

Advanced persistent threats (APTs) continue to expand their geography and target not only large organizations but also small companies. As an indicator of this trend, the APT protection market continues to grow: according to a Radicati Group report, annual revenue from APT protection solutions will reach $7.5 bn by 2021.

Detecting APT activity with network traffic analysis

For timely APT detection, a company should combine several methods: SIEM solutions, IPS/IDS systems, antivirus software, firewalls and network traffic analysis. The latter is considered a mandatory element of APT protection; its basic mission is to distinguish legitimate from illegitimate traffic, which can be done with an array of methods that differ in their scope of application.

This article walks through a series of questions about the role of network traffic analysis in resisting APTs.

How to identify malware communication with a C&C server

Check IP address

Having infiltrated a network, malware communicates with a command and control (C&C) server. This communication can be identified with the help of IP address blacklists: many information security resources (for example, IBM X-Force) publish ranges of botnet IP addresses. Check whether there are any communications with IP addresses from C&C blacklists in your network.
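The blacklist check described above, as an added example that is not code from the article or from any of the products it mentions: a small Python script that parses a feed of CIDR ranges and single addresses and matches flow records against it. The feed contents, the flow records and the NetFlow-like record shape `(src, dst, dst_port, bytes)` are constructed assumptions; the addresses come from the RFC 5737 documentation ranges, so none of them is a real indicator.

```python
# Added example (not from the article): matching flow records against a
# C&C IP blocklist. The feed and the flows below are constructed sample data.
import ipaddress

# Constructed feed in the shape a threat-intelligence source might publish:
# comments, CIDR ranges and single addresses, one per line.
BLOCKLIST_FEED = """
# constructed sample feed, documentation-only address space
203.0.113.0/24
198.51.100.7
"""

def load_blocklist(feed: str):
    """Parse a feed of CIDR ranges / single addresses into network objects."""
    nets = []
    for line in feed.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # strict=False lets a single address through as a /32 (or /128)
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_blocklisted(ip: str, nets) -> bool:
    """True if the address falls inside any blocklisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

# Constructed flow records: (src, dst, dst_port, bytes). Two of them reach
# blocklisted space, the others are ordinary traffic.
SAMPLE_FLOWS = [
    ("10.0.0.15", "203.0.113.44", 443, 5120),
    ("10.0.0.15", "192.0.2.10", 443, 12000),
    ("10.0.0.22", "198.51.100.7", 6667, 800),
    ("10.0.0.30", "192.0.2.10", 80, 3000),
]

def find_c2_flows(flows, nets):
    """Return flows whose source or destination is in a blocklisted range."""
    hits = []
    for src, dst, port, nbytes in flows:
        if is_blocklisted(dst, nets) or is_blocklisted(src, nets):
            hits.append((src, dst, port, nbytes))
    return hits

if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_FEED)
    for hit in find_c2_flows(SAMPLE_FLOWS, nets):
        print("flow to blocklisted address:", hit)
```

Two points worth keeping in mind when turning this into a SIEM rule: a blacklist only covers infrastructure that has already been reported, so an empty result is not evidence that the traffic is clean, and matching by range rather than exact address catches hosts in a reported netblock that the feed did not list individually.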

Pay attention to IRC and P2P signatures

Botnets communicate using certain protocols. The protocol type serves as a criterion for botnet classification:

  • IRC (Internet Relay Chat) protocol-based – first generation.
  • P2P (peer-to-peer) protocol-based – second generation.
  • HTTPS (Hypertext Transfer Protocol Secure) protocol-based – third generation, the most advanced and the hardest to identify because the traffic is encrypted.

Some SIEM systems include components (for example, IBM® QRadar® QFlow Collector) that analyze network packets and identify IRC and P2P signatures.
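An added example of what an IRC signature check looks like at the payload level (this is illustrative code, not the article's and not how QFlow Collector is implemented): it looks for IRC command verbs at the start of lines in a reassembled TCP stream, independent of the port, and only flags a stream when several distinct verbs appear, so a lone word such as `PING` in some other protocol does not trigger it. The stream payloads and the `(src, dst, dst_port)` keys are constructed sample data.

```python
# Added example (not the article's or any vendor's code): a minimal layer-7
# IRC signature over reassembled TCP payloads. Sample streams are constructed.
import re

# IRC client lines are "[:prefix ]COMMAND params"; match the common verbs at
# the start of a line, with or without a prefix.
IRC_CMD = re.compile(
    rb"^(?::[^\s]+\s+)?(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE|TOPIC)\b",
    re.MULTILINE,
)

def irc_commands(payload: bytes) -> set:
    """Return the set of IRC command verbs seen at line starts in the payload."""
    return {m.group(1).decode() for m in IRC_CMD.finditer(payload)}

def looks_like_irc(payload: bytes, min_distinct: int = 2) -> bool:
    """Flag a stream as IRC when at least `min_distinct` different verbs appear.
    Requiring more than one verb keeps a stray 'PING' in an unrelated protocol
    from matching the signature."""
    return len(irc_commands(payload)) >= min_distinct

# Constructed streams keyed by (src, dst, dst_port).
SAMPLE_STREAMS = {
    # an IRC session on a non-standard port, the case port-based rules miss
    ("10.0.0.22", "10.0.0.200", 8080):
        b"NICK bot1234\r\nUSER bot 0 * :bot\r\nJOIN #ctrl\r\nPRIVMSG #ctrl :ready\r\n",
    # a plain HTTP request
    ("10.0.0.15", "192.0.2.10", 80):
        b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    # unrelated text that happens to start with the word PING
    ("10.0.0.30", "192.0.2.20", 9000):
        b"PING received, status ok\r\n",
}

def scan_streams(streams):
    """Return the keys of all streams that match the IRC signature."""
    return [key for key, payload in streams.items() if looks_like_irc(payload)]

if __name__ == "__main__":
    for src, dst, port in scan_streams(SAMPLE_STREAMS):
        print(f"IRC-like stream {src} -> {dst}:{port}")
```

In a real deployment the interesting output is the combination of this match with policy: IRC to an internal host on a port the network policy does not allow is exactly the internal-botnet indicator discussed later in the article.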

Use behavioral analysis

Three-vector network behavioral analysis comprises traffic pattern analysis, system activity analysis and sandboxing. This article concentrates on traffic pattern analysis.

SIEM systems build a baseline of network traffic that reflects the normal communication patterns of the primary network servers. Any deviation from this pattern is a warning sign, and the SIEM system reacts by generating an offense.

Opt for traffic pattern analysis

Traffic pattern analysis is widely used for the following purposes:

To detect unknown threats

Among the variety of threat detection techniques, traffic pattern analysis proves to be the most effective tool for detecting unknown threats (a.k.a. zero-day exploits). Usually, security administrators configure the range of IP addresses each server in the local network is expected to communicate with. When a server starts communicating outside this range, it may be a signal that the unknown IP address belongs to a botnet.

Success in zero-day exploit detection largely depends on the ability of security software to extrapolate the identification methods for known APTs to unknown ones. Typically, malware is able to do at least one of the following: spread across the network, infect files, conceal itself, transmit data out of the affected environment, communicate with a C&C server and make use of polymorphic techniques. Thus, malicious software varies in function, but it has common traits that can also be traced in zero-day malware.

To detect an internal C&C server

Botnets can be organized right inside a private network. Network defenses placed at the perimeter are unable to detect the suspicious traffic, because the communication occurs internally. In such a case, we cannot resort to external IP address identification, because there is no communication with external servers.

SIEM systems get information about internal traffic from network switches. To notice deviations from the baseline of internal network traffic, security administrators employ traffic pattern analysis. Another way to identify a connection to an internal C&C server is layer 7 (application) traffic analysis, which includes signature and payload analysis of network packets. If IRC or P2P communications forbidden by the private network's policies are detected, it may indicate that someone has set up an internal botnet.

To detect malware communication with trusted sources

A classic example is Trojan malware communication, when malicious data from what is believed to be a trusted source is disguised as legitimate communication and penetrates your network. In the Trojan.Gmail targeted attack, an e-mail from a spoofed address carried a malicious PDF attachment. The PDF file exploited an Adobe Reader vulnerability, injected malware into the targeted system and modified the Internet Explorer browser: every time the browser was opened, the malware logged into a Gmail account. In this case, traffic pattern analysis lets security administrators observe a spike in network traffic to e-mail hosts, which serves as a starting point for further network inspection.

To detect malware communications via HTTPS

As mentioned above, the HTTPS generation of botnets is the most advanced because of the protocol's encryption. Today, decrypting HTTPS without the decryption key is hardly possible. Nevertheless, even for HTTPS communication we can resort to traffic pattern analysis, which allows identifying traffic deviations within a certain timeframe as well as estimating traffic volume and the number of connections from one IP address.
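The baseline-and-deviation idea that runs through the sections on behavioral analysis, unknown threats and HTTPS traffic, as one added example (illustrative Python, not the article's or any SIEM vendor's code): for each server it keeps the peer ranges the administrator expects, plus a per-window history of bytes sent and connection counts, and flags the current window when volume or connection count leaves the historical range or when the server talks to a peer outside its expected ranges. None of this needs the payload, which is why it still applies to encrypted traffic. The server, its expected ranges, the 24-hour history and both sample windows are constructed assumptions; the 3-sigma threshold is an arbitrary choice for the example.

```python
# Added example (not the article's or any vendor's code): a small traffic
# pattern baseline over flow records. All history and flow data are constructed.
import ipaddress
import statistics
from collections import defaultdict

# Constructed policy: the ranges server 10.0.0.5 is expected to talk to.
EXPECTED_PEERS = {
    "10.0.0.5": [ipaddress.ip_network("10.0.0.0/16"),
                 ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed history for 10.0.0.5: (bytes_out, connections) for each of the
# last 24 one-hour windows, roughly 5.0-5.4 MB and 40-42 connections per hour.
HISTORY = {
    "10.0.0.5": [(5_000_000 + (i % 5) * 100_000, 40 + (i % 3)) for i in range(24)],
}

def baseline(samples):
    """Mean and population std-dev of bytes and of connections over the history."""
    b = [s[0] for s in samples]
    c = [s[1] for s in samples]
    return ((statistics.mean(b), statistics.pstdev(b)),
            (statistics.mean(c), statistics.pstdev(c)))

def summarize_window(flows):
    """Aggregate (src, dst, bytes) flow records into per-source totals and peer sets."""
    totals = defaultdict(lambda: {"bytes": 0, "conns": 0, "peers": set()})
    for src, dst, nbytes in flows:
        t = totals[src]
        t["bytes"] += nbytes
        t["conns"] += 1
        t["peers"].add(dst)
    return totals

def deviations(flows, history, expected_peers, z_threshold=3.0):
    """Return (server, reason) findings for the current window."""
    findings = []
    for server, stats in summarize_window(flows).items():
        if server not in history:
            continue  # only servers with a baseline are evaluated here
        (mb, sb), (mc, sc) = baseline(history[server])
        if sb and abs(stats["bytes"] - mb) / sb > z_threshold:
            findings.append((server, f"bytes_out {stats['bytes']} vs baseline {mb:.0f}"))
        if sc and abs(stats["conns"] - mc) / sc > z_threshold:
            findings.append((server, f"connections {stats['conns']} vs baseline {mc:.0f}"))
        allowed = expected_peers.get(server, [])
        for peer in sorted(stats["peers"]):
            if allowed and not any(ipaddress.ip_address(peer) in n for n in allowed):
                findings.append((server, f"peer {peer} outside expected ranges"))
    return findings

# Constructed current windows: one normal, one with the usual 41 small flows
# plus a single large upload to an address outside the expected ranges.
NORMAL_WINDOW = [("10.0.0.5", f"10.0.3.{i}", 125_000) for i in range(1, 42)]
SUSPICIOUS_WINDOW = NORMAL_WINDOW[:] 
SUSPICIOUS_WINDOW = ([("10.0.0.5", f"10.0.3.{i}", 120_000) for i in range(1, 42)]
                     + [("10.0.0.5", "203.0.113.9", 1_500_000)])

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("suspicious", SUSPICIOUS_WINDOW)):
        print(name, deviations(window, HISTORY, EXPECTED_PEERS) or "no deviation")
```

The suspicious window trips two of the three checks (volume and an unexpected peer) while its connection count stays within the baseline, which is the kind of partial signal a SIEM turns into an offense for an analyst to inspect rather than a verdict on its own. A history with very little variance makes the z-score test sensitive, so in practice the threshold and the window length are tuned per server.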

No universal cure

As there is no universal cure for all diseases, there is no one-size-fits-all method to combat advanced persistent threats. Network traffic analysis (traffic pattern analysis in particular) is a useful technique, but it does not guarantee 100% malware detection. Still, it is possible to maximize your APT protection with the help of information security consultants who configure custom traffic analysis rules for a particular environment.

Do you want to keep your business data safe? We offer information security consulting services that address security challenges of any complexity.