Mandiant's "Indicator of Compromise" (IOC) -- Part 2

Well, lots has happened since my last blog post. I'll try to focus on the things about APT and IOC that might interest you.

Mandiant had some interesting presentations about IOC and released the free tool IOCe to create them. There's also a forum about OpenIOC.

• State of the Hack: ABCs of IOC (May 24, 2010)

• Fresh Prints of Mal-ware: 0x1,0x2,0x3s of IOC (Aug 26, 2010)
  

So there's the long overdue update on IOC.

Lots of other interesting things to talk about... as soon as I find time to write more :-)

Are all these APT?

Would you agree, that all the following are connected to the APT? What else is missing?

• Operation Aurora
• Mariposa Botnet
• GhostNet
• Shadow network

Here are some interesting posts, articles and papers supporting this:

More than 100 companies targeted by Google hackers
The attack was larger than initially thought

"ISec Partners has published technical recommendations for companies to follow in order to mitigate the Aurora risk."

Security industry faces attacks it cannot stop
Analysis: Today's security products not much help for advanced persistent threat attacks

Update: Researchers track cyber-espionage ring to China
'Shadow' network detailed in report Tuesday by the Information Warfare Monitor
>>> http://shadows-in-the-cloud.net/ <<<

Targeted cyberattacks test enterprise security controls
Instead of prevention, the real focus should be attack mitigation

After Google-China dust-up, cyberwar emerges as a threat
The episode highlighted cyberthreats facing the U.S., but it's not a war -- yet

Update 24/04/2010:

Thanks Richard for the correction in your comment. I think I was mislead by the mention of Mariposa Botnet and APT in the same paragraph on several posts. But when re-reading it again, it does not make a connection between the two (except maybe that the usual security devices failed on both).

http://www.cio.com/article/574563/Security_Industry_Faces_Attacks_it_Cannot_Stop

http://www.blackhatsolutions.com/companynews/update_security_industry_faces_attacks_it_cannot_stop/

"The big news at the show had to do with the takedown of the Mariposa botnet -- a massive network of hacked computers that has infectedhalf of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.

Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe."

Mandiant's "Indicator of Compromise" (IOC)

There's another interesting approach from Mandiant:

Combat the APT by Sharing Indicators of Compromise (IOC)

"At DoD CyberCrime 2010 MANDIANT will formally release this format and tools to leverage it in your investigations today. We’ll have full coverage of the release on M-unition – stay tuned."

There's also a Google Group about IOC. But are there any tools available yet, or any IOC's?

I'll update when I find out.

Commercial products against APT -- useful or useless?

If money is not an issue to your company...

Here are some commercial products that could help in identification (and possibly remediation) of APT infections:

• Mandiant Intelligent Response
• HBGary - Responder Professional
• Damballa's Failsafe Solution and APT-Audit

If you have experiences with these products or know other solutions along this line, please contact me.

In this blog I would like to explore how to identify APT infections with freely available tools (like the one's from Mandiant and others) and maybe custom scripts.

Mandiant's webinar "Fresh Prints: Malware Behaving Badly" covers some details that I would like to dive into. The "Malware Rating Index" (MRI) in the free software Audit Viewer sounds interesting.

*** Disclaimer: I'm not affiliated with any of the companies linked in this blog ***

how do you un-bunch your panties?

Here's a funny (in some ways) post on ZDnet from Matthew Olney:
Advanced Persistent Threats: Should your panties be in a bunch, and how do you un-bunch them?

2. Your APT definition should be:
   “APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.”

Enjoy!

First blog, first post...

This is yet another blog about APT (if you don't know what this stands for, you're in the wrong place or need to read on).

It's dedicated to share interesting (in my opinion) links to APT resources, and some of the most interesting facts of each link (only when I have spare time).

The blog title should be a word game from "capture the APT". The main topic will be how to be able to identify (and maybe remediate) APT infected systems.

If you have suggestions for additional resources or if you find incorrect facts on here, please email me (toms.security.stuff@gmail.tld -- you should know the TLD of gmail, starts with a 'C' and ends with 'OM').

Here's an interesting paper from Deloitte:
Cyber crime: a clear and present danger -- Combating the fastest growing cyber security threat

One of my favorite sites is the one from Mandiant (not just because of the great free IR tools they offer). They also have services about APT and the M-Trends report is a good read, too. I can also recommend their M-unition blog and their presentations, especially the latest one "State of the Hack: Silent But Deadly" from March 11 (slides, video, audio available).

Another blog I like to read is from Damballa: The Day Before Zero
The post "The Truth About Two Malware Families Related to Operation Aurora" makes a connection from Fake-AV Malware to Operation Aurora. I see lots of Fake-AV events from infected websites and Blackhat SEO Google redirects. Should I be worried now?

I don't want to spill all the best links at once, so I will write more later...

Thanks for stopping by and please come back again :-)

*** Disclaimer: I'm not affiliated with any of the companies linked in this blog.
I won't tell you what company I work for, unless you find out yourself. ***