Sunday, March 28, 2010

Commercial products against APT -- useful or useless?

If money is not an issue for your company...

Here are some commercial products that could help in identification (and possibly remediation) of APT infections:

If you have experiences with these products or know other solutions along this line, please contact me.

In this blog I would like to explore how to identify APT infections with freely available tools (like the ones from Mandiant and others) and maybe custom scripts.

Mandiant's webinar "Fresh Prints: Malware Behaving Badly" covers some details that I would like to dive into. The "Malware Rating Index" (MRI) in the free software Audit Viewer sounds interesting.

*** Disclaimer: I'm not affiliated with any of the companies linked in this blog ***

Friday, March 26, 2010

how do you un-bunch your panties?

Here's a funny (in some ways) post on ZDNet from Matthew Olney:
Advanced Persistent Threats: Should your panties be in a bunch, and how do you un-bunch them?

  1. Your APT definition should be:
    “APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.”


First blog, first post...

This is yet another blog about APT (if you don't know what this stands for, you're in the wrong place or need to read on).

It's dedicated to sharing interesting (in my opinion) links to APT resources, along with the most interesting facts from each link (only when I have spare time).

The blog title is a play on "capture the APT". The main topic will be how to identify (and maybe remediate) APT-infected systems.

If you have suggestions for additional resources or if you find incorrect facts on here, please email me (

Here's an interesting paper from Deloitte:

Cyber crime: a clear and present danger -- Combating the fastest growing cyber security threat

One of my favorite sites is the one from Mandiant (not just because of the great free IR tools they offer). They also have services about APT, and the M-Trends report is a good read, too. I can also recommend their M-unition blog and their presentations, especially the latest one, "State of the Hack: Silent But Deadly" from March 11 (slides, video, audio available).

Another blog I like to read is from Damballa: The Day Before Zero
The post "The Truth About Two Malware Families Related to Operation Aurora" connects Fake-AV malware to Operation Aurora. I see lots of Fake-AV events from infected websites and blackhat SEO Google redirects. Should I be worried now?

I don't want to spill all the best links at once, so I will write more later...

Thanks for stopping by and please come back again :-)

*** Disclaimer: I'm not affiliated with any of the companies linked in this blog.
I won't tell you what company I work for, unless you find out yourself. ***