Mandiant released its second M-Trends report ("when prevention fails"), also mentioned onBusinesswire. There were also some new, interesting "State of the Hack" and "Fresh Prints of Malware" presentations.
And most recently, there was lots of news about the "Operation Shady RAT". Read Ira Winkler's article about it and make your own opinion. I'd like to cite one paragraph of it:
"This is the root of the problem with how security vendors are dealing with the chronic issue of APT. They treat their customers' misery as their own intellectual property. Companies that investigate APT-related attacks rarely share their findings. They don't exchange information about the most recent malware obfuscation techniques, the best methods to identify compromised systems, the newest malware signatures, etc. Instead, they keep most of the information to themselves and treat it as a competitive advantage. What sharing there is falls far short of what would be required to encourage a robust response capability."
So what are Indicators of Compromise (IOCs) good for? Well, if they only get used by one security company, they can't reach the full potential. Or are IOCs widely used and shared and I just don't know about it? Please let me know.
And then there's yet another interesting paper linked in there, which I've previously found, but haven't fully read yet.
Thanks Richard for the correction in your comment. I think I was mislead by the mention of Mariposa Botnet and APT in the same paragraph on several posts. But when re-reading it again, it does not make a connection between the two (except maybe that the usual security devices failed on both).
"The big news at the show had to do with the takedown of the Mariposa botnet -- a massive network of hacked computers that has infectedhalf of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.
Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe."
"At DoD CyberCrime 2010 MANDIANT will formally release this format and tools to leverage it in your investigations today. We’ll have full coverage of the release on M-unition – stay tuned."
There's also a Google Group about IOC. But are there any tools available yet, or any IOC's?
If you have experiences with these products or know other solutions along this line, please contact me.
In this blog I would like to explore how to identify APT infections with freely available tools (like the one's from Mandiant and others) and maybe custom scripts.
This is yet another blog about APT (if you don't know what this stands for, you're in the wrong place or need to read on).
It's dedicated to share interesting (in my opinion) links to APT resources, and some of the most interesting facts of each link (only when I have spare time).
The blog title should be a word game from "capture the APT". The main topic will be how to be able to identify (and maybe remediate) APT infected systems.
If you have suggestions for additional resources or if you find incorrect facts on here, please email me (toms.security.stuff@gmail.tld -- you should know the TLD of gmail, starts with a 'C' and ends with 'OM').
I don't want to spill all the best links at once, so I will write more later...
Thanks for stopping by and please come back again :-)
*** Disclaimer: I'm not affiliated with any of the companies linked in this blog.
I won't tell you what company I work for, unless you find out yourself. ***
