Friday, April 9, 2010

Are all these APT?

Would you agree that all of the following are connected to the APT? What else is missing?
  • Operation Aurora
  • Mariposa Botnet
  • GhostNet
  • Shadow network
Here are some interesting posts, articles and papers supporting this:

More than 100 companies targeted by Google hackers
The attack was larger than initially thought

"ISec Partners has published technical recommendations for companies to follow in order to mitigate the Aurora risk."

Security industry faces attacks it cannot stop
Analysis: Today's security products not much help for advanced persistent threat attacks

Update: Researchers track cyber-espionage ring to China
'Shadow' network detailed in report Tuesday by the Information Warfare Monitor
>>> http://shadows-in-the-cloud.net/ <<<

Targeted cyberattacks test enterprise security controls
Instead of prevention, the real focus should be attack mitigation

After Google-China dust-up, cyberwar emerges as a threat
The episode highlighted cyberthreats facing the U.S., but it's not a war -- yet

Update 24/04/2010:

Thanks Richard for the correction in your comment. I think I was misled by the mention of the Mariposa Botnet and APT in the same paragraph on several posts. But on re-reading it, it does not make a connection between the two (except maybe that the usual security devices failed on both).

http://www.cio.com/article/574563/Security_Industry_Faces_Attacks_it_Cannot_Stop

http://www.blackhatsolutions.com/companynews/update_security_industry_faces_attacks_it_cannot_stop/

"The big news at the show had to do with the takedown of the Mariposa botnet -- a massive network of hacked computers that has infected half of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.

Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe."


Mandiant's "Indicator of Compromise" (IOC)

There's another interesting approach from Mandiant:

Combat the APT by Sharing Indicators of Compromise (IOC)

"At DoD CyberCrime 2010 MANDIANT will formally release this format and tools to leverage it in your investigations today. We’ll have full coverage of the release on M-unition – stay tuned."

There's also a Google Group about IOC. But are there any tools available yet, or any IOCs?

I'll update when I find out.
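As an added example (not code from this post, from Mandiant, or from the IOC tooling it mentions), here is a small Python evaluator that shows what "sharing indicators of compromise" amounts to in practice: a definition with nested AND/OR logic is parsed once and then checked against artifacts collected from a host. The XML layout and element names are an assumption in the loose style of such formats, not the actual OpenIOC schema, and the hash, service name and host name values are constructed for the demonstration.

```python
"""Minimal evaluator for a shared indicator-of-compromise (IOC) definition.

Added example, not Mandiant's tooling or the OpenIOC schema. The XML layout
(ioc / definition / Indicator operator / IndicatorItem with a Context search
path and a Content value) is an assumption; all sample values are constructed.
"""
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed IOC: match if EITHER a file with this hash exists,
# OR (a service name contains "updsvc" AND a DNS lookup for *.example.invalid was seen).
SAMPLE_IOC = """<ioc id="example-0001">
  <short_description>Constructed example IOC (hypothetical format)</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context search="FileItem/Md5sum"/>
        <Content type="md5">00112233445566778899aabbccddeeff</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context search="ServiceItem/name"/>
          <Content type="string">updsvc</Content>
        </IndicatorItem>
        <IndicatorItem condition="matches">
          <Context search="DnsEntryItem/Host"/>
          <Content type="string">*.example.invalid</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host artifacts, keyed by the same search paths the IOC uses.
HOST_CLEAN = {
    "FileItem/Md5sum": ["0cc175b9c0f1b6a831c399e269772661"],
    "ServiceItem/name": ["wuauserv", "Spooler"],
    "DnsEntryItem/Host": ["www.example.com"],
}
HOST_SUSPECT = {
    "FileItem/Md5sum": ["0cc175b9c0f1b6a831c399e269772661"],
    "ServiceItem/name": ["wuauserv", "WinUpdSvc"],      # contains "updsvc" (case-insensitive)
    "DnsEntryItem/Host": ["c2.example.invalid"],        # matches the glob
}
HOST_HASH_ONLY = {
    "FileItem/Md5sum": ["00112233445566778899aabbccddeeff"],  # the single-item branch
}


def _value_matches(condition, expected, observed):
    """Apply one IOC condition to a single observed artifact value."""
    if condition == "is":
        return observed.lower() == expected.lower()
    if condition == "contains":
        return expected.lower() in observed.lower()
    if condition == "matches":  # shell-style glob, e.g. *.example.invalid
        return fnmatch(observed.lower(), expected.lower())
    raise ValueError(f"unsupported condition: {condition}")


def _eval_item(item, host, hits):
    """Check one IndicatorItem against every observed value for its search path."""
    search = item.find("Context").get("search")
    expected = item.find("Content").text.strip()
    condition = item.get("condition", "is")
    matched = False
    for observed in host.get(search, []):
        if _value_matches(condition, expected, observed):
            hits.append(f"{search}={observed}")  # record evidence for the analyst
            matched = True
    return matched


def _eval_node(node, host, hits):
    """Recursively evaluate an Indicator (AND/OR) or a leaf IndicatorItem."""
    if node.tag == "IndicatorItem":
        return _eval_item(node, host, hits)
    if node.tag == "Indicator":
        op = node.get("operator", "OR").upper()
        # Evaluate every child (no short-circuit) so all supporting hits are recorded.
        results = [_eval_node(child, host, hits) for child in node]
        if not results:  # an empty indicator never matches
            return False
        return all(results) if op == "AND" else any(results)
    raise ValueError(f"unexpected element: {node.tag}")


def evaluate_ioc(ioc_xml, host):
    """Return (ioc_id, matched, hits) for one IOC definition against one host's artifacts."""
    root = ET.fromstring(ioc_xml)
    hits = []
    results = [_eval_node(child, host, hits) for child in root.find("definition")]
    return root.get("id"), any(results), hits


if __name__ == "__main__":
    for name, host in [("clean", HOST_CLEAN), ("suspect", HOST_SUSPECT), ("hash-only", HOST_HASH_ONLY)]:
        ioc_id, matched, hits = evaluate_ioc(SAMPLE_IOC, host)
        print(f"{name:9} {ioc_id} matched={matched} hits={hits}")
```

The point of keeping the logic in the shared definition rather than in the script is that the same file can be handed to another team and re-run unchanged against their hosts; the evaluator deliberately records every matching artifact rather than stopping at the first, because the hits are what an analyst needs to confirm or dismiss the alert.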