SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, January 20, 2010

Is APT After You?

Posted on 7:02 PM by Unknown
Jeremiah Grossman made the following request via Twitter today:

@taosecurity blog post request. Signs that an individual or organization is or may be an APT target. + other threat naming conventions

Tough but great questions. I better answer, or Jeremiah will find me and apply Brazilian Jiu Jitsu until I do. Let me take the second question first.

As I mentioned in Real Threat Reporting in 2005, "Titan Rain" became the popular term for one "intrusion set" involving certain actors. DoD applies various codewords to intrusion sets, and Titan Rain became popular with the publication of the Time article I referenced. If you read the Time article again you'll see at least one other reference, but I won't cite that here.

Some of you may remember "Solar Sunrise" from 1998 and "Moonlight Maze" from 1998-1999. Open reporting links the former to Russia and the latter to an Israeli named Ehud Tenenbaum. These are other examples of "intrusion sets," but they are not related to the current threat.

As far as other names for APT, they exist but are not shared with the public. Just as you might maintain code names for various intrusion sets or campaigns within your CIRT, various agencies track the same using their own terms. This can cause some confusion when different CIRTs try to compare notes, since none of us speak of the private names unless in an appropriate facility. The Air Force invented "APT" as an unclassified term that could be used to quickly keep various parties on the same page when speaking with defense partners.

Regarding who may be an APT target, I liked Steven Adair's Shadownserver post. The way most organizations learn that they have a problem is by receiving an external notification. The FBI and certain military units have been fairly active in this respect for the previous three years. This marks quite a change in the relationship between the US government and private sector, and it's not limited to American companies. A little searching will reveal reports of other governments warning their companies of similar problems.

If your organization has not been contacted by an external agency, you might want to look at the potential objectives that I posted in What is APT and What Does It Want? Does your organization possess data that falls into one of the political, economic, technical, or military categories that could interest this sort of threat? Overall, my assessment of APT progress can be summarized this way:

  • Phase 1, late 1990s: mainly .mil

  • Phase 2, 2000-2004: .gov added to target list

  • Phase 3, 2005-2009: cleared defense contractors, research institutes, political and infrastructure added to target list (significant expansion)

  • Phase 4, 2010- ? : expansion only limited by resources?


Probably the next best way to determine if you are a target is to join whatever industry groups you can find and network with your peers. Develop relationships such that your peers feel comfortable sharing threat information with you. Do the same with government actors, especially the FBI. Many times these agencies are just sitting on data trying to figure out the right contacts.

I would beware of organizations that claim any product they sell will "stop APT" or "manage APT" or act as another silver bullet. We're already seeing some vendors jump on the counter-APT bandwagon with little clue what is happening. There's a couple consultancies with deep knowledge on this topic. I'm not going to name them here but if you review the Incident Detection Summit 2009 agenda you can find them.

The degree of counter-APT experience on the speaker list varies considerably, but you can try using that list to validate if Company X has any relationship whatsoever to this problem. That doesn't mean companies or organizations not listed as speakers are "clueless;" a lot of counter-APT activity is simply "good IT." However, you shouldn't expect a random consultant to be able to sit down and explain the specifics of this problem to your CIO or CEO. Incidentally this is NOT a commercial for my company; I run an internal CIRT that only protects our assets.
Email ThisBlogThis!Share to XShare to Facebook
Posted in apt, threats | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • SANS WhatWorks Summit in Forensics and Incident Response
    I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks gre...
  • A Book for the Korean Cyber Armies
    I've got a book for the Korean cyber armies, North and South. That's right, it's my first book , The Tao of Network Security Mo...
  • Sguil 0.7.0 on Ubuntu 9.10
    Today I installed a Sguil client on a fresh installation of Ubuntu 9.10. It was really easy with the exception of one issue I had to troubl...
  • Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs
    Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected So...
  • Understanding Responsible Disclosure of Threat Intelligence
    Imagine you're hiking in the woods one day. While stopping for a break you happen to find a mysterious package off to the side of the t...
  • Embedded Hardware and Software Pen Tester Positions in GE Smart Grid
    I was asked to help locate two candidates for positions in the GE Smart Grid initiative. We're looking for an Embedded Hardware Penetr...
  • BeyondTrust Report on Removing Administrator: Correct?
    Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis . The report offers several interesting ...
  • Human Language as the New Programming Language
    If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think ...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ▼  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ►  May (15)
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ▼  January (25)
      • Two Dimensional Thinking and APT
      • Example of Threat-Centric Security
      • Mandiant M-Trends on APT
      • Review of Professional Penetration Testing Posted
      • Energy Sector v China
      • Look Beyond the Exploit
      • Review of Network Maintenance and Troubleshooting ...
      • Submit Questions for OWASP Podcast
      • Sguil 0.7.0 on Ubuntu 9.10
      • Attribution Using 20 Characteristics
      • Help Bro Project with Short Survey
      • Attribution Is Not Just Malware Analysis
      • Is APT After You?
      • Review of Inside Cyber Warfare Posted
      • Bejtlich Teaching at Black Hat EU 2010
      • What Is APT and What Does It Want?
      • Why Google v China is Different
      • Security Team Permissions
      • Friday is Last Day to Register for Black Hat DC at...
      • Why Would APT Exploit Adobe?
      • Has China Crossed a Line?
      • Mechagodzilla v Godzilla
      • Google v China
      • Happy 7th Birthday TaoSecurity Blog
      • Excerpts from Randy George's "Dark Side of DLP"
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile