This page contains all of the posts and discussion on MemeStreams referencing the following web page: VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?

VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?
by Security Reads at 5:08 pm EST, Mar 10, 2010

Tuesday, March 9, 2010
APT: Should your panties be in a bunch, and how do you un-bunch them?
There is no more predictable group of people than marketers. Once a term reaches a certain tipping point, they grab onto it for dear life and choke it until it means nothing. Apparently, the Advanced Persistent Threat (APT) hit that point somewhere around December. Despite the term being used by the defense industrial base for years, it wasn’t until this year that firms really started pounding the “Come to us my children, only we can save you from death by APT” drum.

I agree with the first portion re: marketing. The rest is kinda, blah.


 
RE: VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?
by Rattle at 7:09 pm EST, Mar 10, 2010

I agree with the first portion re: marketing. The rest is kinda, blah.

Actually, I thought it was dead on...

The part about having to ditch the testing cycle and patch immediately is no bullshit. When I was at XCon in Beijing, almost the entire speakers track was about fuzzing and diffing binaries. APT is extremely good at going from patch to exploit, very, very fast.

I've commented here fairly often about how APT will work around whatever security solutions you deploy. I've seen it. They've clearly got a playbook of sorts when it comes to adapting beacon and C&C techniques based on different kinds of IDS/IPS/egress-control deployed.

They deploy several different stub malware variants within the enterprises they infect. They are extremely agile. They take a lot of effort to be like ghosts. If they think you've detected the stub variant they are using as their primary method of doing things, they usually take action to make it nuke itself... Then something using a completely different control/beacon method will come online sometime over the course of the next week or so.

And if you are successful in blocking all their short-term beaconing malware, they just come back in the front door again, which tends to be quite easy because they've already got examples of signatures, writing styles, and documents being passed back and forth to use in a spearphishing attack.

There is reason for some of the hyperbole coming out of people actually dealing with APT...

