I agree with the first portion re: marketing. The rest is kinda blah.
Actually, I thought it was dead on... The part about having to ditch the testing cycle and patch immediately is no bullshit. When I was at XCon in Beijing, almost the entire speakers' track was about fuzzing and diffing binaries. APT is extremely good at going from patch to exploit, very, very fast. I've commented here fairly often about how APT will work around whatever security solutions you deploy. I've seen it. They've clearly got a playbook of sorts when it comes to adapting beacon and C&C techniques based on the different kinds of IDS/IPS/egress control deployed. They deploy several different stub malware variants within the enterprises they infect. They are extremely agile. They take a lot of effort to be like ghosts. If they think you've detected the stub variant they are using as their primary method of doing things, they usually take action to make it nuke itself... Then something using a completely different control/beacon method will come online sometime over the course of the next week or so. And if you are successful in blocking all their short-term beaconing malware, they just come back in the front door again, which tends to be quite easy because they've already got examples of signatures, writing styles, and documents being passed back and forth to use in a spearphishing attack. There is reason for some of the hyperbole coming out of people actually dealing with APT...

RE: VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?