Showing posts from June, 2012

APT and Incident Response

State-sponsored cyber espionage attacks are both the least understood and the most difficult issues to deal with within an enterprise. We've dealt with several situations where internal IT or even externally contracted security companies failed to mitigate an APT compromise. Fighting an APT actor is an ongoing intelligence game. Simply playing whack-a-mole by removing compromised systems from a network treats the symptoms of the problem but not the root cause: persistence.
Phases of state sponsored intrusions:

Stage 0 - Initial attacks - email attachments or links - PDF/MS Office, disguised executables (password protected archives, right to left shift etc), SQLI, web apps, seeded websites/ads

Stage 1 - Basic implants - initial recon and assessment

Stage 2 - Better implants - exfiltration, multiple backdoors, remote shell, RDP, domain controllers/password hashes exfiltrated

Stage 3 - Network persistence - legitimate access as admin, passive backdoors usually not resolving…