Disclosure In The APT Age

Yet another widespread advanced persistent threat-type campaign has hit the federal government -- this one aimed at civilian agencies
The attackers used sophisticated malware and an SSL-encrypted connection for siphoning information from the civilian agencies and sending it back to their home servers. "I think they knew the networks better than the agencies do," the source said. "It was a heavily funded group or a nation-state," possibly China, the source said.

While most cyberespionage campaigns are persistent, not all are necessarily advanced like this one. According to one forensics expert, if it's advanced, you're less likely to catch it. "Most APT guys want to be in and out and not want you to know they've been there," he says.

David Amsler, president and CIO of Foreground Security, says his firm sees plenty of attacks that are persistent but not advanced. "They continuously knock down doors, and if they do get in, they create five different backdoors to make sure they are consistently there," Amsler says.

Says one forensics investigator, who requested anonymity: "We've seen organizations owned 50 layers deep by APTs. In one case, they had to throw it all away and start over."

For forensics investigators, the tricky part is to gather intelligence on what the attackers are doing without letting the attackers know they have been spotted. That means allowing the intrusion to continue long enough to analyze what kinds of data the attackers are going after and siphoning out of the victim organization.

"The key thing for organizations is not to overreact and unplug or turn off the devices because that lets the adversary know you're there," Foreground's Amsler says. It can also corrupt any evidence that hasn't already been gathered, he says.

"You leave it online as long as you can to gather as much relevant information as possible. In incident response today, you don't just take the computer and do forensic analysis: You need full packet capture analysis. And not just on one system," he says.

What concerns him most, he adds, are "[those] attackers [who] are more persistent and continuous."
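The point about full packet capture across more than one system, as an added worked example rather than anything from the article or from Foreground Security: a small pcap reader that aggregates outbound payload bytes from internal hosts to external port-443 endpoints and then lists the destinations that several internal systems are all talking to. It assumes the classic libpcap file format with Ethernet/IPv4/TCP frames and no IP options, treats 10.0.0.0/8 as the internal range, uses TCP port 443 as a stand-in for the SSL-encrypted channel the article describes, and builds its own sample capture in memory (constructed data, not a real incident).

```python
import struct
import ipaddress
from collections import defaultdict

LINKTYPE_ETHERNET = 1
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def build_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame (no IP options, checksums zeroed) for the sample capture."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file image: 24-byte global header plus a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_records(pcap_bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record in a little-endian libpcap image."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (example handles little-endian classic pcap only)")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, offset)
        offset += 16
        yield ts_sec, pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def parse_tcp_frame(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, payload_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    if frame[23] != 6:  # protocol field: 6 = TCP
        return None
    src = ipaddress.ip_address(frame[26:30])
    dst = ipaddress.ip_address(frame[30:34])
    tcp_off = 14 + ihl
    src_port, dst_port = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload_len = total_len - ihl - data_off
    return src, dst, src_port, dst_port, payload_len


def summarize_outbound(pcap_bytes, internal=INTERNAL_NET, port=443):
    """Map each external destination to {internal_host: outbound payload bytes} on the given port."""
    out = defaultdict(lambda: defaultdict(int))
    for _ts, frame in iter_records(pcap_bytes):
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src, dst, _sp, dp, plen = parsed
        if src in internal and dst not in internal and dp == port:
            out[str(dst)][str(src)] += plen
    return {dst: dict(hosts) for dst, hosts in out.items()}


def shared_destinations(summary, min_hosts=2):
    """Destinations reached by at least min_hosts internal systems: dst -> (host count, total bytes out)."""
    return {dst: (len(hosts), sum(hosts.values()))
            for dst, hosts in summary.items() if len(hosts) >= min_hosts}


# Constructed sample: three internal hosts; two of them push data to the same external 443 endpoint.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "203.0.113.10", 50123, 443, b"\x17\x03\x03" + b"A" * 1200),
    build_packet("10.0.0.5", "203.0.113.10", 50123, 443, b"\x17\x03\x03" + b"A" * 1200),
    build_packet("10.0.0.9", "203.0.113.10", 50211, 443, b"\x17\x03\x03" + b"B" * 800),
    build_packet("10.0.0.7", "198.51.100.20", 50300, 443, b"\x17\x03\x03" + b"C" * 300),
    build_packet("10.0.0.7", "198.51.100.20", 50300, 80, b"GET / HTTP/1.1\r\n"),
])

if __name__ == "__main__":
    summary = summarize_outbound(SAMPLE_PCAP)
    for dst, (hosts, total) in sorted(shared_destinations(summary).items(), key=lambda kv: -kv[1][1]):
        print(f"{dst}: contacted by {hosts} internal hosts, {total} bytes out over 443")
```

The per-host map is what you cannot get from imaging one box: a destination that two or three unrelated internal systems are all pushing data to over an encrypted port is the kind of cross-system signal the article's investigators are after, and it can be watched passively without touching the compromised hosts.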
