The Advanced Persistent Threat (APT) is an advanced persistent reality! It's all over the news. Everyone seems to be either talking about it or affected by it. MANDIANT defines the APT as a group of sophisticated, persistent, and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China.
MANDIANT has over seven years' experience conducting Advanced Persistent Threat (APT) intrusion investigations for the U.S. government, the defense industrial base and commercial organizations. During that time, we've learned many things, and we want to share our lessons learned with the security community. A team of our APT experts has been working diligently on a report that we call "M-Trends." M-Trends focuses on what the APT attackers do and how they do it.
Some highlights from "M-Trends" include:
- The APT isn't just a government problem; it isn't just a defense contractor problem; and it isn't just a military problem. The APT is everyone's problem.
- No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It's not spy-versus-spy espionage. It's spy-versus-everyone.
- Classic "prevent and detect" techniques do not effectively counter the APT. The attackers can easily defeat normal defenses. They successfully evade anti-virus software, network intrusion detection and under-equipped incident responders. They use sophisticated techniques to conceal their presence: hiding malware on the target's own hosts and exfiltrating data within the target's own network traffic. A staggering 100% of APT malware identified by MANDIANT made ONLY outbound connections from victim networks, 83% of which used TCP port 80 or 443.
- The APT's goals are twofold:
  - to steal information to achieve economic, political and strategic advantage.
  - to establish and maintain an occupying force in their target's environment, a force they can call on at any time. When the APT wants additional data from a target, they don't need to re-establish a presence. They simply call on their existing assets, locate, steal and exfiltrate the data they need.
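The outbound-only statistic above is why egress monitoring matters: by port alone, beacon traffic on 80 or 443 is indistinguishable from ordinary web browsing, so a useful check has to look at behaviour over time. As an added example (not code from the report or from MANDIANT), the Python below runs two checks over constructed flow records: the share of outbound connections that use 80/443, and hosts that contact the same external address at a near-constant interval; the record format and thresholds are assumptions.

```python
"""Egress-only beacon check over constructed connection records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, direction, src_host, dst_ip, dst_port).
# Assumption: an egress log that records both directions of connections.
FLOWS = [
    (0,    "out", "ws01",  "203.0.113.10", 443),
    (600,  "out", "ws01",  "203.0.113.10", 443),
    (1200, "out", "ws01",  "203.0.113.10", 443),
    (1800, "out", "ws01",  "203.0.113.10", 443),
    (2400, "out", "ws01",  "203.0.113.10", 443),
    (30,   "out", "ws02",  "198.51.100.5", 443),
    (900,  "out", "ws02",  "198.51.100.7", 80),
    (1300, "out", "ws02",  "198.51.100.5", 443),
    (2900, "out", "ws02",  "198.51.100.9", 25),
    (100,  "in",  "srv01", "192.0.2.99",   22),
]


def port_share(flows, ports=(80, 443)):
    """Fraction of outbound connections on the given ports (the report's 83% figure)."""
    out = [f for f in flows if f[1] == "out"]
    if not out:
        return 0.0
    return sum(1 for f in out if f[4] in ports) / len(out)


def beacon_candidates(flows, min_events=4, max_jitter=0.1):
    """Return (host, dst, port) tuples whose outbound connections recur at a
    near-constant interval: low jitter relative to the mean gap."""
    by_pair = defaultdict(list)
    for ts, direction, src, dst, port in flows:
        if direction == "out":
            by_pair[(src, dst, port)].append(ts)
    found = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append(key)
    return found


if __name__ == "__main__":
    print(f"share of outbound on 80/443: {port_share(FLOWS):.2f}")
    print("beacon candidates:", beacon_candidates(FLOWS))
```

Only the regularly recurring ws01 connection is flagged; ws02's scattered web traffic, also on 80/443, is not, which is the point of checking cadence rather than port.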
We will introduce "M-Trends" at a launch party during the 2010 DoD Cyber Crime conference in St. Louis, MO. The report authors will be there to answer your questions and share their knowledge. If you'll be in St. Louis, stop by and see us on Wednesday, January 27 from 6 to 9 in the Crystal Ballroom at the Renaissance Grand.