Friday, February 12, 2010

Advanced Persistent Threat Part II

These thoughts occurred to me this week while reading the numerous blog posts on APT and the Mandiant Report. Somehow my research made me think of the bane of Othello the Moor, "Iago". Very loosely translated from Latin, "Iago" might mean "I am nothing"; more commonly it is translated as "supplanter" or "heel grabber".

(1) I don't have a binary, a technical threat analysis, a disassembled stub, a class diagram or a detection method for APT.
(2) I don't know of any host-based security product that would block "illegitimate APT" traffic (outgoing, on ports 80 and 443) originating from a legitimate user-space request. How would developers even implement such a service? If you could trace every event back to an un-hijacked input device, you could block any event that is not desktop based. That would probably put updates, software installations and sandbox scripts in a pickle. So is this a problem in search of a network-based solution?
(3) I propose we solve the debate about how "APT style" threats can be distinguished from other threats by

  • (a) ranking the level of resources needed to complete them or
  • (b) the level of functional immunity granted their perpetrators

(4) I don't yet know how to prototype or replicate an APT in my lab. So how do I know it exists outside the conceptualization of others?
(5) Ten years ago last August I received this comment while working with an IDS developer: "This product will stop the script kiddies and most of the uber-hackers. Then there's the 'Men in Black'. I have no idea how we stop them."
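To make point (2) concrete, here is a toy host-based egress policy for ports 80 and 443 keyed on process provenance. It is an added example, not code from the original post or from any product; the event fields, the desktop-root set, the service allowlist and the sample events are all constructed assumptions standing in for what an EDR, ETW or auditd feed would supply.

```python
"""Toy host-based egress policy: allow web traffic only from processes that
trace back to a logged-in desktop, plus an allowlist for headless clients.

Added example, not from the original post. Every field, name and sample
event below is an assumption; real telemetry would come from an EDR feed.
"""
from dataclasses import dataclass
from typing import Dict, List

WEB_PORTS = {80, 443}

# Stand-ins for "an un-hijacked input device": shells a logged-in user drives.
# Anything whose process ancestry reaches one of these counts as desktop based.
DESKTOP_ROOTS = {"explorer.exe", "gnome-shell"}

# Headless processes expected to speak HTTP(S): the updates and installers a
# naive "desktop only" rule would put in a pickle. Hypothetical names.
SERVICE_ALLOWLIST = frozenset({"wuauclt.exe", "apt-get"})


@dataclass
class ConnEvent:
    image: str                 # executable that opened the socket
    dst_port: int
    ancestry: List[str]        # parent images, nearest first, up to the session root
    interactive_session: bool  # True if bound to a logged-in desktop session


def classify(ev: ConnEvent, allowlist=SERVICE_ALLOWLIST) -> str:
    """Return 'ignore', 'allow' or 'block' for one outbound connection."""
    if ev.dst_port not in WEB_PORTS:
        return "ignore"                      # policy only covers web egress
    if ev.interactive_session and DESKTOP_ROOTS.intersection(ev.ancestry):
        # Traceable to the desktop, so allowed. This is also the blind spot:
        # a dropper the user double-clicked has exactly this provenance.
        return "allow"
    if ev.image in allowlist:
        return "allow"                       # known headless client
    return "block"                           # headless and unknown


def evaluate(events: List[ConnEvent]) -> Dict[str, str]:
    """Map each image to its verdict; a dry run of the policy over a feed."""
    return {ev.image: classify(ev) for ev in events}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ConnEvent("chrome.exe", 443, ["explorer.exe"], True),
    ConnEvent("wuauclt.exe", 443, ["services.exe"], False),
    ConnEvent("msiexec.exe", 80, ["services.exe"], False),
    ConnEvent("updater.exe", 443, ["services.exe"], False),
    ConnEvent("dropper.exe", 443, ["winword.exe", "explorer.exe"], True),
    ConnEvent("sshd", 22, ["init"], False),
]

if __name__ == "__main__":
    for image, verdict in evaluate(SAMPLE_EVENTS).items():
        print(f"{image:<12} {verdict}")
```

Running it shows both halves of the dilemma in the post: the headless installer (msiexec.exe) is blocked unless someone maintains an allowlist, while the dropper spawned from a user-opened document is allowed because its provenance is exactly the desktop the rule trusts. That gap is why the question ends up pointing at the network.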

- "Iago"
