July 13th, 2010
My article Understanding the Advanced Persistent Threat provides an overview of APT. It’s the cover story in the July 2010 Information Security Magazine. From the article: The term advanced persistent threat, or APT, joined the common vocabulary of the information security profession in mid-January, when Google announced its intellectual property had been the victim of a targeted attack originating from China. Google wasn’t alone;...
July 7th, 2010
Today the Ponemon Institute announced results of a survey they conducted titled Growing Risk of Advanced Threats: Study of IT Practitioners in the United States. Unfortunately, this survey looks like it is mainly the blind asking the blind to describe a threat neither really understands. For example, the survey states: While the definition of what constitutes an advanced threat still varies within the industry, for purposes of this research...
July 6th, 2010
Does anyone remember this story from April 2009? Computer Spies Breach Fighter-Jet Project Computer spies have broken into the Pentagon’s $300 billion Joint Strike Fighter project — the Defense Department’s costliest weapons program ever — according to current and former government officials familiar with the attacks… In the case of the fighter-jet program, the intruders were able to copy and siphon off several... 
June 22nd, 2010
Please stop what you’re doing and read Mike Cloppert’s latest post Security Intelligence: Defining APT Campaigns. Besides very clearly and concisely explaining how to think about APT activity, Mike includes some original Tufte-esque figures to demonstrate APT attribution and moving up the kill chain. Copyright 2003-2010 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
April 16th, 2010
A few people sent me a link to Dan Geer’s article Advanced Persistent Threat. Dan is one of my Three Wise Men, along with Ross Anderson and Gene Spafford. I’ll reproduce a few excerpts and respond. Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute. That describes APT’s...
April 16th, 2010
My friend Rocky DeStefano from Visible Risk posted the video (streaming) and audio (.mp3, 124 MB) of a discussion he hosted on advanced persistent threat. Mike Cloppert, Rob Lee, Shawn Carpenter, and I discussed APT for about an hour on video and about an hour and a half on audio. Let Rocky know what you think as a comment here or via Twitter to @visiblerisk. One comment — slightly before the 24:00 mark, Rob made a remark about “what...
February 23rd, 2010
Intel is the latest U.S. corporation to acknowledge that it was hacked in January in a sophisticated attack that occurred at the same time that Google, Adobe and others were targeted. The giant California-based chipmaker was rumored to have been among some 34 companies that were targeted, but said on Tuesday there was no evidence to tie its hack to the attack on Google and others. “We did not see the kind of broad-based attack as described... 
February 6th, 2010
Some of you may remember me mentioning the 2008 SANS WhatWorks in Incident Response and Forensic Solutions Summit organized by Rob Lee. I provided the keynote and really enjoyed listening to the presentations, which Rob has graciously made available at http://files.sans.org/summit/forensics08/. One of the presentations, by Mandiant consultant Wendi Rafferty and then-Mandiant consultant (now GE-CIRT incident handler) Ken Bradley, was titled...
February 5th, 2010
There’s finally some good reporting on advanced persistent threat appearing in various news sources. A new Christian Science Monitor story, one by Federal Computer Week, and one by Wired are making progress in raising awareness. Unfortunately, there’s plenty of Tweeting and blogging by people who refuse to understand what is happening or are not capable of understanding what is happening. From now on, rather than repeat myself trying…
February 4th, 2010
In December 2007 I wrote Predictions for 2008. They included 2) Expect greater military involvement in defending private sector networks; 3) Expect increased awareness of external threats and less emphasis on insider threats; and 4) Expect greater attention paid to incident response and network forensics, and less on prevention. All three of those predictions are being fulfilled by the Google v China incident as demonstrated by this Washington...
January 30th, 2010
I expect many readers will recognize the image at left as representing part of the final space battle in Star Trek II: The Wrath of Khan. During this battle, Kirk and Spock realize Khan’s tactics are limited. Khan is treating the battle like it is occurring on the open seas, not in space. Spock says: He is intelligent, but not experienced. His pattern indicates two-dimensional thinking. I thought this quote could describe many of the advanced...
January 30th, 2010
In my last post I mentioned the need to take threat-centric approaches to advanced persistent threat. No sooner than I had posted those thoughts do I read this: Beijing ‘strongly indignant’ about U.S.-Taiwan arms sale The Obama administration announced the sale Friday of $6 billion worth of Patriot anti-missile systems, helicopters, mine-sweeping ships and communications equipment to Taiwan in a long-expected move that…
January 30th, 2010
If you want to read a concise yet informative and clue-backed report on advanced persistent threat, I recommend completing this form to receive the first Mandiant M-Trends report. Mandiant occupies a unique position with respect to this problem because they are one of only two security service companies with substantial counter-APT consulting experience. You may read blog posts and commentary from other security service providers who either...
January 26th, 2010
The aftershocks of Google v China continue to rumble as more companies are linked to the advanced persistent threat. Mark Clayton from the Christian Science Monitor wrote a story titled US oil industry hit by cyberattacks: Was China involved? I found these excerpts interesting. At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a...
January 25th, 2010
The post One Exploit Should Not Ruin Your Day by Dino Dai Zovi made me think: Finally, the larger problem is that it only took one exploit to compromise these organizations. One exploit should never ruin you day. [sic] No, that is wrong. The larger problem is not that it “only took one exploit to compromise these organizations.” I see this mindset in many shops who aren’t defending enterprises on a daily basis. This point of... 