Argus detecting historical APT1 activity

Carter Bullard carter at qosient.com
Tue Mar 19 11:18:48 EDT 2013


Gentle people,
Mandiant published a paper, "APT1: Exposing One of China's Cyber Espionage Units",
and if you haven't seen it, grab it from their home page http://mandiant.com.
This paper describes a single group's behavior, and presents a good deal of methodology,
so it's a good read for most cyber security people.

Based on the "APT1: Attack Lifecycle" method descriptions, it's clear that Argus data
can support detection of most of the network methodology described in the report,
especially if a site has been inserted into the APT1 infrastructure.  98.2% of
direct access to "hop point" machines, nodes that APT1 uses as stepping
stones, are / were from a small set of Chinese registered IP addresses, using a small
number of applications, notably Remote Desktop, HTRAN, FTP, etc.

Now that the report is out, we should all expect APT1 to change its methods.
But Argus is the single technology that can support detection of this type of
intrusion, historically, so we should be able to tell you if you've been attacked,
and what nodes, and APT1 infrastructure, were involved.

Argus has always captured the data needed to detect APT1 network activity,
as described in the document.  If you are maintaining a good argus archive, you
should be able to detect if your infrastructure has been affected by APT1, either as a
"hop point", which is the easiest to detect, or if you have interacted with known
APT1 infrastructure.

I am going to put up a full description of how Argus can detect APT1, historically,
which is really much more important than detecting if you will be affected in the future.
I had thought about breaking it down by "hop point" detection, which is the biggest
problem, due to the increased corporate data loss liability issues, and then describe
"attack lifecycle" detection, for the targeted attacks, focusing on APT1
infrastructure associations, such as DNS lookups of APT1 FQDNs, Command
and Control channel activity, backdoor activity, and data exfiltration detection.

If you want to be involved, please give a holler. Read the document, and let's talk
about what you think is the most important part of the "Attack Lifecycle", and
how Argus data can be used to detect it.

Looking forward to the discussion,

Carter
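The two historical checks the post describes (direct "hop point" access over Remote Desktop or FTP from a small set of source addresses, and any contact with known APT1 infrastructure) can be run over an existing Argus archive with a short post-processing script. The following is an added example, not Argus project code and not anything from the post or the Mandiant report. It assumes flow records were exported from the archive with an `ra` invocation along the lines of `ra -r archive.arg -n -c , -s stime,saddr,sport,daddr,dport,proto,sbytes,dbytes` (the field order is an assumption), the sample records are constructed, and every address in the watch-lists is an RFC 5737 documentation placeholder rather than a real indicator. It also goes one step beyond the post with a simple relay heuristic for HTRAN-style hop-point use, since a relay cannot be identified by a destination port alone.

```python
"""Added example: flag historical APT1-style activity in Argus flow records.

Not Argus project code. Assumes ra CSV output in the field order FIELDS below.
Watch-list addresses are RFC 5737 placeholders, not real indicators; populate
them from the report's own appendices before use.
"""
import csv
import ipaddress
from datetime import datetime, timedelta
from io import StringIO

FIELDS = ["stime", "saddr", "sport", "daddr", "dport", "proto", "sbytes", "dbytes"]

# Constructed sample of ra CSV output (assumed field order; not real traffic).
SAMPLE_RA_CSV = """\
2013-02-01 03:12:44.123,203.0.113.7,51234,10.0.0.15,3389,tcp,81234,2201934
2013-02-01 03:15:10.500,10.0.0.15,49211,198.51.100.9,443,tcp,9100,1200
2013-02-01 08:40:01.000,10.0.0.22,52000,192.0.2.80,80,tcp,500,20000
2013-02-01 09:01:13.000,203.0.113.7,51300,10.0.0.15,21,tcp,3400,900
2013-02-01 09:02:00.000,10.0.0.15,40000,192.0.2.150,443,tcp,120000,4000
"""

# Placeholder watch-lists (documentation ranges; replace with real indicators).
HOP_POINT_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]   # hypothetical
APT1_INFRASTRUCTURE = {ipaddress.ip_address("192.0.2.150")}    # hypothetical
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]              # your address space
HOP_POINT_PORTS = {3389: "rdp", 21: "ftp"}   # applications named in the post


def parse_records(text):
    """Parse ra CSV output into dicts with typed addresses, ports and times."""
    rows = []
    for r in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        rows.append({
            "stime": datetime.strptime(r["stime"], "%Y-%m-%d %H:%M:%S.%f"),
            "saddr": ipaddress.ip_address(r["saddr"]),
            "sport": int(r["sport"]),
            "daddr": ipaddress.ip_address(r["daddr"]),
            "dport": int(r["dport"]),
            "proto": r["proto"],
            "sbytes": int(r["sbytes"]),
            "dbytes": int(r["dbytes"]),
        })
    return rows


def in_nets(addr, nets):
    return any(addr in n for n in nets)


def find_hop_point_access(records):
    """Inbound RDP/FTP sessions from watch-listed sources into local hosts."""
    hits = []
    for r in records:
        if (in_nets(r["saddr"], HOP_POINT_SOURCES) and in_nets(r["daddr"], LOCAL_NETS)
                and r["dport"] in HOP_POINT_PORTS):
            hits.append((r["stime"], str(r["saddr"]), str(r["daddr"]),
                         HOP_POINT_PORTS[r["dport"]]))
    return hits


def find_infrastructure_contact(records):
    """Any local host talking to a known infrastructure address, either direction."""
    hits = []
    for r in records:
        for local, remote in ((r["saddr"], r["daddr"]), (r["daddr"], r["saddr"])):
            if in_nets(local, LOCAL_NETS) and remote in APT1_INFRASTRUCTURE:
                hits.append((r["stime"], str(local), str(remote), r["dport"]))
    return hits


def find_relay_candidates(records, window=timedelta(minutes=5)):
    """Relay heuristic: a local host receives a watch-listed inbound session and,
    within `window`, opens an outbound session to a non-local host. Returns
    sorted unique (local host, upstream source, downstream destination)."""
    inbound = [r for r in records
               if in_nets(r["saddr"], HOP_POINT_SOURCES) and in_nets(r["daddr"], LOCAL_NETS)]
    out = set()
    for i in inbound:
        for r in records:
            if (r["saddr"] == i["daddr"] and not in_nets(r["daddr"], LOCAL_NETS)
                    and timedelta(0) <= r["stime"] - i["stime"] <= window):
                out.add((str(i["daddr"]), str(i["saddr"]), str(r["daddr"])))
    return sorted(out)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RA_CSV)
    for h in find_hop_point_access(recs):
        print("hop-point access:", h)
    for h in find_infrastructure_contact(recs):
        print("infrastructure contact:", h)
    for h in find_relay_candidates(recs):
        print("relay candidate:", h)
```

On the constructed sample this reports two hop-point sessions into 10.0.0.15 (RDP, then FTP), one contact with the placeholder infrastructure address, and two relay candidates where 10.0.0.15 opened outbound sessions within five minutes of the inbound ones. The relay window is a tuning knob; on a real archive, start with the inbound watch-list matches, which the post singles out as the easiest signal, and only then widen to the relay heuristic.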
