Argus detecting historical APT1 activity

Dave Edelman dedelman at iname.com
Tue Mar 19 21:37:49 EDT 2013


I am very interested but I have to admit that I hate the term APT.

--Dave

> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
> On Behalf Of Carter Bullard
> Sent: Tuesday, March 19, 2013 11:19 AM
> To: Argus
> Subject: [ARGUS] Argus detecting historical APT1 activity
> 
> Gentle people,
> Mandiant published a paper, "APT1: Exposing One of China's Cyber
> Espionage Units", and if you haven't seen it, grab it from their home page
> http://mandiant.com.
> This paper describes a single group's behavior, and presents a good deal of
> methodology, so it's a good read for most cyber security people.
> 
> Based on the "APT1: Attack Lifecycle" method descriptions, it's clear that
> Argus data can support detection of most of the network methodology
> described in the report, especially if a site has been inserted into the
> APT1 infrastructure. 98.2% of direct access to "hop point" machines, nodes
> that APT1 uses as stepping stones, are / were from a small set of Chinese
> registered IP addresses, using a small number of applications, notably
> Remote Desktop, HTRAN, FTP etc...
> 
> Now that the report is out, we should all expect APT1 to change its
> methods. But Argus is the single technology that can support detection of
> this type of intrusion, historically, so we should be able to tell you if
> you've been attacked, and what nodes, and APT1 infrastructure, were
> involved.
> 
> Argus has always captured the data needed to detect APT1 network activity,
> as described in the document.  If you are maintaining a good argus archive,
> you should be able to detect if your infrastructure has been affected by
> APT1, either as a "hop point", which is the easiest to detect, or if you
> have interacted with known APT1 infrastructure.
> 
> I am going to put up a full description of how Argus can detect APT1,
> historically, which is really much more important than detecting if you
> will be affected in the future.
> I had thought about breaking it down by "hop point" detection, which is the
> biggest problem, due to the increased corporate data loss liability issues,
> and then describe "attack lifecycle" detection, for the targeted attacks,
> focusing on APT1 infrastructure associations, such as DNS lookups of APT1
> FQDNs, Command and Control channel activity, backdoor activity, and data
> exfiltration detection.
> 
> If you want to be involved, please give a holler. Read the document, and
> let's talk about what you think is the most important part of the "Attack
> Lifecycle", and how Argus data can be used to detect it.
> 
> Looking forward to the discussion,
> 
> Carter
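The two historical checks Carter's note singles out, inbound "hop point" access (Remote Desktop / FTP from a small set of watchlisted remote addresses) and DNS lookups of known FQDNs, can be screened from an argus archive with a short script like the following. This is an added example, not code from the argus project or from the thread; it assumes `ra` output in the delimited form `ra -c , -s stime,proto,saddr,sport,daddr,dport,state,suser` with a header row, assumes the `suser` column carries the captured DNS query name as a plain string, and every address, network and domain in it is a constructed placeholder (RFC 5737 ranges, `.invalid` domain), not an indicator from the Mandiant report.

```python
"""Screen argus flow records for two historical APT1 patterns named in the
thread: (1) inbound Remote Desktop / FTP access to an internal host from a
watchlisted remote address ("hop point" use), and (2) DNS lookups of a
watchlisted FQDN.  Added example; not part of the argus project.
"""
import csv
import io
import ipaddress
from collections import Counter

# Hypothetical watchlist: a site would fill this from the report's IoCs.
# The values here are placeholders from documentation ranges, not real IoCs.
WATCH_NETS = [ipaddress.ip_network("203.0.113.0/24")]
WATCH_FQDNS = {"example-c2.invalid"}
# Internal address space of this (constructed) site.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Destination ports of the access methods the message lists.
ACCESS_PORTS = {3389: "remote desktop", 21: "ftp"}

# Constructed sample in the assumed `ra -c ,` layout; first row = field names.
SAMPLE_RA_OUTPUT = """\
stime,proto,saddr,sport,daddr,dport,state,suser
2013-03-01 02:14:07,tcp,203.0.113.45,51022,10.1.2.3,3389,CON,
2013-03-01 02:15:31,tcp,203.0.113.45,51040,10.1.2.3,21,CON,
2013-03-01 02:16:02,tcp,198.51.100.7,44312,10.1.2.3,443,CON,
2013-03-01 02:20:11,udp,10.1.2.3,55001,10.1.0.53,53,CON,example-c2.invalid
2013-03-01 02:21:45,udp,10.1.2.9,55002,10.1.0.53,53,CON,www.example.com
2013-03-01 03:02:09,tcp,203.0.113.77,40110,10.1.2.8,3389,CON,
"""


def _in(addr, nets):
    """True when the address falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_ra(text):
    """Parse delimited ra output into dicts keyed by the header-row field names."""
    return list(csv.DictReader(io.StringIO(text)))


def find_hop_point_access(records):
    """Flows where a watchlisted remote address reaches an internal host on an
    access port: the inbound stepping-stone pattern described in the report."""
    hits = []
    for r in records:
        if r["proto"] != "tcp":
            continue
        dport = int(r["dport"])
        if (dport in ACCESS_PORTS
                and _in(r["saddr"], WATCH_NETS)
                and _in(r["daddr"], LOCAL_NETS)):
            hits.append({"stime": r["stime"], "remote": r["saddr"],
                         "local": r["daddr"], "method": ACCESS_PORTS[dport]})
    return hits


def find_watched_dns(records):
    """DNS flows whose captured query name matches a watchlisted FQDN or a
    subdomain of one (suser assumed to hold the bare name, see lead-in)."""
    hits = []
    for r in records:
        if r["proto"] != "udp" or int(r["dport"]) != 53:
            continue
        qname = r["suser"].strip().rstrip(".").lower()
        if any(qname == f or qname.endswith("." + f) for f in WATCH_FQDNS):
            hits.append({"stime": r["stime"], "client": r["saddr"], "qname": qname})
    return hits


def summarize(records):
    """Roll the hits up into what an incident responder wants first: which
    remote addresses touched which internal hosts, and which clients asked
    for watched names."""
    access = find_hop_point_access(records)
    dns = find_watched_dns(records)
    return {
        "access_by_remote": dict(Counter(h["remote"] for h in access)),
        "local_hosts_touched": sorted({h["local"] for h in access}),
        "dns_lookups": sorted(h["qname"] + " from " + h["client"] for h in dns),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_ra(SAMPLE_RA_OUTPUT)).items():
        print(key, value)
```

On a real archive the sample text would be replaced by piping `ra` over the archive files into `parse_ra`; the point of keeping the matching in plain functions is that the same watchlist can be re-run over years of records once the report's indicators are loaded, which is exactly the retrospective use Carter describes.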