How to spot APT attacks
Posted on 22 January 2013.
With the proliferation of Advanced Persistent Threats (APTs), it's paramount for those charged with defending the systems and networks of likely targets to know that these attackers often use legitimate, common tools whose use is harder for forensic investigators to spot.

FTP applications, data compression tools, tools used for file manipulation and for creating scheduled tasks, password recovery apps and user account clone tools are all types of software that can be legally bought from companies that make them, and are regularly used for making users' life and work easier.

Trend Micro Threat Researcher Roland Dela Paz helpfully offered a few good tips on what kind of things security administrators should be on the lookout for.

He says that most of the aforementioned tools are either command line tools or run both from the command line and via a GUI, so suspicious instances of command shell processes could be one way to spot their use, and process utilities can make that task easier.

Occasionally checking which tools are installed on a system you are responsible for, and looking for unusual file names and bogus file extensions, is also a simple way of spotting things that have no business being there.

"It may be tedious, yes, but being vigilant to files present in your system could spell the difference between mitigating an APT compromise and mass pilfering of your organization’s classified documents," Dela Paz points out.

Don't forget to occasionally review scheduled jobs, as they are a common auto-start method both for APTs and malware infections. By doing this, you could spot both the existence of an attack attempt and discover how the attack is supposed to unfold.

Finally, keeping an eye on FTP connections in the network logs is a simple way to spot APT attacks.

"In a corporate setting, FTP sites are usually Intranet sites. Thus, it is easier to sort out legitimate FTPs from malicious ones," explains Dela Paz. "FTP transactions are significantly smaller than other types of communications in the network, which may allow you to identify a breach faster. Furthermore, checking for archive files or files with odd file names being uploaded to a remote site may also suggest compromise."
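As an added example (not code from the article or from Trend Micro), the following Python script runs the FTP checks described above over a few constructed log lines: it flags transfers to destinations outside assumed intranet ranges, uploads of archive files, and bogus double extensions of the kind mentioned earlier in the article. The log line format, the intranet ranges and the extension lists are all assumptions to adjust for your own environment.

```python
import ipaddress
import re
from pathlib import PurePosixPath
# Assumed intranet ranges (the article: corporate FTP sites are usually intranet hosts).
INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".gz", ".tar", ".cab"}
EXEC_EXT = {".exe", ".scr", ".com", ".bat"}
UPLOAD_CMDS = {"STOR", "APPE"}

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <command> <filename>"
SAMPLE_LOG = """\
2013-01-22T09:01:10 10.1.4.22 10.1.9.5 STOR report_q4.docx
2013-01-22T09:03:41 10.1.4.22 203.0.113.17 STOR mg1.zip
2013-01-22T09:04:02 10.1.4.22 203.0.113.17 STOR budget.xls.exe
this line is malformed and must be skipped, not crash the review
2013-01-22T09:10:55 10.1.5.7 192.168.20.3 RETR budget.xlsx
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]{3,4}) (\S+)$")

def is_intranet(ip_text):
    """True if the address is inside one of the assumed intranet ranges."""
    try:
        return any(ipaddress.ip_address(ip_text) in net for net in INTRANET)
    except ValueError:  # unparsable address: treat as not known-internal
        return False

def file_reasons(command, filename):
    """Why a transferred file name looks suspicious (may be empty)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if command in UPLOAD_CMDS and suffixes and suffixes[-1] in ARCHIVE_EXT:
        reasons.append("archive upload")
    if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT:  # e.g. budget.xls.exe
        reasons.append("bogus double extension")
    return reasons

def review_ftp_log(text):
    """One finding per log line with at least one suspicious trait."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        ts, src, dst, cmd, name = m.groups()
        reasons = [] if is_intranet(dst) else ["external destination"]
        reasons += file_reasons(cmd, name)
        if reasons:
            findings.append({"time": ts, "src": src, "dst": dst, "file": name, "reasons": reasons})
    return findings
```

On the sample log the two uploads to 203.0.113.17 are reported, each with every reason that applies, while the intranet transfers and the malformed line produce nothing.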
