How to spot APT attacks
Posted on 22 January 2013.
With the proliferation of Advanced Persistent Threats (APTs), it is paramount for those charged with defending the systems and networks of likely targets to know that these attackers often use legitimate, widely available tools, whose activity is harder for forensic investigators to spot.

FTP applications, data compression tools, tools for file manipulation and for creating scheduled tasks, password recovery apps and user account cloning tools are all types of software that can be legally bought from the companies that make them, and are regularly used to make users' lives and work easier.

Trend Micro Threat Researcher Roland Dela Paz helpfully offered a few good tips on what security administrators should be on the lookout for.

He says that most of the aforementioned tools are either command-line tools or can run both from the command line and via a GUI, so suspicious instances of command shell processes are one way to spot their use; process monitoring utilities make that task easier.

Occasionally checking what tools are installed on a system you are responsible for, and looking for unusual file names and bogus file extensions, is also a simple way of spotting things that have no business being there.
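To make the file-level checks concrete, here is an added example (not from the article or from Trend Micro) of a small audit script in Python. It builds a constructed sample directory, then flags three things the tips above describe: a file whose leading bytes do not match its extension (a bogus extension), a stacked "document.exe" style double extension, and an executable that is not on an approved baseline list. The baseline, the sample file names and their contents are all constructed for the demonstration; the format signatures are the well-known leading bytes of each file type.

```python
import os
import tempfile

# Leading bytes of a few common file types (well-known format signatures).
SIGNATURES = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",   # zip, docx, xlsx and jar all share this
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# Content kind that legitimately sits behind each extension.
EXPECTED_KIND = {
    ".exe": "pe-executable", ".dll": "pe-executable", ".scr": "pe-executable",
    ".pdf": "pdf",
    ".docx": "zip-container", ".xlsx": "zip-container", ".zip": "zip-container",
    ".rar": "rar", ".7z": "7z",
}

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs"}
DOCUMENT_EXT = {".pdf", ".docx", ".xlsx", ".doc", ".xls", ".txt", ".jpg"}

# Constructed baseline (hypothetical): executables an admin has approved for this host.
BASELINE = {"winword.exe", "excel.exe", "notepad.exe"}


def sniff_kind(path):
    """Classify a file by its leading bytes rather than by its name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for sig, kind in SIGNATURES.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def name_findings(name):
    """Name-only checks: stacked extensions and executables outside the baseline."""
    findings = []
    lower = name.lower()
    parts = lower.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and ("." + parts[-2]) in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
        findings.append("double extension disguises an executable as a document")
    if ext in EXECUTABLE_EXT and lower not in BASELINE:
        findings.append("executable not in approved baseline")
    return findings


def audit_directory(root):
    """Walk root and return sorted (relative path, reason) pairs worth a closer look."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            for reason in name_findings(name):
                findings.append((rel, reason))
            ext = os.path.splitext(name.lower())[1]
            kind = sniff_kind(path)
            expected = EXPECTED_KIND.get(ext)
            if expected and kind != "unknown" and kind != expected:
                findings.append((rel, f"extension says {ext} but content is {kind}"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory of benign and suspicious files; returns its path."""
    root = tempfile.mkdtemp(prefix="apt-audit-")
    samples = {
        "invoice.pdf": b"%PDF-1.4 constructed sample",   # benign: name and content agree
        "notepad.exe": b"MZ\x90\x00",                    # benign: approved executable
        "quarterly.pdf": b"MZ\x90\x00",                  # bogus extension: executable named .pdf
        "report.docx.exe": b"MZ\x90\x00",                # double extension, not in baseline
        "archiver.exe": b"MZ\x90\x00",                   # unapproved compression tool
        "staging.zip": b"PK\x03\x04" + b"\x00" * 4,      # benign archive
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in audit_directory(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Run against a real directory, `audit_directory` only reads the first eight bytes of each file, so it is cheap enough to schedule periodically; the signature and extension tables are deliberately short and should be extended to match the file types that are normal on the systems you look after.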

"It may be tedious, yes, but being vigilant to files present in your system could spell the difference between mitigating an APT compromise and mass pilfering of your organization's classified documents," Dela Paz points out.

Don't forget to occasionally review scheduled jobs, as they are a common auto-start method for both APTs and malware infections. By doing this, you could both detect an attack attempt and discover how the attack is meant to unfold.

Finally, keeping an eye on FTP connections in the network logs is a simple way to spot APT attacks.

"In a corporate setting, FTP sites are usually Intranet sites. Thus, it is easier to sort out legitimate FTPs from malicious ones," explains Dela Paz. "FTP transactions are significantly smaller than other types of communications in the network, which may allow you to identify a breach faster. Furthermore, checking for archive files or files with odd file names being uploaded to a remote site may also suggest compromise."
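The FTP log review Dela Paz describes can be scripted. The following is an added example, not from the article or from Trend Micro: a Python triage script over a constructed sample log in a hypothetical, simplified transfer-log format (one upload or download per line; real FTP servers each have their own format, so the parser would need adapting). It applies exactly the three signals in the quote: uploads to hosts outside the Intranet ranges, uploads of archive files, and files with odd names, and it also totals uploaded bytes per destination, which is the kind of summary that stays manageable precisely because FTP traffic is a small slice of the network. The RFC 1918 ranges stand in for "Intranet" and are an assumption to adjust.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in a hypothetical, simplified transfer-log format
# (not any real FTP server's format): timestamp user src dst action file size.
SAMPLE_LOG = """\
2013-01-21T09:12:03 alice 10.0.0.15 10.0.0.40 STOR budget_2013.xlsx 48210
2013-01-21T09:14:51 bob 10.0.0.22 10.0.0.40 RETR handbook.pdf 1208401
2013-01-21T23:41:07 svc_backup 10.0.0.31 203.0.113.7 STOR 1a9f3c7e2b.rar 52428800
2013-01-21T23:42:19 svc_backup 10.0.0.31 203.0.113.7 STOR docs_part02.7z 52428800
2013-01-22T10:03:44 carol 10.0.0.18 10.0.0.40 STOR slides.pptx 3145728
2013-01-22T02:17:30 alice 10.0.0.15 198.51.100.9 STOR ~tmp.tmp.zip 734003
"""

# Assumption: RFC 1918 space is the Intranet; replace with the organisation's own ranges.
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".tar", ".gz", ".cab")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (STOR|RETR) (\S+) (\d+)$")


def parse_line(line):
    """Return a dict for one transfer record, or None if the line does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, user, src, dst, action, fname, size = m.groups()
    return {"ts": ts, "user": user, "src": src, "dst": dst,
            "action": action, "file": fname, "size": int(size)}


def is_intranet(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTRANET)


def odd_name(fname):
    """Heuristic for file names a person would not normally choose."""
    stem = fname.rsplit(".", 1)[0]
    if re.fullmatch(r"[0-9a-f]{8,}", stem):   # looks like a hash or random token
        return True
    if fname.count(".") >= 2:                  # stacked extensions
        return True
    return False


def triage_uploads(log_text):
    """Return (timestamp, user, dst, file, reasons) for uploads worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "STOR":   # only uploads leave the organisation
            continue
        reasons = []
        if not is_intranet(ev["dst"]):
            reasons.append("upload to non-intranet host")
        if ev["file"].lower().endswith(ARCHIVE_EXT):
            reasons.append("archive upload")
        if odd_name(ev["file"]):
            reasons.append("odd file name")
        if reasons:
            findings.append((ev["ts"], ev["user"], ev["dst"], ev["file"], reasons))
    return findings


def upload_bytes_by_destination(log_text):
    """Total bytes uploaded per destination host; large external totals stand out."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "STOR":
            totals[ev["dst"]] += ev["size"]
    return dict(totals)


if __name__ == "__main__":
    for ts, user, dst, fname, reasons in triage_uploads(SAMPLE_LOG):
        print(f"{ts} {user} -> {dst} {fname}: {', '.join(reasons)}")
    ranked = sorted(upload_bytes_by_destination(SAMPLE_LOG).items(), key=lambda kv: -kv[1])
    for dst, total in ranked:
        tag = "" if is_intranet(dst) else " (external)"
        print(f"{dst}: {total} bytes uploaded{tag}")
```

On the constructed log the two after-hours archive uploads by `svc_backup` and the stacked-extension archive sent to an external host surface immediately, while the ordinary intranet uploads stay out of the way. In practice the name heuristic in `odd_name` is the part that needs tuning to local naming conventions, and the byte totals per destination are worth comparing against the previous week's figures rather than reading in isolation.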

