Throughout 2011, I am sure that you have heard of the compromise of RSA, in which the stolen data regarding RSA’s Secure ID appears to have been used in subsequent attacks and that there were many more victims other than RSA. You’ve probably also heard of ShadyRAT, which demonstrated the longevity of command and control infrastructure as well as Nitro and Night Dragon which showed that some attackers focus on specific industries.
You’ve probably also heard of Trend Micro’s research of the Lurid attacks which showed that the attackers are interested in non-US targets but more importantly, such attacks should be seen as “campaigns” and not isolated attacks.
But what about all the great APT related research that you probably haven’t heard about?
Here is my personal Top
- The “Contagio Dump” and “Targeted Email Attacks” Blogs – Mila Parkour and Lotta Danielsson-Murphy have been posting information that fuels much of the research in this area. While malicious binaries are often available for analysis, the content of the socially engineered email is often elusive. These blogs have been providing a unique insight into the realm of targeted attacks.
- The CyberESI Blog – The team at CyberESI has been posting detailed analysis (and I mean detailed) of some of the most prolific malware families. In my view, their analysis has set the bar for reverse engineering in this area.
- Htran –Joe Stewarts research on Htran was over shadowed by the ShadyRAT report but I think it was the most innovative research papers this year because it tackled the attribution problem by looking behind the source IP’s of attacks to reveal the actual location of the attackers.
- Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains – Hutchins, Cloppert, and Amin explain how to track the phases on an attack and group multiple incidents into a “campaign”. This is a must-read for anyone tracking APT.
- “1.php” – This report by Zscaler on a particular campaign thoroughly maps out and analyzes the command and control infrastructure (C&C) and presents the results in a way that is actionable for defenders. Moreover, it contains insightful commentary on information disclosure in this area.
- APT Secrets in Asia – Xecure’s presentation at this year’s BlackHat demonstrated their research in clustering malware into groups based on common attributes. I really like the clustering technology they are working on as well as the term they introduced “NAPT” (Non-Advanced Persistent Threat).
- M-Trends – This report by Mandiant is an excellent overview of the attackers’ methodology as well as remediation strategies. In addition, it contains Mandiant’s work on investigating persistence mechanisms, particularly “DLL search order hijacking.”
- Sykipot – AlienLabs documented the trends in targeting (UCAVs) surrounding the Sykipot campaign as well as exploits, malware and command and control infrastructure used by the attackers.
- “What is an APT without a sensationalist name?” – Seth Hardy’s presentation at SecTor provided a much needed critical look at the hype surrounding APT along with a detailed technical analysis of a particular malware “SharkyRAT”.
- “Moli Hua” – Greg Walton documented an attack on journalists that leveraged Facebook and an MHTML exploit for Gmail that allowed attackers to add their own email addresses as “delegated accounts”.
- “My Lovely Wood” – This paper by Frankie Li provides a detailed technical analysis of malware used in a targeted attack.