Thursday, January 21, 2010

Is APT After You?

Jeremiah Grossman made the following request via Twitter today:

@taosecurity blog post request. Signs that an individual or organization is or may be an APT target. + other threat naming conventions

Tough but great questions. I had better answer, or Jeremiah will find me and apply Brazilian Jiu Jitsu until I do. Let me take the second question first.

As I mentioned in Real Threat Reporting in 2005, "Titan Rain" became the popular term for one "intrusion set" involving certain actors. DoD applies different codewords to intrusion sets, and Titan Rain became popular with the publication of the Time article I referenced. If you read the Time article again you'll see at least one other reference, but I won't mention that here.

Some of you may remember "Solar Sunrise" from 1998 and "Moonlight Maze" from 1998-1999. Open reporting links the former to Russia and the latter to an Israeli named Ehud Tenenbaum. These are other examples of "intrusion sets," but they are not related to the current threat.

As far as other names for APT, they exist but are not shared with the public. Just as you might keep code names for different intrusion sets or campaigns within your CIRT, different agencies track the same activity using their own terms. This can cause some confusion when different CIRTs try to compare notes, since none of us speak of the private names unless in an appropriate facility. The Air Force invented "APT" as an unclassified term that could be used to quickly get different parties on the same page when speaking with coalition partners.

Regarding who may be an APT target, I liked Steven Adair's Shadowserver post. The way most organizations learn that they have a problem is by receiving an outside notification. The FBI and certain military units have been fairly active in this respect for the past three years. This marks quite a change in the relationship between the US government and the private sector, and it's not limited to American companies. A little searching will reveal reports of other governments warning their companies of similar problems.

If your organization has not been contacted by an outside agency, you might want to look at the possible objectives that I posted in What is APT and What Does It Want? Does your organization own data that falls into one of the political, economic, technical, or military categories that could interest this sort of threat? Overall, my assessment of APT progress can be summarized this way:
  • Phase 1, late 1990s: mainly .mil
  • Phase 2, 2000-2004: .gov added to target list
  • Phase 3, 2005-2009: cleared defense contractors, research institutes, political and infrastructure added to target list (significant expansion)
  • Phase 4, 2010- ? : expansion only limited by resources?
Probably the next best way to learn if you are a target is to join whatever industry groups you can find and network with your peers. Develop relationships such that your peers feel comfortable sharing threat information with you. Do the same with government actors, especially the FBI. Many times these agencies are just sitting on data trying to figure out the right contacts.

I would beware of organizations that claim some product they sell will "stop APT" or "manage APT" or act as another silver bullet. We're already seeing some vendors jump on the counter-APT bandwagon with little clue what is happening. There are a few consultancies with deep knowledge on this topic. I'm not going to name them here, but if you check the Incident Detection Summit 2009 list you can find them. The degree of counter-APT experience on the speaker list varies considerably, but you can try using that list to verify whether Company X has any relationship whatsoever to this problem. That doesn't mean companies or organizations not listed as speakers are "clueless;" a lot of counter-APT activity is simply "good IT." However, you shouldn't expect a random consultant to be able to sit down and explain the specifics of this problem to your CIO or CEO. Incidentally, this is NOT an advertisement for my company; I run an internal CIRT that only protects our assets.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
