Black Hat: Remediating Attacks in the Age of APTs

Black Hat 2012 News

Roughly two months ago, the now-notorious Flame malware burst into the public consciousness, marking another example of a sophisticated threat launched out of the arsenal of nation-states or those working on their behalf. From espionage to data theft by cyber-gangs, there is no shortage of attackers looking to stay under the radar while they pilfer data or cause disruption for the long haul.

Investigating and remediating these types of targeted attacks, argues Jim Aldridge of Mandiant, requires a different kind of approach than when facing more opportunistic hackers. At the upcoming Black Hat conference in Las Vegas, Aldridge plans to take a look at what organizations should be doing in the aftermath of a targeted breach, and how some forethought and planning could make a difference.

“The essence of the talk is really that when you are dealing with a targeted, persistent adversary…remediating that type of an intrusion [requires] a different approach than what most organizations are used to in terms of remediating a quote unquote security incident,” he said.

One of the keys for organizations is understanding the attack lifecycle – the phases of an advanced persistent threat (APT) campaign as they tend to unfold. There are several stages, ranging from reconnaissance to the initial compromise to moving laterally across the network to compromise systems and steal data. Understanding the lifecycle of APTs allows companies to plan their response more effectively while they are under attack, and offers those not under attack a guide for planning security initiatives ahead of time, he said.

Enterprises need to focus on making their environment “investigation ready,” he said.

“Think about if I were to have an intrusion right now, how would I be able to respond to that, and then start filling in the gaps in visibility,” he explained.

There are a number of logs organizations should pay attention to so they are ready to assist or conduct an investigation into a breach. Two key examples are DHCP logs and DNS logs, which he said could be critical.


“Do you have the DHCP logs so that if your investigation team identifies communication related to a particular IP address that happened maybe five days ago, do you know what host that equates to on the network? Are you going to be able to figure that out? If not, it can really hamper the investigation,” he said.

DNS logs can likewise help with tracing the steps of an attack.

“(For example,) law enforcement contacts you and tells you that they observed three of your IP addresses communicate with a particular domain that is associated with known state-sponsored attacker activity,” he said. “This occurred six months ago. If you had DNS logs, you could quickly go determine which systems resolved that domain name and use that as a starting point for an investigation. These may be more useful than firewall logs, as the IP address to which the domain name points may have changed. Without DNS logs, you can’t quickly identify the infected systems. If the attacker has changed malware since then, and is using new command-and-control domains, you may never see resolution of the old ones.”
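The two pivots Aldridge describes, turning an IP address seen days ago back into a host via DHCP leases and turning a suspect domain name into the list of systems that resolved it via DNS query logs, can be scripted once the logs are retained. The following is an added example written for this article, not code from SecurityWeek or Mandiant. The DHCP and DNS log line formats, the hostnames, and the domain `update.example-c2.invalid` are all constructed stand-ins; real DHCP server and resolver logs differ, so the two regular expressions would need adapting. The sample data deliberately reassigns `10.0.0.5` to a second machine mid-way, which is exactly the case where attributing by IP alone points at the wrong host.

```python
"""Correlate DHCP lease logs with DNS query logs so that an IP address or a
domain name observed during an investigation maps back to named hosts.

Added example for the article above; not code from SecurityWeek or Mandiant.
Log formats, hostnames and the C2-style domain are constructed for illustration.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional


class Lease(NamedTuple):
    ts: datetime
    ip: str
    mac: str
    host: str


class DnsQuery(NamedTuple):
    ts: datetime
    client_ip: str
    qname: str


# Constructed DHCP server log. Note that 10.0.0.5 is leased to ws-finance-07
# on 2012-07-01 and then handed to lt-sales-11 on 2012-07-03.
DHCP_LOG = """\
2012-07-01T08:02:11 DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (ws-finance-07)
2012-07-01T08:05:40 DHCPACK on 10.0.0.9 to 00:11:22:aa:bb:cc (ws-hr-02)
2012-07-03T09:10:02 DHCPACK on 10.0.0.5 to 00:11:22:de:ad:01 (lt-sales-11)
2012-07-03T09:12:30 DHCPACK on 10.0.0.14 to 00:11:22:33:44:55 (ws-finance-07)
"""

# Constructed resolver query log (client IP, queried name, record type).
DNS_LOG = """\
2012-07-02T14:21:07 client 10.0.0.5 query: update.example-c2.invalid A
2012-07-02T14:21:09 client 10.0.0.9 query: www.example.com A
2012-07-04T11:02:55 client 10.0.0.5 query: update.example-c2.invalid A
2012-07-04T11:40:12 client 10.0.0.14 query: mail.example.com A
"""

DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) \((\S+)\)$")
DNS_RE = re.compile(r"^(\S+) client (\S+) query: (\S+) \S+$")


def parse_dhcp(text: str) -> List[Lease]:
    """Parse lease acknowledgements into Lease records sorted by time."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            leases.append(Lease(datetime.fromisoformat(ts), ip, mac, host))
    return sorted(leases, key=lambda lease: lease.ts)


def parse_dns(text: str) -> List[DnsQuery]:
    """Parse resolver query lines into DnsQuery records sorted by time."""
    queries = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, client_ip, qname = m.groups()
            queries.append(DnsQuery(datetime.fromisoformat(ts), client_ip, qname))
    return sorted(queries, key=lambda q: q.ts)


def host_for_ip(leases: List[Lease], ip: str, at: datetime) -> Optional[Lease]:
    """Return the lease that held `ip` at time `at`: the most recent DHCPACK
    for that IP issued at or before `at`. None if the DHCP history does not
    cover that moment (the gap Aldridge warns about)."""
    best = None
    for lease in leases:  # leases are time-sorted, so the last match wins
        if lease.ip == ip and lease.ts <= at:
            best = lease
    return best


def hosts_that_resolved(leases: List[Lease], queries: List[DnsQuery],
                        domain: str) -> Dict[str, List[str]]:
    """Map every lookup of `domain` to a hostname, attributing each query
    through the DHCP lease that was valid at the query's own timestamp."""
    hits: Dict[str, List[str]] = {}
    wanted = domain.rstrip(".").lower()
    for q in queries:
        if q.qname.rstrip(".").lower() != wanted:
            continue
        lease = host_for_ip(leases, q.client_ip, q.ts)
        name = lease.host if lease else f"unknown-host({q.client_ip})"
        hits.setdefault(name, []).append(q.ts.isoformat())
    return hits


def investigate(domain: str, dhcp_text: str = DHCP_LOG,
                dns_text: str = DNS_LOG) -> Dict[str, List[str]]:
    """Convenience wrapper: parse both logs and pivot on a suspect domain."""
    return hosts_that_resolved(parse_dhcp(dhcp_text), parse_dns(dns_text), domain)


if __name__ == "__main__":
    for host, times in investigate("update.example-c2.invalid").items():
        print(f"{host}: resolved the domain at {', '.join(times)}")
```

Run as-is, the script attributes the two lookups of the suspect domain to two different machines, `ws-finance-07` on 2 July and `lt-sales-11` on 4 July, even though both came from `10.0.0.5`. A responder who only had the IP, or only the current DHCP lease table rather than its history, would image the wrong workstation for the earlier event. The same timestamp-aware join is what makes DNS logs more durable than firewall logs for this purpose: the pivot key is the domain name, not the address it happened to point at months ago.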

Aldridge added that organizations should also pay attention to logs related to authentication, and take preventive measures such as removing local administrator rights from users who do not need them. The idea is for organizations to look for ways to inhibit attackers as much as possible and detect them when they have found their way inside.

“I call it inhibit not prevent, because in the end if the adversary has the will and the means they are going to eventually get through some of the defenses,” he said.
