Thursday, August 11, 2011

APT: What is it really?

Ira Winkler recently wrote an article about McAfee's latest report on Shady RAT. This brings the buzzword Advanced Persistent Threat (APT) out again. It's always interesting to see this word being tossed around. What is it really? It's just putting a fancy name on something which has been around since goodness knows when. Ira breaks down the attacks as being generally like all attacks are, except that APT tends to use somewhat more sophisticated malware than your standard drive-by exploit.

Delivery is never complicated, because generally it doesn't have to be: phishing emails with malicious links or attachments, sometimes spoofed, sometimes not. You only need one user to click on a link to gain access to a system. It is of course always better to gain access to an executive's computer or account, but that is not always necessary.

The Shady RAT malware used steganography, something I personally have never seen in the field. APT generally uses something more devious than standard drive-by exploits: rootkits, infected MBRs, and even patching the holes that other malware utilizes.

Personally, I think the main difference between APTs and other nefarious actors is that the other actors are usually after two things: money or CPU time (for botnets, etc.). APTs are generally after information, and are willing to go low and slow to get in, establish persistence (a backdoor), and exfiltrate data in a secure manner. The other guys don't really care about that: if 5 out of 50 computers get hijacked, it's good enough for them, which is why they just blast out e-mails and infect websites like crazy.

Regardless of my opinion, Ira makes a good point: why do vendors over-exaggerate their claims, and their competitors then come out with rebuttals saying it really is no big deal and here's why? Shouldn't collaboration be a better buzzword to be dropping? If we had better dialogue between vendors and security teams from various fields (private and public), maybe we could help the community as a whole.
