SANS Digital Forensics and Incident Response Blog

SANS Digital Forensics and IR Summit 2010: Advanced Persistent Threat Panel Questions Released!

The 2010 Digital Forensics and Incident Response Summit's focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. REGISTER NOW!!

These questions are selected initially by the panelists to kick the panel off. Each panelist will choose one question initially and answer it. Once the initial questions are completed, additional questions will be taken from the attendees at the event.

Advanced Persistent Threat Panel Discussion

Panelists will discuss the Advanced Persistent Threat. What is it? How do you combat it? What are the biggest challenges in dealing with it? These experts have all actively worked cases involving the Advanced Persistent Threat and have the knowledge and experience to tell you first-hand what they know and what you should do if the APT infects your network.


Questions/Topic Areas

  1. Finish this scenario: You were just notified that your organization has been infected by the APT. Your first three steps to investigate the breach should be:
  2. What can organizations do immediately to put them in a better position to investigate an APT breach?
  3. How has the APT evolved over the years? What makes them better now?
  4. What is the earliest known intrusion by the APT? How do you know?
  5. Are anti-forensic techniques utilized by the APT? Specifically which ones are the most effective?
  6. Which malware persistence mechanisms have the APT utilized recently?
  7. How is the APT currently breaking into networks? Is it still spear phishing? Why is this hard to defend?
  8. How has the APT changed the way we conduct investigations? Is this for the better?
  9. Which APT technique is the hardest to investigate? What is it?
  10. Which stupid-simple technique does the APT utilize with the most damaging results?
  11. Is the U.S. government responding correctly at a policy level? What can be accomplished better?
  12. How do you effectively share indicators of APT compromise? Should these be classified?