SANS Digital Forensics and Incident Response Blog: Tag - APT

APT Malware and Memory Challenge

The memory image contains real APT malware launched against a test system. Your job? Find it. The object of our challenge is simple: Download the memory image and attempt to answer the 5 questions. DOWNLOAD LINK FOR MEMORY IMAGE:http://dfir.to/APT-Memory-Image Questions: What is the Process ID of the rogue process on the system? Determine the name … Continue reading APT Malware and Memory Challenge


New Advanced Persistent Threat Based - FOR508 Released in On-Demand

It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems. You are compromised by the APT. Most organizations are left speechless as 90% of all intrusions are … Continue reading New Advanced Persistent Threat Based - FOR508 Released in On-Demand


Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results

One of the biggest complaints that many have in the DFIR community is the lack of realistic data to learn from. Starting a year ago, I planned to change that through creating a realistic scenario based on experiences from the entire cadre of instructors at SANS and additional experts who reviewed and advised the attack … Continue reading Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results


Why Stuxnet Isn't APT

Stuxnet has become so buzz-worthy that I almost feel like an article relating it to "APT" is the epitome of anecdotal industry naval-gazing. Making a qualitative assessment of each can be a useful exercise in classifying and understanding the threat landscape, however. This in turn helps clarify risk, driving resource allocation, investment, and R&D. Even more important than the conclusions presented herein, I want to elucidate some of the analysis that goes into threat assessments so that others might be empowered to do the same. Continue reading Why Stuxnet Isn't APT


Security Intelligence: Defining APT Campaigns

In the three previous installments of this series, I introduced security intelligence and how to begin thinking about sophisticated intrusions. In this entry, I will discuss how my team at Lockheed Martin defines the adversaries that we track using the definitions covered previously, with a particular focus on the kill chain. As always, credit for these techniques belongs to my team and the hard work of evolutionary CND we've done over the past 6 years.

The "persistence" in APT intrusions is manifested in two ways: maintaining a presence on your network, as well as repeatedly attempting to gain entry to areas where presence is not

...