I was recently at a very interesting conference. They discussed the risk of advanced persistent threats also known as (APT). Advanced persistent threats are basically threats that bypass your security and can constantly talk to the attacker.

I am going to walk you through a quick example of how this works. The Chinese government has state sponsored hackers that go after valuable targets. These hackers are required to be fluent in the English language. The first thing they do is use google to find out who the important people in the company are and who the direct reports are. They then do either spearfishing email attempting to get you click or open an email with a link to spyware or malware. Once you click on this and download it, you have the malware on your machine creating a back door for them to get access to. Since more firewalls limit inbound connections, this malware calls out to a server waiting for commands.

They can tell the malware to sleep, log key strokes or various other options. They can even export emails from your outlook mail program. Their goal is not to get credit card information, but to get trade secrets or intellectual property. Once in the network they are usually in for a minimum of 256 days with a maximum of 7-8 years.

The reason they remain undiscovered is the attack is advanced and most virus scanners will not pick the attack up. The reason is the attack is customized for that specific hack and not deployed in mass. Current virus scanning technology while good, needs a mass infection with numerous people reporting it before a signature is written. If you don’t have this mass infection, you will not detect the virus. These attacks are also hiding the file type by either encrypting part of the program or changing it using a simple xor algorithm. So if you are looking to block by file type, it will circumvent that.

This is a new type of attack and only a few companies can discover and stop it. One company is Fireeye. Fireeye has an advanced technology that runs this type of attacks within various virtual machines. If it finds one, it distributes a signature to everyone in the network. It has a high success rate of finding and blocking this type of attack.

These threats are becoming common and traditional security solutions will not help you. What are you doing to protect yourself against these types of threats?

For more an interesting read on this type of attack, read the Mandiant APT1 report located here APT Report.

If you would like more information about this type of Threat, email james@tbjconsulting.com or call 262-373-9070