Tuesday, April 17, 2012

one does not simply scan for APTs

from here

nevermind the fact that APT is people, not software, and so doesn't actually exist within the computer; this experiment where anti-virus was tested against a simulated APT attack seems rather absurd. algorithmic defenses will always be weak against non-algorithmic threats. machines can always be outsmarted by people. take a page out of seussian security and use the right countermeasures for the threat in question.


Rob Lee said...

The point of the exercise was to create forensic and IR case data to analyze not to evade A/V. We installed A/V to mimic a real network. We actually hoped some of the public and free utilities commonly used by the APT (such as Poison Ivy) would trigger A/V so we could have the log files to catch it as well. Unfortunately, what we discovered is that even on the simple malware and utilities used; A/V didn't give us a flare. It wasn't an A/V test, but one that was intentionally designed for forensicators to track APT through multiple systems. The output of the test seemed to indicate that A/V is pretty useless against any adversary using basic skills taught in any penetration testing class.

kurt wismer said...


obvious conclusion is obvious.

it follows from the nature of the actors. blacklists and anything derived from them are mostly useful after non-algorithmic/non-deterministic influences have been catalogued and accounted for. not unlike a random number being difficult to determine right after it's generated but much easier after it's published in a book.

APT, like soylent green, is people. they represent a non-algorithmic/non-deterministic influence. any APT that would use known malware without modification would be a moron and not deserving of the title of APT. when (not if) they perform a transformation on a piece of existing malware, the transformation function may be algorithmic and deterministic, but the selection of the transformation function is not.

all of which is a long way of saying that when it comes to APT, AV is not the defense you're looking for. only people can defend you against other people.