
M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

State of the Hack Webinar – Thursday March 11th

Written by Christopher Glyer

Michael J. Graven and I will be presenting MANDIANT’s State of the Hack webinar titled “Silent But Deadly” this Thursday, March 11th at 2PM EST.

I’ve had the opportunity to lead a number of MANDIANT’s APT investigations recently, and am looking forward to sharing some of my experiences with our audience. One common thread in many of the investigations I have worked is that the APT will use simpler malware, methods, and techniques – until it no longer works and they are forced to break out something a little more advanced from their arsenal.

The attackers will use more sophisticated methods as needed, and can get incredibly advanced and inventive and just “disappear” from the radar of responders if they really have to. There has been a lot of chatter on the Internet lately about recent attacks and how the malware and the Command and Control channels aren’t very sophisticated. But why use sophisticated techniques if you don’t have to?

Think about it – if you are a car thief and the car you are going to steal is not locked and has the key in the ignition – why pick the lock and hotwire the car? It doesn’t mean that the thief can’t pick the lock; it just means they don’t need to. That same thief may be capable of breaking into a car that has a locked door, a car alarm, the club, and LoJack – and still get away with it if they are advanced enough and really want the car badly enough (think “Gone in 60 Seconds”). We have seen everything from the very simple – placing malware in a user’s start-up folder (yes, I actually saw this on one of my engagements) – to the pretty advanced – malware that dropped an NDIS driver capable of monitoring and modifying network traffic at the kernel level, implementing its own TCP/IP stack in the kernel, and providing remote access to a machine that would bypass host-based firewalls, IPS, etc.

During the webinar we will talk about the techniques the attackers use and will go into more depth on a few of the case studies in our recently released M-Trends report.

Oh, and you may be asking yourself what the link is between the name of the webinar, “Silent But Deadly”, and what we will be discussing. We have seen evidence of the APT active and undetected in many victim networks for very long periods of time – up to years in some cases. Hence, the “silent”. And, while the result of these prolonged intrusions may not be deadly, they can often be costly, which is very bad for business.

We hope to see you on Thursday!


09 Mar 10 | General