<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>M-unition &#187; State of the Hack</title>
	<atom:link href="http://blog.mandiant.com/archives/tag/state-of-the-hack/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.mandiant.com</link>
	<description>The Ammunition You Need to Find Evil and Solve Crime</description>
	<lastBuildDate>Wed, 01 Sep 2010 00:46:01 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>State of the Hack Webinar &#8211; Thursday March 11th</title>
		<link>http://blog.mandiant.com/archives/836</link>
		<comments>http://blog.mandiant.com/archives/836#comments</comments>
		<pubDate>Wed, 10 Mar 2010 00:17:05 +0000</pubDate>
		<dc:creator>Christopher Glyer</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[Case Study]]></category>
		<category><![CDATA[M-Trends]]></category>
		<category><![CDATA[State of the Hack]]></category>
		<category><![CDATA[webinar]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=836</guid>
		<description><![CDATA[Michael J. Graven and I will be presenting MANDIANT’s State of the Hack webinar titled &#8220;Silent But Deadly” this Thursday, March 11th at 2PM EST.
I&#8217;ve had the opportunity to lead a number of MANDIANT’s APT investigations recently, and am looking forward to sharing some of my experiences with our audience. One common thread in many [...]]]></description>
			<content:encoded><![CDATA[<p>Michael J. Graven and I will be presenting MANDIANT’s State of the Hack webinar titled &#8220;<a href="https://cc.readytalk.com/cc/schedule/display.do?udc=wsvv875egf20">Silent But Deadly</a>” this Thursday, March 11th at 2PM EST.</p>
<p>I&#8217;ve had the opportunity to lead a number of MANDIANT’s APT investigations recently, and am looking forward to sharing some of my experiences with our audience. One common thread in many of the investigations I have worked is that the APT will use simpler malware, methods, and techniques &#8211; until they no longer work and the attackers are forced to break out something a little more advanced from their arsenal.</p>
<p>The attackers will use more sophisticated methods as needed, and can get incredibly advanced and inventive and just &#8220;disappear&#8221; from the radar of responders if they really have to.  There has been a lot of chatter on the Internet lately about recent attacks and how the malware and the Command and Control channels aren&#8217;t very sophisticated.  But why use sophisticated techniques if you don&#8217;t have to?</p>
<p>Think about it &#8211; if you are a car thief and the car you are going to steal is not locked and has the key in the ignition &#8211; why pick the lock and hotwire the car? It doesn&#8217;t mean that the thief can&#8217;t pick the lock; it just means they don&#8217;t need to.  That same thief may be capable of breaking into a car that has a locked door, a car alarm, the club, and LoJack &#8211; and still get away with it if they are advanced enough and really want the car bad enough (think &#8220;<a href="http://www.imdb.com/title/tt0187078/">Gone in 60 seconds</a>&#8221;).  We have seen everything from the very simple – placing malware in a user&#8217;s start-up folder (yes, I actually saw this on one of my engagements) – to the pretty advanced – malware that dropped an NDIS driver capable of monitoring and modifying network traffic at the kernel level, implementing its own TCP/IP stack in the kernel, and providing remote access to a machine that would bypass host-based firewalls, IPS, etc.</p>
<p>During the webinar we will talk about the techniques the attackers use and will go into more depth on a few of the case studies in our recently released <a href="http://www.mandiant.com/products/services/m-trends">M-Trends report</a>.</p>
<p>Oh, and you may be asking yourself what the link is between the name of the webinar, &#8220;Silent But Deadly&#8221;, and what we will be discussing.  We have seen evidence of the APT active and undetected in many victim networks for very long periods of time – up to years in some cases.  Hence, the “silent”.  And, while the results of these prolonged intrusions may not be deadly, they can often be costly, which is very bad for business.</p>
<p>We hope to see you on Thursday!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.mandiant.com/archives/836/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
