This week the RSA FirstWatch team released research that explores the
realities associated with long-term Advanced Persistent Threat (APT)
analysis.
The report, The Cyber Espionage Blueprint: Understanding Commonalities in Targeted Malware Campaigns, is the culmination of a year’s worth of research from the RSA FirstWatch team. In that time they collected approximately 2400 samples spanning 60 different families of Trojans (including first-stage Remote Access Tools (RATs) and second-stage backdoors) used in Cyber Espionage campaigns.
The malware samples were assembled from a variety of sources including, but not limited to, current events and media, global data mining of open source intelligence, public information sharing groups and private information sharing groups.
Every sample identified and analyzed in the report was used in a targeted attack, and we forensically matched each one to its associated Cyber Espionage attack for accuracy. What we found is that there are many commonalities in Cyber Espionage malware that help form an attacker “blueprint” for these advanced campaigns.
By understanding this Cyber Espionage attacker “blueprint”, organizations can craft effective best practices for detection and response at both the host and network level. In doing so, the playing field can be leveled to put defenders at less of a disadvantage relative to attackers.
So what are some of these commonalities? When looking at over 2000 malware samples we found that:
- 54 percent of cyber espionage malware sample files used random or nonsensical filenames
- 68 percent of cyber espionage malware samples used standard ports to communicate
- 67 percent of cyber espionage malware samples were installed in the user profile directory
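The three commonalities above translate naturally into host- and network-level triage heuristics. The script below is an added example written for this post; it is not code from the report or from RSA FirstWatch. It scores constructed host observations (an executable's path and the destination port of its first outbound connection) against the three findings. The entropy and letter/digit-transition thresholds used to judge a filename "random or nonsensical", the set of "standard" ports, and the Windows user-profile path markers are all assumptions made for the example, not definitions from the report.

```python
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample observations (not data from the report). Each record is
# the on-disk path of an executable and the destination port it first spoke to.
SAMPLE_OBSERVATIONS = [
    {"path": r"C:\Users\alice\AppData\Roaming\xk3jq9wz.exe", "port": 443},
    {"path": r"C:\Program Files\Vendor\updater.exe", "port": 8443},
    {"path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "port": 80},
    {"path": r"C:\Windows\System32\svchost.exe", "port": 135},
    {"path": r"C:\Users\carol\Downloads\report_Q3.exe", "port": 6667},
]

# Assumption: "standard ports" means the ports of common Internet services.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}
# Assumption: Windows user-profile roots (lower-cased, with surrounding separators).
USER_PROFILE_MARKERS = ("\\users\\", "\\documents and settings\\")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def letter_digit_transitions(s: str) -> int:
    """Count how often s switches between a digit and a non-digit character."""
    kinds = [ch.isdigit() for ch in s]
    return sum(a != b for a, b in zip(kinds, kinds[1:]))


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): a filename stem reads as random/nonsensical when it
    has high character entropy AND either interleaves letters and digits or has
    almost no vowels. Real English-like names such as 'updater' fail this test."""
    alnum = re.sub(r"[^a-z0-9]", "", stem.lower())
    if len(alnum) < 6:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in alnum) / len(alnum)
    return shannon_entropy(alnum) >= 2.9 and (
        letter_digit_transitions(alnum) >= 2 or vowel_ratio < 0.15
    )


def in_user_profile(path: str) -> bool:
    """True when the executable lives under a user profile directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_PROFILE_MARKERS)


def assess(observations):
    """Return one triage record per observation.

    'score' counts only the two host-side indicators (random name, user-profile
    install). Using a standard port is NOT treated as suspicious by itself,
    because legitimate software does the same; it is reported separately as
    'blends_into_standard_port' to flag that port-based filtering would not
    have stopped this connection and content inspection is needed instead."""
    results = []
    for obs in observations:
        stem = PureWindowsPath(obs["path"]).stem
        random_name = looks_random(stem)
        profile_install = in_user_profile(obs["path"])
        results.append({
            "path": obs["path"],
            "port": obs["port"],
            "random_name": random_name,
            "user_profile_install": profile_install,
            "blends_into_standard_port": obs["port"] in STANDARD_PORTS,
            "score": int(random_name) + int(profile_install),
        })
    return results


if __name__ == "__main__":
    for record in assess(SAMPLE_OBSERVATIONS):
        print(f"score={record['score']} std_port={record['blends_into_standard_port']} "
              f"random={record['random_name']} profile={record['user_profile_install']} "
              f"{record['path']} -> :{record['port']}")
```

Run stand-alone, the script ranks the random-named executable in a roaming profile talking over 443 highest, and the masquerading `svchost.exe` in a Temp directory next; the legitimate System32 copy and the vendor updater score zero. The design point is that none of these three traits is conclusive alone (plenty of benign software installs into the user profile), so they belong in a weighted triage score or a correlation rule rather than a block list, and the "standard port" finding argues for inspecting traffic content rather than relying on port filtering.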
We will be presenting these findings at the RSA booth at BlackHat this week, and if you aren’t in Las Vegas to hear from us first hand, we urge you to read the research and share it with others in the trenches.