Security Suites vs Advanced Persistent Threats (APTs)

Discussion in 'other anti-virus software' started by Mover, Feb 17, 2013.

Thread Status:
Not open for further replies.
  1. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    Has anyone come across any material on personal commercial security suites being tested against APTs and how they stack up?

    What's your opinion on personal security suites vs APTs?

    As for me, I tend to favour a suite that runs software (browser) in a sandbox. Theoretically, your computer can't get infected that way even if the AV misses the infection.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    APTs are usually used in targeted attacks, so it is likely the attackers know which suite is being used and evade it. Also keep in mind that while they are more sophisticated than standard run-of-the-mill malware, APT has become a buzzword which many security companies use for advertising and FUD.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I'm not sure what you're asking. An APT is a targeted attack in which a group is actively and persistently working to get access to systems on a particular network for business or political purposes. In such cases they eventually find a way past defenses because they're going to adapt to your defenses and work around them. So if your work uses Norton, then they may intercept a personal email and insert malware that specifically evades Norton. Stuxnet would be an example of an APT.

    https://www.damballa.com/knowledge/advanced-persistent-threats.php
     
  4. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    I agree that APTs are usually aimed at businesses or government institutions for a political/financial reason, however, there is no set rule that says an individual can't be the target of an APT.

    I have come across the occasional article showing this to be the case which is why I raised this question.
     
  5. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
  6. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    "In 2007, I opened an email from an unknown sender. The message greeted me by a nickname known only to family and close friends....

    ...At the time, I was the chairman of a company that was building shopping centers in China. The company was a partnership of three entities: a major U.S. bank, a Chinese state-owned enterprise, and my firm. We were building centers in third- and fourth-tier cities."


    That sounds a lot like a targeted attack, don't you think?
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Classic spear phishing example.
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Apparently a targeted attack at an individual is not considered an APT, although individuals will be targeted as a part of an APT. That's really just semantics, though. The point is that the word "persistent" is key; whatever defenses you have, they're going to find a way to work around. They can put together malware with the combination of evasion techniques that would be needed to get past your AV (in no small part due to being a unique piece of malware).

    Mostly, though, the likelihood of a targeted attack is very low unless you have or have access to sensitive or valuable data; it's pretty much just the same as the real world.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I wouldn't read much into what people call APTs until reading closer about a specific threat. I've seen some places describe a threat which does nothing more than add a registry run key pointing to itself and show a couple ads as an APT... o_O
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I think the point some people are trying to make here (but maybe I'm wrong), is that these are "targeted" attacks. Meaning the mark has been staked out, so to speak, and they probably know what suite/AV they'd be running, rendering that moot. That's kinda the whole point... what it is.

    But yeah, there's definitely a lot of benefit there in running anything facing the net sandboxed. If such an app is their vector of attack, it would be nearly impossible to circumvent a restricted box no matter what. But then again, if it's an APT, again... they'd KNOW this, and would be coming at you from another angle. So again, moot. Otherwise it wouldn't be much of an APT.

    And it could happen against an individual if you pissed the wrong person/people off. And I think it's faulty logic to think a group of hackers can't pull the type of intel together necessary to pull off such an attack. Just from reading people's posts about their security setups in here, via the "what is your security setup these days" thread, for instance... one could acquire a wealth of info. on a user. People practically break down their entire approach, hardening tweaks and all there. Or even just by looking at our sigs... Match such info. up with a WAN IP address, and it doesn't take an entire government against you at all to pull such a thing off.
     
    Last edited: Feb 19, 2013
  11. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Replace the word 'Norton' with 'your favorite AV/IS product'.
     
  12. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    So if your browser is sandboxed and you use webmail, you are protected from email threats infecting your computer.

    Any thoughts on this?
     
    Last edited: Feb 22, 2013
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Security suites are generally useless. There are very few products out there that are viable for APT. I actually can't think of a single one.
     
  14. Totally agree.

    There are even such things called sandbox bypasses. So I wouldn't rely on that technology to protect you.

    Yes, it's good intelligence to scour those threads, but anything important should be kept offline on a separate system or done with a LiveCD.

    I have seen LiveCDs compromised though, very spooky stuff. The only good thing about it is that once you shut down, the malware is hopefully gone.
     
  15. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    APT says absolutely nothing about the nature of the malware itself. It simply defines the attacker's characteristics:

    "- Advanced means the adversary can operate in the full spectrum of computer intrusion......

    - Persistent means the adversary is formally tasked to accomplish a mission......

    - Threat means the adversary is not a piece of mindless code......."

    http://threatpost.com/en_us/blogs/advanced-threats-are-not-all-apt-072011
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
  17. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Most (maybe all?) sandboxes protect against WRITING to sensitive areas. They do not protect against READING FROM sensitive areas, which is what APTs try to do when stealing info.
     
  18. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    This was my hunch too.

    So what is the solution to prevent reading sensitive areas? Encryption, EMET and DEP, Limited User Account, UAC, 2 way firewall, AV with web/network filter? All the above?
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Chrome's sandbox should prevent reads.

    Sandboxie can be configured to do so as well.

    Anyways, Security Suites almost always rely on detection. And when they don't they rely on the user. So they're guaranteed failures.
     
  20. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    How so? Could you elaborate a bit on why Chrome's sandbox prevents reads?

    Another thing to note is that it seems that sandboxes work better on a 32 bit OS compared to 64 bit OS for some reason.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    32-bit vs 64-bit really depends on the sandbox and its mechanics.

    Chrome's sandbox uses various tokens that prevent reading files of higher integrity levels. An analysis of its sandbox has shown no read or write access to the file system/registry.
     
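    Added illustration, not part of any post in this thread: a toy Python model of the two Windows access checks qakbot (post 17) and Hungry Man (post 21) are describing. A plain "low integrity" sandbox only gets the mandatory label's default no-write-up rule, so a read of a Medium-labelled file still falls through to the DACL and succeeds; a Chrome-style restricted token adds a second DACL pass against its restricting SIDs, which is what blocks the read. The SIDs, file and function names here are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Mandatory-label policy bits (Windows names): files get NO_WRITE_UP by default.
NO_WRITE_UP, NO_READ_UP = 1, 2
READ, WRITE = "read", "write"
LEVELS = {"untrusted": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Token:
    integrity: str
    sids: Set[str]
    restricted_sids: Optional[Set[str]] = None  # None = not a restricted token


@dataclass
class Obj:
    integrity: str
    label_policy: int
    dacl: Dict[str, Set[str]]  # sid -> granted access rights


def mic_allows(token: Token, obj: Obj, access: str) -> bool:
    """Mandatory Integrity Control only bites when the subject is below the object."""
    if LEVELS[token.integrity] >= LEVELS[obj.integrity]:
        return True
    if access == WRITE and obj.label_policy & NO_WRITE_UP:
        return False
    if access == READ and obj.label_policy & NO_READ_UP:
        return False
    return True  # reads pass a default-labelled file; the DACL decides


def dacl_allows(sids: Set[str], obj: Obj, access: str) -> bool:
    return any(access in obj.dacl.get(s, set()) for s in sids)


def access_check(token: Token, obj: Obj, access: str) -> bool:
    if not mic_allows(token, obj, access) or not dacl_allows(token.sids, obj, access):
        return False
    # Restricted token: a second DACL pass using only the restricting SIDs must also pass.
    if token.restricted_sids is not None:
        return dacl_allows(token.restricted_sids, obj, access)
    return True


# Constructed sample: a user's document at Medium with the default label policy.
DOC = Obj("medium", NO_WRITE_UP, {"S-1-user": {READ, WRITE}})
LOW_SANDBOX = Token("low", {"S-1-user"})  # same user, just a lower label
CHROME_LIKE = Token("untrusted", {"S-1-user"}, restricted_sids={"S-1-0-0"})  # null SID


def demo() -> Dict[str, bool]:
    return {
        "low_write": access_check(LOW_SANDBOX, DOC, WRITE),  # blocked by NO_WRITE_UP
        "low_read": access_check(LOW_SANDBOX, DOC, READ),    # MIC does not stop reads
        "chrome_read": access_check(CHROME_LIKE, DOC, READ), # restricted-SID pass fails
    }
```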
  22. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    How about encryption of sensitive data and advanced Firewall/HIPS that monitors all suspicious behaviour and connections? There are also ways of masking your presence online.
     