In the past couple of years there has been a shift in the infosec landscape. The shift has been caused by a style of attack that some companies had been dealing with for years before it. It has been labeled targeted attacks or Advanced Persistent Threat (APT). In a lot of ways the shift has been a good thing for the infosec community. Companies are starting to adopt new security technologies and methodologies and to build out teams to do analysis. Many large organizations are trying to implement internally what the anti-virus companies have in house. They want automation, classification and intelligence on malware. They want to use the data so they can map out the campaigns against them and create mitigations to thwart this style of attack. Due to the limited number of targeted attacks against any one organization, many anti-virus companies will not be able to detect the samples. Targeted malware differs from commercial-grade malware, banking trojans and other malware cruft because of the sample count. It is not as widely distributed as other forms of malware, and many anti-virus companies will never see targeted attack samples.
There are three things that are needed to battle targeted attacks. The first is detection, the second is mitigations to remove and prevent the attack and the third is intelligence on previous attacks. Anti-virus engines are designed for detection, blocking and removal. They are very powerful tools against known samples or known malicious behavior. In order to prevent targeted attacks, organizations have had to have intelligence about their adversaries. Since targeted companies have not been able to rely on one technology, they have created a defense based on intelligence. For more information on how the intelligence is used to prevent attacks please see Intelligence-Driven Computer Network Defense [1]. The intelligence comes from analyzing previous successful and unsuccessful attacks. The analyzed data is kept private. If the adversaries were aware of the mitigations taken against them they would shift infrastructure and tactics.
From an intel perspective the release of the data could be perceived as good for the community. Other intel analysts can cross-reference the data to build out and link campaigns against their own organizations. It can also hold individuals targeting organizations accountable for their actions. This is very important when individuals are being targeted for their political, religious or other beliefs. From a defense perspective, public intelligence has an estimated life cycle value of 24 hours. This of course depends on the sophistication of the adversaries. After that window the adversaries will abandon the infrastructure, leaving the indicators from the intelligence analysis of dated value. Which leads us to the elephant in the room.
When intelligence around targeted attacks is posted publicly, the data is of little value for the people who use it to protect their network. This is why the organizations that are commonly targeted do not share samples. The intelligence gathered from previous attacks is more valuable for protecting a network than the detection of the samples. By not sharing samples, organizations protect themselves by preventing intel and indicator leakage from anti-virus companies and other third parties. With the rise of security companies joining the intel field there needs to be a more subtle way of sharing intelligence around targeted attacks. Posting analysis and intelligence publicly alerts the adversaries and devalues the intelligence.
Disclaimer:
I'm not involved in the intel community.
This isn't singling out any companies, organizations or individuals.
Don't worry, this won't be a common topic here. I'd rather write about reverse engineering and malware.
[1] Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains