
This question about Advanced Persistent Threats (APT) was posted by Rich Mogull on twitter. I copied it here because I'm curious too.

Rich posted these follow-up tweets:

And by APT I mean real APT.... China specific stuff.
Netwitness/Mandiant/HBGary type stuff.
Really specialize in this. Most of what I've seen is very custom.

nealmcb
Tate Hansen

  • Original twitter post is: http://twitter.com/#!/rmogull/status/22019761063854082 – Steve Jan 03 '11 at 22:06
  • Perhaps amending "dealing with APT" to "dealing with the possibility of APT" would qualify more answers--it's my understanding that most security professionals who are actually dealing with APT have some very strong NDAs about it. – user502 Jan 04 '11 at 15:19
  • The APT I know is Automatic Programmed Tool - What does this acronym stand for? – Dave Jan 04 '11 at 17:08
  • I'm guessing, like user502 there, that people really doing this work can't talk about it, due to NDAs or something stronger. Dave, he's talking about the Advanced Persistent Threat (http://en.wikipedia.org/wiki/Advanced_Persistent_Threat). – Bill Weiss Jan 04 '11 at 23:04
  • I know the bits I have done in the past on this, but am interested in anything that can be disclosed, under an anonymous user ID if need be. Popped a wee bounty up to see if it will spur anyone on. – Rory Alsop Jan 06 '11 at 00:13
  • Can the question be edited to explain the terms a little more? There is no twitter URL or quote in the question and it is all abbreviations. Should I (we) know these abbreviations? I might be the only one confused, but I doubt it. – Bradley Kreider Jan 09 '11 at 09:17

3 Answers

Due to the sensitive nature of APT and that it is closely aligned to espionage, the only real way to get a suitable feed will be through Government or National Law Enforcement agencies.

The difficulty will be in establishing a level of trust to enable the sharing of information.

For organisations within the USA, the advice is to contact your local FBI field office and arrange for a threat briefing on the subject.

For organisations within the UK, making contact with CPNI (Centre for the Protection of National Infrastructure) would be the best option. CPNI hold a number of industry-specific 'Information Exchange' forums that may be of help. However, it is worth noting that CPNI has a focus on the critical national infrastructure for the UK, and if your organisation falls outside of this, it may impact on access to that.

David Stubley

I don't know whether they have specific SIEM/IDS feeds, but a good intelligence source historically has been iDefense (now part of Verisign - http://labs.idefense.com/).

Historically (prior to the security research they're more well known for now) iDefense were a commercial intelligence organisation, and spent a lot of time tracking organised crime and malware groups on behalf of their clients.

Justin Clarke

Post HBGary getting owned, it appears that endgames.us offers these services.

Personally, I would go with combining DShield with SHODAN data and start building your own.

atdre