Saturday, February 06, 2010

APT Presentation from July 2008

Some of you may remember me mentioning the 2008 SANS WhatWorks in Incident Response and Forensic Solutions Summit organized by Rob Lee. I provided the keynote and really enjoyed listening to the presentations, which Rob has graciously made available at One of the presentations, by Mandiant consultant Wendi Rafferty and then-Mandiant consultant (now GE-CIRT incident handler) Ken Bradley, was titled Slaying the Red Dragon.

As you can see from the first two slides shown at left, this presentation explicitly addressed the advanced persistent threat. I didn't mention it originally because it discusses a specific attack vector. However, it's been over 18 months since the presentation was given. Therefore, to show that APT is "not a new term" and also to share some technical insights, I thought it acceptable to advertise this presentation.

By the way, the presentations from the 2009 event are posted at

I'm sure we will discuss this topic at the 2010 Incident Response Summit and the 2010 Incident Detection Summit.


Keydet89 said...


I remember attending the presentation, as well as the discussions afterward. There's nothing beyond the title of the presentation that mentions "Red Dragon" and nothing specific in the presentation that points to China.

Further, slide 19 points to a Registry artifact that, to me, looks like a mistake or something that went wrong. I mean, really...wouldn't HKLM\SYSTEM\CurrentControlSet\helloworld\ stand out to most as "odd"? I'm sorry, maybe I've been snowed in for too long...I just don't see how this is "advanced".

Don't get me wrong here...I'm not criticizing APT or anything related to it. I'm simply asking questions to get an understanding. I'm not a critic, and I'm trying to avoid the "two dimensional thinking" mentioned in a previous post.

Can you tell me what the presentation had to do with China beyond the second slide?

Thanks...I greatly appreciate your time and effort in this...

Wendi said...


Thanks for the questions! I wanted to take the opportunity to answer your question regarding the registry artifact HKLM\SYSTEM\CurrentControlSet\helloworld\ listed in slide 19. The artifact listed was an example used to illustrate one type of data we recommend keeping in an indicator database. It was not related to any APT case we investigated nor is it indicative, as you highlighted, of the types of malware naming conventions typically utilized by APT attackers. We just made it up (and all the other data on slide 19) as an example for the slide.

The case study regarding VPN subversion, however, is APT related, and was used to articulate the types of techniques used by APT attackers.

Keydet89 said...


Thanks. That's kind of surprising, really.

Can you provide some insight as to how the rest of the presentation, beyond slide 2, applies to China?

Thanks, and I hope you're enjoying the snow as much as I am!

Nick Harbour said...


If you're expecting the presentation to contain "proof" that links the attacks we describe to China then you're going to be disappointed. So I will state that the presentation is a case study of a specific attack from a particularly tenacious set of actors from China that we have been following for the last 4 years through various government and defense contractors, and you can believe me or disbelieve as you wish.

With that being said, to answer your question of how the slides relate to China I would remind you that it is primarily a case study of a specific Chinese attack along with our general recommendations for mounting an effective resistance.

Slide 7: This describes the history of egress techniques found in the malware used by the APT group. It explains how their techniques adapted only when our countermeasures improved.

Slide 8: We address here the game of "whack-a-mole" which is the ineffective knee-jerk remediation strategies employed by most victim organizations when they first deal with the APT. Specifically, in the case we are talking about we were playing whack-a-mole and lost track of the bad guys.

Slide 9: Why did we lose track of them? Did they stop (nah), did their egress method improve beyond our monitoring capability (yeah).

Slide 10: Describing VPNs in the enterprise (animated slide). Building up to the fact that APT attackers began subverting the VPN client to egress from remote employees' cable modems.

Slide 11: Describes the MO of the attacker along with specific command line examples for installing the VPN subversion tools.

Slides 15-17: Describe specific security areas that need to take priority. Might seem obvious to some but you have to remember there are still a lot of people that start deploying honeypots and other nonsense. Also addresses the need for a capability to search for indicators of compromise.

Slide 18: States the need to formalize your indicator tracking process. I still to this day know very few organizations that do this well and it is CRITICAL to handling an incident of APT scale.

Slide 19: an example indicator tracking spreadsheet. A primitive relic compared to what we now use at Mandiant, but a good first start for any company. Not actual APT indicators as mentioned in the first couple slides.

Slides 21-end: Might seem like general security recommendations but again, the reaction of most organizations is to just "remove the virus" so it is worth restating that blocking and hindering the lateral movement of the attackers is worthy of your attention.
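An indicator database of the kind slides 18 and 19 argue for, with a sweep that checks host observations against it, as an added example that is not from the presentation or from Mandiant. The registry key is the made-up example from slide 19; the case labels, domain and filename are constructed here, and the folding of ControlSet001-style names into CurrentControlSet is the edge case an offline hive export tends to hit.

```python
# Added example (not from the slides or from Mandiant): a minimal indicator
# database plus a sweep, in the spirit of "formalize your indicator tracking".
# The registry key is the made-up example from slide 19; other values are
# constructed for this example.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    ioc_type: str  # "registry_key", "domain", "filename"
    value: str
    case: str      # which investigation produced it (constructed labels)
    note: str = ""


def normalize(ioc_type: str, value: str) -> str:
    """Canonical form so equivalent spellings of one artifact compare equal."""
    v = value.strip().lower()
    if ioc_type == "registry_key":
        v = v.rstrip("\\")
        v = re.sub(r"^hklm\\", "hkey_local_machine\\\\", v)
        # Offline hive exports name the control set explicitly (ControlSet001);
        # a live system shows the CurrentControlSet alias. Fold them together.
        v = re.sub(r"\\controlset\d{3}\\", "\\\\currentcontrolset\\\\", v)
    return v


class IndicatorDB:
    def __init__(self) -> None:
        self._index = {}  # (ioc_type, normalized value) -> Indicator

    def add(self, ind: Indicator) -> None:
        self._index[(ind.ioc_type, normalize(ind.ioc_type, ind.value))] = ind

    def lookup(self, ioc_type: str, observed: str):
        return self._index.get((ioc_type, normalize(ioc_type, observed)))

    def sweep(self, host: str, observations):
        """Return (host, type, observed value, case) for each observation
        that matches a tracked indicator."""
        hits = []
        for ioc_type, value in observations:
            ind = self.lookup(ioc_type, value)
            if ind is not None:
                hits.append((host, ioc_type, value, ind.case))
        return hits


def demo_db() -> IndicatorDB:
    db = IndicatorDB()
    db.add(Indicator("registry_key", "HKLM\\SYSTEM\\CurrentControlSet\\helloworld\\",
                     "slide-19-example", "illustrative key from the slide"))
    db.add(Indicator("domain", "update.example.invalid", "CASE-0001"))  # constructed
    db.add(Indicator("filename", "vpnhelper.dll", "CASE-0001"))          # constructed
    return db
```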

Keydet89 said...


If you're expecting the presentation to contain "proof" that links the attacks we describe to china then you're going to be disappointed.

Not to put too fine a point on it, but I never asked for proof of anything, just looking for some insight...which you've provided, thanks.

I and others had the same question at the time.