Martin Lee Symantec.cloud
Daren Lewis Symantec.cloud
The advanced persistent threat is one of the most difficult challenges faced by the anti-virus community. These highly sophisticated, low copy number attacks are distinguishable from high copy number malware sent over email, but they remain tricky to detect. Although such attacks are often talked about, they nevertheless remain exceedingly rare when compared with the ubiquity of other malware attacks.
However, for some individuals and organizations, receiving advanced persistent threat malware over email is a frequent occurrence. Presumably these targets represent a valuable quarry to their attackers. Current research in advanced persistent threats tends to examine each attack in isolation rather than the broader pattern of activity.
In this paper we show that, by using an undirected graph, it is possible to associate attacks according to the targets shared between distinct attacks. From this information it is possible to build a map of advanced persistent threat activity and identify clusters that may represent the activities of single teams of malware writers.
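The construction described in the abstract, as an added example that is not the authors' code: each attack is a node, two attacks are joined by an undirected edge when they share at least one targeted recipient, and the connected components of that graph are the candidate clusters. The attack identifiers, recipient addresses and the `min_shared` threshold are constructed assumptions for illustration; the threshold is added here because a single recipient that receives every campaign (a catch-all or public mailbox) would otherwise join unrelated attacks into one cluster. The example also reports which recipients appear in more than one attack, the "frequently targeted" population the second paragraph describes.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: attack id -> set of recipient identifiers it was sent to.
# These are hypothetical values for illustration, not data from the paper.
ATTACKS = {
    "attack-A": {"cfo@example.org", "legal@example.org"},
    "attack-B": {"legal@example.org", "hr@example.org"},
    "attack-C": {"hr@example.org"},
    "attack-D": {"ceo@other.example", "cto@other.example"},
    "attack-E": {"cto@other.example"},
    "attack-F": {"press@third.example"},
}


def index_by_target(attacks):
    """Invert the attack->targets mapping into target->attacks (an inverted index).
    This makes edge construction linear in the number of (target, attack) pairs
    rather than quadratic in the number of attacks."""
    by_target = defaultdict(set)
    for attack_id, targets in attacks.items():
        for target in targets:
            by_target[target].add(attack_id)
    return by_target


def build_graph(attacks, min_shared=1):
    """Return an undirected weighted graph as {attack: {neighbour: shared_count}}.
    An edge exists when two attacks share at least `min_shared` recipients;
    the weight is the number of recipients they share."""
    shared_counts = defaultdict(int)
    for target, hit_by in index_by_target(attacks).items():
        # every pair of attacks that hit this recipient shares it
        for a, b in combinations(sorted(hit_by), 2):
            shared_counts[(a, b)] += 1

    graph = {attack_id: {} for attack_id in attacks}
    for (a, b), count in shared_counts.items():
        if count >= min_shared:
            graph[a][b] = count
            graph[b][a] = count
    return graph


def connected_components(graph):
    """Iterative depth-first search over the adjacency dict; each component is
    one cluster of attacks linked (directly or transitively) by shared targets."""
    seen = set()
    components = []
    for start in graph:
        if start in seen:
            continue
        component = set()
        stack = [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(n for n in graph[node] if n not in seen)
        components.append(frozenset(component))
    # largest clusters first, ties broken by name for a stable ordering
    return sorted(components, key=lambda c: (-len(c), sorted(c)))


def frequently_targeted(attacks, min_attacks=2):
    """Recipients that appear in at least `min_attacks` distinct attacks."""
    by_target = index_by_target(attacks)
    return {t: len(hit_by) for t, hit_by in by_target.items() if len(hit_by) >= min_attacks}


if __name__ == "__main__":
    g = build_graph(ATTACKS)
    for i, cluster in enumerate(connected_components(g), 1):
        print(f"cluster {i}: {sorted(cluster)}")
    print("recipients hit by more than one attack:", frequently_targeted(ATTACKS))
```

With the constructed data this yields three clusters: attacks A, B and C chain together through the shared `legal@` and `hr@` recipients, D and E share `cto@`, and F stands alone. Raising `min_shared` to 2 removes every edge in this small sample, which is the intended behaviour when a single shared recipient is too weak a signal to treat two attacks as related.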