funsec mailing list archives

Re: APT definition


From: rackow () mcs anl gov
Date: Mon, 11 Apr 2011 21:45:51 -0500

security curmudgeon made the following keystrokes:

As is "persistent"... sending a couple PDFs to employees over a one day
period got the foot in the door of RSA. That is not "persistent" as far as
anything I have seen or done.

There are 2 ways this is persistent.
1st, they keep trying to get a foothold onto the victim's machine.  Sending
the PDF is just one attempt.  How many infected web ads were stopped?  How
many "over quota" emails didn't succeed?  Just because they indicated
it was yet another hole in Adobe that allowed them to get on does not mean
they didn't have hundreds of other attempts.

Next, and more importantly, once they got that foothold they kept it.  From
the stories out there, once they got the user level desktop they kept a
good hold on that system as they searched around until they found machines
or users with more and more access until they finally got the keys
to the kingdom.

I would hope that RSA is taking a serious look everywhere to see
what bits may have been left behind and where.  Nothing like finding
another timebomb custom backdoor malware package set to go off in
several months to make one realize what persistent really means.

The PDF wasn't infected with the ultimate in "Skynet" code that was
smart enough to take over the world all by itself.

--Gene
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.