Chasing APTs: How a Hunt Evolves
Last week Infocyte was doing a product demo for a partner who wants to do compromise assessments (like these guys). They chose an existing client to do a limited scan using our product, selecting a handful of systems… and we found something interesting.
Now that’s not the interesting part; we find things all the time. In fact, more than half of the organizations our product is run on (i.e. in compromise assessments) have some unauthorized or malicious code in their network. The interesting part here was the evolution of this particular assessment and the follow-on incident response engagement, plus the fact that they didn’t ask for privacy or an NDA (which we usually get), so I get to talk about it (which I usually can’t).
As with many incident response engagements, this one was full of audible facepalms, raised eyebrows, excitement, and then deflation… all in about a 4-hour period.