Chasing APTs: How a Hunt Evolves

Last week Infocyte was doing a product demo for a partner who wants to do compromise assessments (like these guys). They chose an existing client to do a limited scan using our product, selecting a handful of systems... and we found something interesting.

Now that's not the interesting part; we find things all the time. In fact, more than half of organizations that our product is run on (i.e. compromise assessments) have some unauthorized or malicious code in their network. The interesting part here was the evolution of this particular assessment and follow on incident response engagement + the fact that they didn't ask for privacy or an NDA (which we usually do), so I get to talk about it (which I usually don't).

As with many incident response engagements, this one was full of audible facepalms, raised eyebrows, excitement, and then deflation... all in about a 4 hour period.

Read the full post on CEO Chris Gerritz's blog Good Hunting