Google: The APT You Have

Todd Heberlein

SANS San Francisco

Aug 2, 2012

File: pdf

"Practice, practice, practice." That should be the subtitle for this presentation, because it is about how to prepare yourself for the advanced threats that will inevitably make their way into your network. Google's software update process can serve as a good proxy for a Command & Control agent running inside your network, and this talk discusses our analysis of its activities. The presentation also looks at the history of intrusion detection in general: from the early days, when everyone did anomaly detection, and why it never caught on as it should have; to the advent of string-based matching on network connections (an early use of indicators of compromise); and back to thinking "beyond signatures", as that detection strategy seems to be failing these days.
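The idea of using a benign updater as a stand-in for a C2 agent is easiest to see with a detector that knows nothing about signatures. The following is an added example, not code from the talk or from Google: it takes constructed connection records (timestamp, source, destination, port; the addresses are documentation-range values, not real hosts) and flags any source/destination pair whose inter-arrival times are nearly constant, which is how both a software updater and a callback beacon look on the wire. The record format, the `SAMPLE_FLOWS` data, and the `max_cv` threshold are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection records (timestamp src dst dst_port); this is
# not captured traffic. 10.0.0.5 calls 203.0.113.10 every ~5 minutes, the way
# a software updater checks in; 10.0.0.7 talks to 203.0.113.20 irregularly;
# 10.0.0.9 makes only two connections, too few to judge.
SAMPLE_FLOWS = """
2012-08-02T09:00:00 10.0.0.5 203.0.113.10 443
2012-08-02T09:05:01 10.0.0.5 203.0.113.10 443
2012-08-02T09:09:59 10.0.0.5 203.0.113.10 443
2012-08-02T09:15:02 10.0.0.5 203.0.113.10 443
2012-08-02T09:20:00 10.0.0.5 203.0.113.10 443
2012-08-02T09:24:59 10.0.0.5 203.0.113.10 443
2012-08-02T09:00:00 10.0.0.7 203.0.113.20 80
2012-08-02T09:00:30 10.0.0.7 203.0.113.20 80
2012-08-02T09:06:40 10.0.0.7 203.0.113.20 80
2012-08-02T09:06:50 10.0.0.7 203.0.113.20 80
2012-08-02T09:21:40 10.0.0.7 203.0.113.20 80
2012-08-02T09:21:50 10.0.0.7 203.0.113.20 80
2012-08-02T09:03:00 10.0.0.9 203.0.113.30 443
2012-08-02T09:40:00 10.0.0.9 203.0.113.30 443
""".strip().splitlines()


def parse_flow(line):
    """Parse one 'timestamp src dst port' record into a tuple."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def beacon_score(timestamps):
    """Return (mean inter-arrival seconds, coefficient of variation).

    A low coefficient of variation (stdev / mean) means the host calls back
    on a near-fixed schedule. Needs at least three timestamps, i.e. two
    intervals; returns None when there is not enough data to judge.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None  # all events share one timestamp; regularity is undefined
    return m, pstdev(gaps) / m


def find_beacons(records, min_events=4, max_cv=0.2):
    """Group records by (src, dst, port) and keep the regular callers.

    min_events guards against judging a pair on one or two connections;
    max_cv is the regularity threshold and is a tuning knob, not a rule.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        mean_gap, cv = score
        if cv <= max_cv:
            beacons[pair] = {"count": len(stamps), "mean_interval": mean_gap, "cv": cv}
    return beacons


if __name__ == "__main__":
    records = [parse_flow(line) for line in SAMPLE_FLOWS]
    for (src, dst, port), info in find_beacons(records).items():
        print(f"{src} -> {dst}:{port} every {info['mean_interval']:.0f}s "
              f"(cv={info['cv']:.3f}, n={info['count']})")
```

Run against the constructed data, only the updater-like pair is reported, which is the point of using it as a practice target: an analyst can confirm the alert against a known-good destination, tune `max_cv` and `min_events` on real flow records, and learn what the detector misses. The caveat is that callbacks with deliberate timing jitter raise the coefficient of variation, so this check belongs alongside other anomaly features rather than standing alone.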

Download Apple's Keynote doc with animations: SANS_2012.key

