RSA Admin

Advanced Persistent Threat detection

Discussion created by RSA Admin Employee on Mar 1, 2010

Curious how folks are leveraging enVision for visibility into Advanced Persistent Threats?

1. Reconnaissance

2. Intrusion into the network

3. Establishing a backdoor

4. Obtaining user credentials

5. Installing multiple utilities

6. Privilege escalation

7. Maintaining persistence

IDS and firewall logs are helpful for #1 and #2 but appear to be less helpful in the other stages.

How do folks detect connections to Command and Control sites, especially if those sites are hosted in the US (where I live)?
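One way to approach the C2 question above, shown as an added example that is not part of the original post and is not enVision's own logic: ignore where the destination is hosted and look at behaviour in your own proxy or firewall logs instead. Two signals that do not depend on geolocation are (a) a client that contacts the same host at near-constant intervals (a beacon check-in) and (b) a host that only one or two internal clients ever talk to. The log format, the host names, the client addresses and the thresholds below are assumptions chosen for the demonstration; the sample log lines are constructed.

```python
"""Beacon and rare-destination detection over constructed proxy log lines.

Added example, not from the original discussion or from enVision. The
"<ISO timestamp> <client> <dest host> <bytes>" format, the hosts and the
thresholds are assumptions for the demo; adapt parse() to your own export.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample. Client 10.0.0.5 contacts updates.example-cdn.net every
# ~5 minutes (a beacon-like pattern); the rest is irregular, shared browsing.
SAMPLE_LOG = """\
2010-03-01T09:00:00 10.0.0.5 updates.example-cdn.net 412
2010-03-01T09:00:11 10.0.0.7 www.example.com 9031
2010-03-01T09:05:02 10.0.0.5 updates.example-cdn.net 415
2010-03-01T09:06:40 10.0.0.5 www.example.com 22110
2010-03-01T09:10:01 10.0.0.5 updates.example-cdn.net 410
2010-03-01T09:12:19 10.0.0.9 www.example.com 1200
2010-03-01T09:15:03 10.0.0.5 updates.example-cdn.net 418
2010-03-01T09:17:55 10.0.0.7 mail.example.org 54000
2010-03-01T09:20:00 10.0.0.5 updates.example-cdn.net 409
2010-03-01T09:25:02 10.0.0.5 updates.example-cdn.net 411
2010-03-01T09:31:44 10.0.0.9 www.example.com 3300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse(log_text):
    """Yield (timestamp, client, dest, bytes) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, dest, nbytes = m.groups()
        yield datetime.fromisoformat(ts), client, dest, int(nbytes)


def find_beacons(log_text, min_hits=5, max_cv=0.1):
    """Return (client, dest, mean_interval_seconds) for client/dest pairs
    whose inter-request gaps are nearly constant (coefficient of variation
    <= max_cv). Regular timing betrays a check-in wherever it is hosted."""
    times = defaultdict(list)
    for ts, client, dest, _ in parse(log_text):
        times[(client, dest)].append(ts)
    results = []
    for (client, dest), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            results.append((client, dest, round(mean)))
    return results


def rare_destinations(log_text, max_clients=1):
    """Return hosts seen from at most max_clients distinct internal clients.
    A C2 host is usually contacted by one or two victims, whereas a
    legitimate service is shared across many clients."""
    clients_per_dest = defaultdict(set)
    for _, client, dest, _ in parse(log_text):
        clients_per_dest[dest].add(client)
    return sorted(d for d, c in clients_per_dest.items() if len(c) <= max_clients)


if __name__ == "__main__":
    for client, dest, period in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {client} -> {dest} every ~{period}s")
    print("rare destinations:", rare_destinations(SAMPLE_LOG))
```

On the sample, only the 10.0.0.5 to updates.example-cdn.net pair passes the beacon test, while the rare-destination pass also flags mail.example.org, which shows that rarity alone is noisy on a small estate; in practice the two lists are intersected, or the rare hosts are checked against allow-lists and registration age, before anyone is paged. Real beacons add jitter, so the max_cv threshold needs tuning against a baseline of your own traffic.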