Previous month:
December 2011
Next month:
February 2012

January 2012

A Behavioral Analysis Unit assessment of a APT unsub

The US Federal Bureau of Investigation's National Center for Analysis of Violent Crime (NCAVC) has four Behavioral Analysis Units:

  • Unit 1 deals with counterterrorism, threat assessment;
  • Unit 2 handles crimes against adults; 
  • Unit 3 investigates crimes against children; and 
  • Unit 4 manages the Violent Criminal Apprehension Program-ViCAP.

An APT Unsub Profile

If the FBI were to create an APT behavior analysis Unit (5) dedicated to assessing APT actors, and on the extraordinarily small chance that the writers of Criminal Minds were to run out of horrible, real world crimes to base scripts on, the story writers just might profile "the APT unsub" as follows:

The APT unsub is a sponsored actor. We believe his sponsor is a nation state. He has ample funding and technology at his disposal. While not necessarily the author of malicious software, we believe he has knowledge of and access to executable code that exploits common vulnerabilities. 

He combines or modifies malicious software to penetrate network defenses, compromise hosts, monitor activity or exfiltrate information. The APT unsub's activities can persist without detection for long periods of time. He targets military, commercial, government, or critical infrastructure facilities and networks. The APT unsub deliberately seeks out and collects information that can offer a military, commercial, or similarly highly valued advantage for his sponsor. 

Photo by PopCultureGeek

He is patient and meticulous, willing to sift through and correlate information fromsurveillance conducted across many hosts over long periods of time.

 The APT unsub studies targets carefully before acting. He is skilled at disguising his intent. Through social engineering initiated via electronic mail, the unsub manipulates individuals within a targeted organization or agency by instilling such fear or uncertainty that the individual acts in haste and in so doing, introduces an infection that is designe to spread across the infected indvidual's network. Malicious code operating on the infected computers are remotely controlled and directed by the unsub to look for information of interest to the unsub's sponsors. This is not a single attack but an occupation.

Unit 5 would next explain what the investigating parties should look for as they pursue the unsub.

Photo by Christophe Verdier

Look for unusual traffic patterns on your networks. Client computers that usually generate "request traffic" outbound may begin to generate "response traffic", typically of much larger volume and most likely encrypted. Devices on your network may receive login requests from unauthorized systems. New application traffic and executing processes associated with remote control protocols may appear in event logs on your client computers. Your client computers may begin to resolve domain names using resolvers that are unfamiliar or unauthorized. Remember. You're looking for new or different activity: any network or host operating behavior that is "never before seen" should be carefully examined for possible malicious intent.

Lastly, Unit 5 might act in the interest of public safety by attempting to inform the public.

While we are taking measures to identify and apprehend the perpetrators, we advise the public to become familiar with the APT unsub and the threat he poses. Most importantly be vigilant in monitoring for signs of this threat. We are circulating a handout that summarizes what we've discussed here. The handout recommends measures you should implement to mitigate the threat this unsub poses.

The handout would look remarkably similar to Mitigation Guidelines for Advanced Persistent Threats.