Every piece of APT [Advanced Persistent Threat] malware cataloged by MANDIANT initiated only outbound network connections. No sample listened for inbound connections. So, unless an enterprise network is specifically monitoring outbound network traffic for APT-related anomalies, it will not identify the APT malware outbound beaconing attempts. -- Wendi Rafferty writing for the Mandiant Blog
Another item worth noting: 83% of APTs used TCP port 80 or 443 (i.e., the traffic looks like normal web browser activity).

Src: M-unition » Blog Archive » M-Trends: Advanced Persistent Threat Malware
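
One way to look for the outbound beaconing described above, as an added example (not code from Mandiant or from this post): group outbound connections to TCP 80/443 by source and destination and flag pairs whose connection intervals are nearly constant. The log format, addresses and thresholds are assumptions made for the illustration.

```python
import statistics
from collections import defaultdict

WEB_PORTS = {80, 443}  # the ports the post says most APT malware used

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1000 10.0.0.5 203.0.113.10 443
1003 10.0.0.7 198.51.100.20 80
1010 10.0.0.7 198.51.100.20 80
1300 10.0.0.5 203.0.113.10 443
1450 10.0.0.7 198.51.100.20 80
1462 10.0.0.7 198.51.100.20 80
1602 10.0.0.5 203.0.113.10 443
1899 10.0.0.5 203.0.113.10 443
2201 10.0.0.5 203.0.113.10 443
2500 10.0.0.5 203.0.113.10 443
2900 10.0.0.7 198.51.100.20 80
2904 10.0.0.7 198.51.100.20 80
1000 10.0.0.8 203.0.113.99 443
1300 10.0.0.8 203.0.113.99 443
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield float(parts[0]), parts[1], parts[2], int(parts[3])

def find_beacons(text, ports=WEB_PORTS, min_events=5, max_cv=0.1):
    """Return (flow key, mean interval, CV) for suspiciously regular flows."""
    times = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port in ports:
            times[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: low means machine-like regular timing
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append((key, round(mean), round(cv, 3)))
    return sorted(hits)

if __name__ == "__main__":
    for key, mean, cv in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon {key}: every ~{mean}s (cv={cv})")
```

Malware that randomizes its check-in interval will score a higher coefficient of variation, so treat `max_cv` as a tuning knob and a hit as a lead to investigate, not a verdict.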
