Following Symantec’s discovery of Strider, a previously unknown cyberesionage group, security experts commented below.

Leo Taddeo, Chief Security Officer at Cryptzone:

LeoTaddeo“The report issued by Symantec shows the benefits of sharing cyber threat intelligence.  By linking the behavior and characteristics of the malware deployed by the Strider group to previous malware examples deployed by Flamer, cybersecurity professionals are armed with more insights into the targets and tactics of their APT adversaries.  The Symantec report, however, also reveals that information sharing is not enough.  The four- year-interval between the discovery of Flame and Strider, a related tool, highlights the difficulty in uncovering stealthy APT activity.

“As the Symantec report states, the Strider malware contains a number of stealth features that allow it to avoid detection. Network defenders who rely heavily on detection remain one step behind in the cat and mouse game played by APT adversaries.

“More needs to be done to harden the interior.  The stealthy APT malware deployed by Flamer, Strider and others all appear to have at least one trait in common.  They each take control of an infected computer and use it to move laterally across the network  A proven countermeasure against this critical attack stage is microsegmentation.  Effective segmentation limits what the adversary can see and where he can go once inside the network.  This makes it harder for APTs to conduct reconnaissance, move laterally, and escalate privileges.  It also requires the APT to deploy more complex malware and take more steps within a network to achieve its objectives.  This gives detection tools more opportunities to spot anomalous code and behavior and raise an alert.”

Alex Mathews, Technical Manager EMEA at Positive Technologies:  

Alex Mathews“Many breaches and compromises that we hear about from the news headlines are often related to the tactical operations domain with a predefined scope. It could be cybercriminals who have stolen money from the banks, or defaced websites, or acquired leaked email and credentials.

“This case is definitely related to the strategic one where the actor was able to update operations scopes many times after it was launched. Total critical infrastructure assets’ compromises (including Domain Controllers and commonly used security tools such as AV and AV Management consoles) are often signs of such attacks.

“The actor deployed Low and Slow Strategy, and remained undetected for five years. According to Tools and Tactics and Procedures (TTPs), the actor spent a lot of resources during the preparation stage, that’s why due to possible aftereffects and consequences of detection, only high-profile and valuable victims were targeted.

“This also means that there are no reasons to use such a sophisticated arsenal against individual users, unless they are employed by high-profile organizations.

“Mitigation strategy and detection approach should rely on the fact that the actor watching you and your protection tools don’t work in the reliable manner. The knowledge of your own infrastructure specifics, customized tools for passive detection and forensics, along with the strong team of capable security experts who can proactively find possible attacks’ surfaces and vectors, detect and hunt suspicious host and network activity, are key how to combat sophisticated threats.”