APT ... doesn't matter
I've done Proof of Concepts of Breach Detection Systems (BDS) or security audits in many companies, and most of them wished I would find nearly nothing. The more time I had for hunting, the more security issues I found. A security mindset (the capability of generating attacks, not just detecting them) is absolutely essential. But the most important thing for finding any kind of APT was always just time. I will try to show you what I was trying to find at customer networks and how, what to focus on, and what kind of tools have been used. For example, what capabilities a sandbox has to have. What functionalities a BDS needs to have to find some kind of APT, which nearly always exists in a network but is hidden from the customer. What is necessary to have on the network and endpoint layer for a basic forensic investigation of a typical malware incident. Forensic investigation is the most knowledge- and time-intensive of all the things a company needs to do after the wake-up call from real APT findings. Why 0-day filters are really important in any IPS system, in other words protection against attacks for which no patch exists yet for a specific vulnerability. Why a trained ethical hacker is still much better than any kind of artificial (automatic) intelligence. With the growing number of vulnerabilities every year, migration to THE CLOUD, encryption of EVERYTHING (even BBC.COM), and new protocols like TLS 1.3, catching the bad guys is more and more difficult. Better fun it is! We say, if you like it, you are doing it right. And security is something you should like a lot! For your own sake…
Robin Bay
Diploma Thesis: Securing Distributed Peer-2-peer file system (the word CLOUD did not exist in those times). Worked in 3 companies within 20 years, always as a Security Engineer. Mostly working with products like Hardware Security Modules, authentication products, link encryptors, certification authorities, IDS/IPS, sandboxing, securing cloud, auditing firewalls, etc. Last 3 years working for Trend Micro, mainly securing data centers, cloud apps/servers, auditing networks with Breach Detection Systems and others. Dream: Forensic Investigator.