All,
Due to recent events, my company wants to expand LEM to notify our team when Advanced Persistent Threats (APTs)/Trojan-Ransom infect our network. Reading the following links gives a good high-level overview:
Handling Cybersecurity Threats
https://thwack.solarwinds.com/community/solarwinds-community/geek-speak_tht/blog/2013/05/13/handling-cybersecurity-threats
Cybercriminals infiltrate banks! Hundreds of Millions Lost! Lessons for the rest of us
https://thwack.solarwinds.com/community/solarwinds-community/geek-speak_tht/blog/2015/02/17/cybercriminals-infiltrate-banks-hundreds-of-millions-lost-lessons-for-the-rest-of-us
What is an APT?
https://thwack.solarwinds.com/docs/DOC-176021
Cybersecurity – A Practical Approach to Actionable Intelligence
http://web.swcdn.net/creative/pdf/Whitepapers/WP_FED_Cybersecurity-A_Practical_Approach_to_Actionable_Intelligence.pdf
However, I am looking for a more detailed guideline. While I clearly understand that each APT/Trojan could operate differently, I am looking for a more granular guideline or whitepaper on setting up LEM to notify my group that an APT is on the network. After I installed LEM, I watched the following great video posted by Nicole Pauls! Her video really helped. Is there one for setting up LEM to detect APTs? Or are there other guidelines/white papers on setting up this listed feature of LEM?
Thank you,
T.J.
Check out the rules that came with LEM; some of them (especially the ones in the Security section) are oriented towards detecting APTs, for instance SQL injection.
I would like to hear opinions on this from advanced users as well; they might have something more important to share on this matter.
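To make the reply above concrete, here is an added example (written for this thread, not LEM's own rule logic or any SolarWinds code) of what a "SQL injection" correlation rule of the kind mentioned does: it parses a few constructed web-server access log lines, URL-decodes the request path, matches it against a small set of injection signatures, and only raises an alert when one source address trips the signatures at least `threshold` times within a time window. The log lines, the signature patterns, the threshold and the 60-second window are all assumptions chosen for the illustration; a real SIEM rule would run over normalized events from its connectors and use vendor-maintained signature content.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Combined Log Format style); not from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2015:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2015:10:01:07 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8123
10.0.0.9 - - [01/Mar/2015:10:01:09 +0000] "GET /products?id=42%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 500 231
10.0.0.7 - - [01/Mar/2015:10:02:15 +0000] "POST /login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed signature set: a minimal stand-in for a SIEM's SQL-injection rule content.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete)\b", re.IGNORECASE),
}


def parse_line(line):
    """Parse one access-log line into a dict, decoding the request path so
    percent-encoded payloads are matched in their decoded form."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = unquote_plus(rec["path"])
    return rec


def match_sqli(decoded_path):
    """Return the names of all signatures that match the decoded path."""
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded_path)]


def evaluate_rule(log_text, threshold=2, window=timedelta(seconds=60)):
    """Correlation rule: alert once per source IP that produces at least
    `threshold` signature hits inside any sliding `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not match_sqli(rec["path"]):
            continue
        hits[rec["src"]].append(datetime.strptime(rec["ts"], TS_FORMAT))

    alerts = []
    for src, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until all hits fit in `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({"source": src, "hits": count,
                               "first": times[start], "last": t})
                break  # one alert per source is enough for the notification
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_LOG):
        print(f"ALERT possible SQL injection from {alert['source']}: "
              f"{alert['hits']} hits between {alert['first']} and {alert['last']}")
```

Two design points are worth noting when comparing this with a shipped rule: matching happens on the decoded path, because an encoded `%27` would otherwise slip past a signature written for `'`; and the threshold-within-window condition is what keeps a single noisy scanner request from paging the team, while still firing on a short burst from one address.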
Rufat87,
Thanks for the tip!