APT！APT！

But what about all the great APT related research that you probably haven’t heard about?
Here is my personal Top 10 11:
1.The “Contagio Dump” and “Targeted Email Attacks” Blogs Mila Parkour and Lotta Danielsson-Murphy have been posting information that fuels much of the research in this area. While malicious binaries are often available for analysis, the content of the socially engineered email is often elusive. These blogs have been providing a unique insight into the realm of targeted attacks.
2.The CyberESI Blog The team at CyberESI has been posting detailed analysis (and I mean detailed) of some of the most prolific malware families. In my view, their analysis has set the bar for reverse engineering in this area.
3.Htran Joe Stewarts research on Htran was over shadowed by the ShadyRAT report but I think it was the most innovative research papers this year because it tackled the attribution problem by looking behind the source IP’s of attacks to reveal the actual location of the attackers.
4.Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains Hutchins, Cloppert, and Amin explain how to track the phases on an attack and group multiple incidents into a “campaign”. This is a must-read for anyone tracking APT.
5.“1.php” This report by Zscaler on a particular campaign thoroughly maps out and analyzes the command and control infrastructure (C&C) and presents the results in a way that is actionable for defenders. Moreover, it contains insightful commentary on information disclosure in this area.
6.APT Secrets in Asia Xecure’s presentation at this year’s BlackHat demonstrated their research in clustering malware into groups based on common attributes. I really like the clustering technology they are working on as well as the term they introduced “NAPT” (Non-Advanced Persistent Threat).
7.M-Trends This report by Mandiant is an excellent overview of the attackers’ methodology as well as remediation strategies. In addition, it contains Mandiant’s work on investigating persistence mechanisms, particularly “DLL search order hijacking.”
8.Sykipot AlienLabs documented the trends in targeting (UCAVs) surrounding the Sykipot campaign as well as exploits, malware and command and control infrastructure used by the attackers.
9.“What is an APT without a sensationalist name?” Seth Hardy’s presentation at SecTor provided a much needed critical look at the hype surrounding APT along with a detailed technical analysis of a particular malware “SharkyRAT”.
10.“Moli Hua” Greg Walton documented an attack on journalists that leveraged Facebook and an MHTML exploit for Gmail that allowed attackers to add their own email addresses as “delegated accounts”.
11.“My Lovely Wood” This paper by Frankie Li provides a detailed technical analysis of malware used in a targeted attack.

Top APT Research of 2011 (That You Probably Haven't Heard About) - TrendLabs Security Intelligence Blog