Unlike conventional antivirus software, an APT scanner doesn’t look for fragments of malicious code, but for traces of an attack – indicators of compromise (IOCs) – like in a forensic examination.
To do this, the APT scanner uses a set of rules containing the IOCs.
This set of rules is applied to various artifacts in a system (files, folder structures, running processes, RAM content, log data, etc.) to look for traces of previous and ongoing cyber attacks.
Thanks to international cooperation in the cyber defense community, new cyber attacks are constantly being analyzed. The IOCs then derived are saved as new rules in the APT scanner.
This ensures that an APT scanner becomes ever more precise over time and, unlike conventional antivirus software, has an extremely high detection rate for compromised systems.
During a cyber attack, attackers or an APT group use various tools and techniques to achieve their goals. They inevitably leave detectable traces in the compromised systems. While smart attackers can cover their tracks to some degree, they can’t remove absolutely all traces of their presence!
Indicators of compromise (IOCs) can be derived by analyzing compromised IT systems and collecting evidence.
These IOCs are added to the set of rules for the APT scanner and are used in future scans.
The APT scanner can very efficiently detect attackers using similar tools and techniques and, in doing so, substantially speed up the complex forensic investigation.
