Endpoint Protection

  • 1.  Can SEP 12.1 detect attacks from the Grizzly Steppe campaign?

    Posted Dec 30, 2016 11:30 AM

    Can SEP 12.1 detect attacks from the Grizzly Steppe campaign?



  • 2.  RE: Can SEP 12.1 detect attacks from the Grizzly Steppe campaign?

    Posted Dec 30, 2016 11:36 AM

    I have not yet seen a blog/response from their Security Response group. Not to say that they cannot detect it but there is nothing publicly available yet.

    You may want to open a support ticket for verification. I expect something public soon though.

    You should also look into implementing the recommendations by DHS, if you have not already done so.



  • 3.  RE: Can SEP 12.1 detect attacks from the Grizzly Steppe campaign?

    Posted Dec 30, 2016 01:35 PM

    Since the release of the report I bet all vendors can block the known samples from the Grizzly campaign. The problem is the unknown 0-day malware that we have not seen. It is highly unlikely that the samples listed in the report were ever reused.

    To block the new threats you need SEP 14 and the new machine learning capabilities.

    Symantec ATP:Endpoint would most likely also detect and flag these files as "targeted" attacks.

    https://www.symantec.com/content/dam/symantec/docs/data-sheets/atp-endpoint-en.pdf



  • 4.  RE: Can SEP 12.1 detect attacks from the Grizzly Steppe campaign?

    Posted Jan 03, 2017 05:22 AM

    Hi ed16,

    Symantec is aware of the Joint Analysis Report:

    GRIZZLY STEPPE – Russian Malicious Cyber Activity
    https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

    Detection is in place for all samples listed in the IoC. Detection names include PHP.Backdoor.Trojan, Trojan.Cozer.B and Trojan.Contwoo. We are continuing to monitor the activities of the APT groups involved and will continue to update signatures in response to any new samples discovered.

    Please take measures to ensure that your organization has robust defenses against these groups and other threats!

    Symantec Endpoint Protection – Best Practices
    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Advanced Persistent Threats: How They Work
    https://www.symantec.com/theme.jsp?themeid=apt-infographic-1

    With thanks and best regards,

    Mick