The Making of “The Advanced Persistent Threat You Have: Google Chrome”

Google’s software update system can serve as a model Advanced Persistent Threat (APT). APTs often embed programs in a penetrated system. These programs wake up from time to time, call home, download additional programs and instructions to carry out, and modify systems. Google’s software update performs all these steps too. Furthermore, because the Google Chrome browser is so widely used and updated so frequently, Google’s update process provides analysts ample opportunity to test their data sources, tools, and skills for their ability to detect and reconstruct the “attack”. The paper “The Advanced Persistent Threat You Have: Google Chrome” made the claim that if the analyst could not perform the analysis of Google’s update system, they were probably not prepared for malicious APTs. The paper then provided a partial reconstruction of the update activity. This paper describes how the analysis in that first paper was performed. It describes the computer system, data collection, and analysis tool. It then shows how the tool and data were used to reconstruct the “attack”.