Paranoia in APT Land posted by Rick Howard

I just visited the US International Trade Commission. They invited me to discuss what iDefense knows about intellectual property theft in cyberspace; in other words, what is going on with the "Advanced Persistent Threat" (APT)? Just this past year, it seems like the APT acronym has really emerged as the catch-phrase for the security industry. We used to call this activity "cyber espionage." I guess old-timers like me still call it that, but the cool kids call it APT.

This year there have been three very public demonstrations of large APT-styled attacks: Google, the Indian Government and the US Oil Industry. iDefense sources tell us that the actual target numbers, the ones that are not being reported, are in the thousands. The point I am trying to make is that, thanks to Google going public with its incident, a lot of organizations are now aware of this style of threat. They were ignorant about it before and didn't understand that these kinds of activities have really been going on for the past decade.


That's the good news. The more people that understand the threat, the better we can all protect our enterprises. The bad news is that there is not a lot of consensus about what we are supposed to do about it.

Some of my friends jump right to detection. They think the most important thing you can do to defend yourself against the APT is to detect and eradicate the activity on your network. I don't disagree that we all should be doing that, but I would like to make an argument for putting some significant effort into prevention. If it is true that the number of victims that have been penetrated by some APT group is in the thousands, shouldn't we pretty much assume that we can all be had by these players and that we all might have something useful that they want? If thousands of victims exist, doesn't that mean that our traditional cyber security defenses are not working?

Off the top of my head, here are some things network defenders should consider. Assuming that some APT organization is attacking your enterprise, what do they want? Two things come to mind: they want the secret sauce that makes your company unique and they want leverage in any contract deal that is currently underway. To protect both of these "crown jewels," here is a list of things I would add to my standard network defenses:

1. Physical separation between the corporate network, the secret sauce, any Merger & Acquisition (M&A) groups and any contract deals. I would go as far as physically separating each contract group and M&A group into its own network. Defend the walls of these networks rigorously.

2. Ruthlessly enforce the "Need to Know" rule for each separate network. If you do not need to know about an M&A deal, you don't get into that network.

3. Encrypt everything in transit and at rest. This includes data on your smartphone.

4. If you are traveling in foreign countries, use throw-away laptops and phones (you still have to encrypt them, though).

5. Label all documents and e-mail with the appropriate data classification. Do not allow designated classifications out of each separate network. For the exceptionally paranoid, install beacons in all documents: small snippets of code layered into headers or footers that call home every time a user opens them.
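Items 1, 2 and 5 together describe an egress rule: each separated network has a short list of classifications that may leave it, and anything else stays inside. The following is an added example, not code from the post or from iDefense, of how a mail or file gateway could enforce that rule from the classification label stamped in a document's header or footer. The label names, network names and the `Classification:` line format are assumptions made for this example; the sample documents are constructed. Unlabeled documents and unknown networks are blocked rather than passed, since the whole point of the labeling step is that nothing unclassified should be crossing the wall.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Classification labels stamped on every document and e-mail (assumed names).
KNOWN_LABELS = frozenset({
    "PUBLIC", "INTERNAL", "SECRET-SAUCE", "M&A-CONFIDENTIAL", "CONTRACT-CONFIDENTIAL",
})

# Per-network egress policy: which labels may leave each physically separated
# network. Network names are hypothetical; the corporate network may send
# ordinary internal traffic out, the deal and secret-sauce networks only PUBLIC.
EGRESS_POLICY = {
    "corporate":        frozenset({"PUBLIC", "INTERNAL"}),
    "secret-sauce":     frozenset({"PUBLIC"}),
    "mna-deal-1":       frozenset({"PUBLIC"}),
    "contract-group-a": frozenset({"PUBLIC"}),
}

# A label line as assumed to appear in the document header or footer,
# e.g. "Classification: M&A-CONFIDENTIAL".
LABEL_RE = re.compile(r"^[ \t]*Classification:[ \t]*([A-Z&\-]+)[ \t]*$", re.MULTILINE)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    labels: FrozenSet[str]
    reason: str


def extract_labels(text: str) -> FrozenSet[str]:
    """Collect every classification label found in the document text."""
    return frozenset(m.group(1) for m in LABEL_RE.finditer(text))


def egress_decision(text: str, source_network: str) -> Decision:
    """Decide whether a document may leave source_network.

    Fails closed: unknown networks, unlabeled documents and unrecognised
    labels are all blocked, so a missing or mistyped stamp never becomes a leak.
    """
    labels = extract_labels(text)
    permitted: Optional[FrozenSet[str]] = EGRESS_POLICY.get(source_network)
    if permitted is None:
        return Decision(False, labels, f"unknown source network {source_network!r}")
    if not labels:
        return Decision(False, labels, "unlabeled document; blocked by default")
    unknown = labels - KNOWN_LABELS
    if unknown:
        return Decision(False, labels, f"unrecognised label(s) {sorted(unknown)}")
    blocked = labels - permitted
    if blocked:
        return Decision(False, labels,
                        f"label(s) {sorted(blocked)} may not leave {source_network}")
    return Decision(True, labels, "all labels permitted to leave this network")


# Constructed sample documents for the example.
DEAL_MEMO = """Classification: M&A-CONFIDENTIAL
To: deal team
Valuation notes for the pending acquisition.
Classification: M&A-CONFIDENTIAL
"""

PRESS_RELEASE = """Classification: PUBLIC
Company announces new product line.
"""

UNLABELED_NOTE = "Quick reminder: the board meets Thursday.\n"

if __name__ == "__main__":
    for name, doc, net in [("deal memo", DEAL_MEMO, "mna-deal-1"),
                           ("press release", PRESS_RELEASE, "mna-deal-1"),
                           ("unlabeled note", UNLABELED_NOTE, "corporate")]:
        d = egress_decision(doc, net)
        print(f"{name:14} from {net:17} -> {'ALLOW' if d.allowed else 'BLOCK'}: {d.reason}")
```

The decision carries its reason so the gateway can log it; a block on a deal network is exactly the event a defender wants surfaced, since it is either a user mistake or an attempt to move the crown jewels.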

I know these remedies are not as sexy as catching the APT groups in the act. Sometimes, the least sexy remedies are the most effective. In addition, I'll admit, these remedies seem a little paranoid; however, if the victim list is in the thousands, isn't it time to be a little paranoid?