Incident response security plans for advanced persistent threat

Dealing with advanced persistent threat (APT) presents unique challenges. Learn how an incident repsonse program can save your enterprise from APT.

Download the full interview

Download the full interview on advanced persistent threat with Michael Malin and Dave Merkel as an MP3.
This short Q&A is an excerpt of a recent podcast interview with Michael Malin, Executive VP and CFO for MANDIANT Corp., and Dave Merkel, VP of Products for MANDIANT Corp., focusing on advanced persistent threat and incident response security.

What can enterprises do to proactively defend against advanced persistent threat (APT)? What about after the APT has already struck?

Dave Merkel: That's a tough one. Let me describe what things I'm sure don't work: If your information security program is purely compliance-based, and you're trying to mark off checkmarks on some criteria from some entity, you're probably not going to be able to stop this kind of attacker. If you don't have a qualitative aspect to your security program with good, strong technologists managing that infrastructure and trying to improve it on an ongoing basis, if you find yourself talking about investing in prevention and detection so you never have to worry about response, you are a prime target and are probably going to have issues.

We find companies are most successful dealing with this kind of attack understand what level of security they actually get from their infrastructure, and therefore remain vigilant for the right kinds of things after the fact. How many companies buy an IDS and let it run and never look at the logs or think about analyzing the data, aren't doing any critical thinking about the information that their systems generate and they receive? That's pretty common.

We find companies that have been highly targeted. We've seen a lot of APT activity in the defense industrial base, understandably so, and look how that community now works: They share information between each other, they actively discuss the threats, they actively look for new streams of intelligence, and they are vigilant in their infrastructure, understanding that there's only so much stuff you can prevent outright. That mindset is exactly what you have to have to be successful in managing -- as you can never have perfect prevention with this kind of attack group -- [this risk] on an ongoing basis, like you would any other risk. Those companies are doing good things.

Mike Malin: And I think one of the things we also do, regardless of the APT, is deal with incident response. If APT has struck, ... some of the basics that we talk about are: Don't panic, Observe and act, Define the win. [Which means:] What do you truly want to accomplish with this reconnaissance? Is it at a micro-level of your enterprise, or do you actually want to scan the entire enterprise and really get a scope of what you're trying to do? And then lastly, back to basics: There is a lot to be said for having a robust security portfolio. ... What we're seeing is, you'd better be able to respond, because odds are, you're compromised.


This was first published in June 2010

Dig deeper on Emerging Information Security Threats

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close