What can enterprises do to proactively defend against advanced persistent threat (APT)? What about after the APT has already struck?
Dave Merkel: That's a tough one. Let me describe what things I'm sure don't work: If your information security program is purely compliance-based, and you're trying to mark off checkmarks on some criteria from some entity, you're probably not going to be able to stop this kind of attacker. If you don't have a qualitative aspect to your security program with good, strong technologists managing that infrastructure and trying to improve it on an ongoing basis, if you find yourself talking about investing in prevention and detection so you never have to worry about response, you are a prime target and are probably going to have issues.
We find that the companies most successful at dealing with this kind of attack understand what level of security they actually get from their infrastructure, and therefore remain vigilant for the right kinds of things after the fact. How many companies buy an IDS, let it run, never look at the logs or think about analyzing the data, and don't do any critical thinking about the information their systems generate and receive? That's pretty common.
We find companies that have been highly targeted. We've seen a lot of APT activity in the defense industrial base, understandably so, and look how that community now works: They share information between each other, they actively discuss the threats, they actively look for new streams of intelligence, and they are vigilant in their infrastructure, understanding that there's only so much stuff you can prevent outright. That mindset is exactly what you have to have to be successful in managing -- as you can never have perfect prevention with this kind of attack group -- [this risk] on an ongoing basis, like you would any other risk. Those companies are doing good things.
Mike Malin: And I think one of the things we also do, regardless of the APT, is deal with incident response. If APT has struck, ... some of the basics that we talk about are: don't panic; observe and act; define the win. [Which means:] What do you truly want to accomplish with this reconnaissance? Is it at a micro-level of your enterprise, or do you actually want to scan the entire enterprise and really get a scope of what you're trying to do? And then lastly, back to basics: There is a lot to be said for having a robust security portfolio. ... What we're seeing is, you'd better be able to respond, because odds are, you're compromised.
This was first published in June 2010