
Advanced Persistent Threats: Part 3

I don’t normally write and post a blog entry that is part of a series after the series has ended. I’ve already written parts 1 and 2 of the advanced persistent threats (APTs) series; earlier this week I moved on to a new topic. Sorry, but I forgot to cover something very important about APTs. I thus feel compelled to write a third part of the APT series out of order. I’ll go back and fix the order of the postings in a few days.

Too many people view APTs as “something out there,” but they are not. They are already “here,” so to speak. Your organization’s network almost certainly has systems and devices that are infected by malicious code installed by persistent attackers. Why hasn’t your organization detected them, then? The primary reason is that the attackers and the malicious code they write and use are light years ahead of today’s security technology. Some of this technology is better than the rest, and some vendors produce “best of class” products, but no matter what exceptions exist, the rule is that today’s security technology is just not up to the task when it comes to detecting (let alone repelling) APT-related attacks. Vendor hype concerning the highly embellished merits of this technology, coupled with the fact that the presence of attackers goes undetected, unfortunately leaves people in a state of blissful ignorance.

Another reason that APTs are “here,” not “there,” is that we keep using the “same-old-same-old” security strategies and approaches, assuming that “they” are somewhere outside of our networks and are being kept out by our use of controls such as firewalls at external gateways to our networks, in-line intrusion prevention tools, network segregation, and other controls that have generally served us well in the past. What if we found that a group of attackers had broken into our network and compromised dozens of machines? We would immediately shift gears and devote massive amounts of time and effort to finding out which machines the attackers owned, expelling the intruders from them, and cleaning them up. But alas, we just go on assuming that all is quiet on the Western Front.

We need a radical shift in our attitudes about and strategies for dealing with APT-related attacks. We need to assume that we have already been conquered and the enemy now lives within. We thus also need to devote a disproportionate share of operational effort to discovering where perpetrators have succeeded and to moving with great speed and diligence to ensure that compromised systems and devices are restored to their normal operational state. In terms of the widely embraced prevention-detection-correction model of information security, considerably more resources and effort must be devoted to detection and correction. Don’t get me wrong: we still need defense-in-depth with best-in-class controls, but we must quit thinking that preventative controls work as well as they did in the past.

This brings up another intriguing issue. What can we promise executive-level management and our stakeholders as far as what we can realistically deliver through our information security risk management efforts? In the past we’ve been able to give reasonable assurance that we could deliver a reasonably high or better degree of business process assurance through reduction of confidentiality-, integrity- and availability-related risk to an acceptable level. But now the bad guys own our systems and networks. Should we tell the whole story concerning the reality and pervasiveness of APTs? How will management respond if we tell them the truth, the whole truth, and nothing but the truth? Will they simply adjust their risk appetite level? Unfortunately, I currently have no good answers for any of these questions and issues. All I know is that APTs call for a paradigm shift in the way we do our business in information security. The sooner we wake up to the new reality and adjust to it, the better our ability to deal with it in a manner that will truly benefit the organizations we serve.

–Gene Schultz, Ph.D., CISSP, CISM, GSLC