Opinion: Prepare for advanced persistent threats, or risk being the next RSA

Roger A Grimes looks at the implications of the SecurID hack

Just a few years ago, the media was publishing daily stories about website defacements or even bank theft. How I wish for those halcyon days. Now APT (advanced persistent threat) attacks are grabbing media attention on a near-weekly basis -- and IT security teams must take heed and prepare. The APT attackers are not stealing money or passwords, even when they break into banks. They are stealing information. In a nutshell, APT attackers aim to take all valuable intellectual property from the victim and transfer it to their home safe-harbor country, either to use for competitive advantage or for profit.

Equal-opportunity threat

This spate of APT attacks started off with the January 2010 announcement of Google's APT experiences; more recently, RSA reported that some of its confidential data has been compromised, including information about the company's SecurID technology. That revelation has concerned users of the technology. Hacker group Anonymous's HBGary email leaks show that DuPont, Walt Disney, Johnson & Johnson, Sony, and General Electric have all been hit, along with law firms and insurance companies. Global powerhouse investing firms and banks such as Morgan Stanley have been exploited. McAfee revealed that the world's biggest oil and energy companies have been victimized. Democratic Senator Sheldon Whitehouse said it best last year, before the more recent round of revealed attacks: "We are on the losing end of the biggest transfer of wealth through theft and piracy in the history of the planet." Notably, American companies aren't the only victims of APT attacks. Canada suffered such a massive hacker hit that the government had to temporarily pull its largest financial departments off the Internet while the damage was repaired. Because APT focuses on the Fortune 1000, pretty much any company the attackers hit on that list is global. Sadly, in every case, the targeted organizations had actually been under siege for months or even years. I've been saying since July of last year to assume you've been hacked.

APT action plan

The question, then, is what to do if your organisation is hit by an APT attack. Every case is different and depends upon the details of the exploit. But in general, the cleanup and defense techniques are the very same ones we security IT admins have been taught and have preached for the past 20 years. However, the problems and neglect we've been living with are finally catching up with us. If there's any silver lining to your organization being hit by an APT attack, it's that the purse strings will probably start loosening; at least you'll have the money to spend to clean up the mess and institute the real security you've been talking about for the past five years or more.

But money is only one part of the solution. In a large environment, fixing everything at once is difficult. The best general approach is to identify your company's data crown jewels and to protect that part of the network as the highest priority. From there, move out to less risky assets. Given that every APT attack varies, there's no single defense plan. Still, the following steps could provide a useful start.

- Begin by threat modeling the past attacks against the biggest weaknesses in the environment. Doing so will help you identify where to begin defending and cleaning up.
- Implement least-privilege authentication and access control. Don't give users access to any resource they don't use. This will help slow down damage from the next APT attack. Some of us at Microsoft (my full-time employer) are going so far as to tell people not to give anyone domain admin rights. Instead, use delegation.
- Harden computers following the vendor's recommended security settings.
- Make sure you're patching everything, especially popular browser add-ons.
- Implement application control whitelisting to stop new malicious programs from spreading around the environment.
- Implement strong password policies, with 12-character or longer complex passwords for standard user accounts. Elevated accounts should be even longer.
- Use two-factor authentication if long passwords are a problem or aren't secure enough.
- Implement an enterprisewide log management system, with comprehensive alerting and auditing.
- Isolate security domains and hosts. If computers shouldn't talk to each other, don't let them.
- Deploy an anomaly-detection product, such as HIDS (host-based intrusion detection systems) or NIDS (network-based intrusion detection systems).
- Make sure antivirus scanners check for updates every 24 hours or less and that they scan for hacking tools.
- Educate end-users about the biggest risks, such as Adobe Acrobat and Java exploits, fake antivirus warnings, phishing sites, and so on.

There's much more to battling an APT attack, but the list above should provide a good start. If your company hasn't been hit by an APT, make sure it doesn't join the organisations that will be reporting they've been compromised in a few months. If you've been hit by APT, I feel for you. Some of the ideas above should help.

Grimes is contributing editor at the InfoWorld test centre and an IT security industry veteran
