“The only thing worse than being the victim of an APT is *not* being the victim of an APT.”
Or, at least, that’s probably how Oscar Wilde would have seen it, had he been following the news recently.
(He rather famously said something similar when told that all of London was talking about him.)
There’s plenty of discussion about APTs, and given the rate at which organizations are stepping forward to disclose that they have been hacked, it’s starting to look like there’s a certain rakish chic to being in the rapidly growing club of victims.
At this year’s RSA Conference, I had the good fortune to bump into SecurityWeek’s Fahmida Rashid and we fell into conversation about this very subject. We agreed APTs are, clearly, a problem. They’re just not a new problem. Nor, in reality, are they likely to be your main problem if you have information you need to keep secure.
As Matthew Schwartz said in InformationWeek,
“Don't worry about China. Worry instead if the pitiful state of your information security defenses will allow any attacker to wield nothing more than malicious email attachments to steal valuable intellectual property or even state secrets.”
Being the victim of an APT is obviously bad news, and for some organizations it can be extremely damaging. Yet hackers aren’t using sophisticated orbital lasers to burn a hole in your roof so they can steal your data. They are using basic vulnerabilities, human, technical and systemic, to get in and poke around. And if a state-sponsored hacker can do that, so can anyone else.
APTs are using email spear phishing, malware, and poorly configured systems to enter your network and establish a foothold – and while these are not always easy to deal with, they are essentially the same problems we’ve all been dealing with for a long time.
Ultimately, while an APT hacking scandal can put you under the spotlight, it’s probably not the type of publicity an organization really wants to be associated with (however fashionable it may be at the moment).
Good education will continue to be at the front lines of fighting APTs, simply because so many breaches are initiated with socially engineered attacks. Yet at the same time, let’s all be realistic about the chances of keeping out APTs for good. (The P is the important letter here – “persistence” is a powerful tool in hacking.)
So your best bet is to start the day making the same assumption about an APT as you would any other threat – “Someone is already in and doing harm. So, how will I find them and how will I limit the damage they do?”
Reduce the number of poorly configured systems (which allow attackers to strengthen their foothold and attack new systems) and improve your ability to monitor who’s doing what, where, and how. Implement good, data-centric security, encrypting what’s sensitive and keeping the keys secure, and limit the number of accounts with the privileges necessary to make dangerous changes.
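As an added illustration of two of those controls (monitoring who is doing what, and keeping the set of accounts with dangerous privileges small and known), here is a short Python script that is not part of the original post. The audit log lines and the allowlist of approved privileged accounts are constructed for the example; it parses sudo-style escalation records, counts which accounts are actually exercising root privileges, and flags any escalation by an account that is not on the approved list.

```python
"""Audit privileged activity against a short allowlist of approved accounts.

Added example, not from the original post: the log lines and the allowlist
below are constructed for illustration and do not come from any real system.
"""
import re
from collections import Counter

# Constructed sample lines, loosely modelled on sudo's auth-log format.
SAMPLE_LOG = """\
Mar 02 09:14:01 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 02 09:20:44 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 02 10:02:13 host2 sudo: svc-backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/backup.sh
Mar 02 10:05:59 host2 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 02 11:41:07 host3 sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
"""

# Hypothetical allowlist: the only accounts expected to escalate to root.
APPROVED_PRIVILEGED = {"alice", "svc-backup"}

# Matches timestamp, host, invoking user, target user and the command run.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo: (?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_lines(text):
    """Parse escalation records; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def privileged_account_usage(events):
    """Count how often each account obtained root: the real privileged set."""
    return Counter(e["user"] for e in events if e["target"] == "root")


def unapproved_privilege_use(events, approved=APPROVED_PRIVILEGED):
    """Return escalations performed by accounts outside the approved list."""
    return [e for e in events if e["target"] == "root" and e["user"] not in approved]


def report(text=SAMPLE_LOG, approved=APPROVED_PRIVILEGED):
    """Summarise which accounts hold effective privilege and which were unexpected."""
    events = parse_sudo_lines(text)
    usage = privileged_account_usage(events)
    flagged = unapproved_privilege_use(events, approved)
    return {"privileged_accounts": sorted(usage), "flagged": flagged}


if __name__ == "__main__":
    result = report()
    print("accounts that escalated to root:", ", ".join(result["privileged_accounts"]))
    for e in result["flagged"]:
        print(f"FLAG {e['ts']} {e['host']}: {e['user']} ran {e['cmd']} as {e['target']}")
```

The useful output is the gap between the two sets: the accounts that are actually escalating versus the accounts you believed were allowed to. Feeding real sudo or audit output into the same comparison is a cheap, repeatable way to find privileged accounts nobody intended to grant, which is exactly the kind of foothold the post describes.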
Because in the end, that’s really the basics of what you have to do for any threat. Not just the “AP” kind.