Infosecurity Europe 2012: AET & APT – Is this the next-generation attack?

The advice from this panel was that companies should assume they have already been compromised and act accordingly

Spencer Mott, VP, CISO and risk management at Electronic Arts; Michel Juvin, GISO at Lafarge; and Scott Crawford, managing research director at Enterprise Management Associates came together to give their practical insight on APT and AET at Infosecurity Europe in London. What was surprising was the degree of agreement, and the degree it diverged from received wisdom.

APT is not necessarily 'advanced', although it is certainly persistent; but perhaps the 't' should be changed from 'threat' to 'tactics'. APT is not a single attack, explained Scott Crawford; it is repeated probing until a point of entry is found. When that point of entry is found, advanced evasion techniques (AET) will allow the payload to be delivered without being detected.

The attack itself doesn't have to be advanced. It merely has to be effective. But the result, said Spencer Mott, is that "we cannot understate how serious the threat is, how successful it has become, nor how far behind the curve our defenses now are."

The result, everyone agreed, is that once targeted, no network can be defended against the combination of APT and AET. In fact, the advice is that companies should assume that they have already been compromised and should act accordingly. But all is not lost. Firstly, while we can no longer defend the network, we can defend the data. Secondly, the nature of APT gives us some time to react.

There was common agreement among the panel that APTs stem from nation states. It is not the slash-and-burn-and-run approach used by industrial criminality. Once inside the network, APT will conceal itself, learn to understand the network, elevate its privileges slowly enough not to be noticed, and seek the precise information it is after.

There are several issues here. Firstly, by a thorough understanding of what we have that will be targeted, we know what we should be most defending – and where to look for evidence of a stealthy intrusion. Secondly, we must turn the light of visibility on inside the network rather than concentrating on just patrolling the perimeter. There will be a time-lag between the initial penetration and the destructive exfiltration. We have to use that time to recognize, locate and cleanse the intrusion.

The solution is two-fold: sharing and analytics. Both concepts are in their infancy but will evolve to provide the centerpoint of future security. Intel-sharing is necessary because risk exposure, said Crawford, "is wider than a single company. RSA showed us that last year." But there are problems in sharing that still need to be solved. There is a fear of brand damage when a breach is admitted. There are concerns over data protection issues. "It's early days," he said. "What we need is a normalized data language so that intel can be shared effectively and safely."

The second approach is the use of analytics software to detect the anomalous network behavior that might indicate an intrusion. Again, everyone agreed that this approach is in its infancy; but it might just provide the future defense against APTs and AETs.
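To make the analytics idea concrete, here is an added example (not code from the article or from any of the panelists) that runs three simple behavioural checks over constructed flow records: a sudden jump in a host's daily outbound volume against its own median baseline, a host contacting a destination it never used during the baseline window, and a metronomic connection cadence that looks like a callback. The host names, IP addresses (documentation ranges), thresholds and timing data are all assumptions built for illustration.

```python
"""Illustrative network-behaviour analytics over constructed flow logs."""
import statistics
from collections import defaultdict

# Constructed daily outbound flow summaries: (day, src_host, dst_ip, bytes_out).
# Hosts and IPs are hypothetical; nothing here comes from the article.
FLOWS = (
    [(d, "ws-12", "203.0.113.10", 40_000 + 500 * d) for d in range(1, 7)]
    + [(7, "ws-12", "198.51.100.77", 2_400_000)]  # sudden large transfer to a new destination
    + [(d, "ws-30", "203.0.113.10", 3_000_000 + 20_000 * d) for d in range(1, 8)]  # always busy
)


def _cumulative(start, gaps):
    """Turn a list of inter-connection gaps into absolute timestamps."""
    t, out = start, [start]
    for g in gaps:
        t += g
        out.append(t)
    return out


# Constructed connection timestamps (seconds) per (src_host, dst_ip).
CONNECTIONS = {
    ("ws-12", "198.51.100.77"): _cumulative(1000, [60, 61, 59, 60, 62, 58, 60, 61, 59]),  # metronomic
    ("ws-30", "203.0.113.10"): _cumulative(1000, [5, 300, 12, 90, 700, 3, 45, 400, 20]),   # bursty/human
}


def daily_totals(flows):
    """Map host -> {day: total bytes out}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def volume_anomalies(flows, factor=5.0, min_history=3):
    """Flag (host, day, ratio) where a day's outbound volume exceeds `factor`
    times the median of that host's earlier days. Comparing each host to its
    own history keeps a legitimately busy host (ws-30) from alerting."""
    alerts = []
    for host, per_day in daily_totals(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = statistics.median(history)
            ratio = per_day[day] / baseline if baseline else float("inf")
            if ratio > factor:
                alerts.append((host, day, round(ratio, 1)))
    return alerts


def new_destinations(flows, baseline_days):
    """Flag (host, day, dst) for destinations a host never contacted during
    the first `baseline_days` days."""
    seen = defaultdict(set)
    for day, host, dst, _ in flows:
        if day <= baseline_days:
            seen[host].add(dst)
    return sorted({(host, day, dst) for day, host, dst, _ in flows
                   if day > baseline_days and dst not in seen[host]})


def beacon_candidates(connections, max_cv=0.1, min_events=8):
    """Flag (host, dst) pairs whose inter-connection gaps are nearly constant
    (coefficient of variation below `max_cv`), a common callback signature."""
    hits = []
    for pair, times in connections.items():
        if len(times) < min_events:
            continue
        ordered = sorted(times)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv < max_cv:
            hits.append(pair)
    return hits


if __name__ == "__main__":
    print("volume anomalies:", volume_anomalies(FLOWS))
    print("new destinations:", new_destinations(FLOWS, baseline_days=6))
    print("beacon candidates:", beacon_candidates(CONNECTIONS))
```

The three detectors deliberately score each host against its own history rather than a global threshold; that is what lets a consistently busy server stay quiet while a workstation that suddenly moves fifty times its normal volume to an address it has never spoken to stands out. In practice the baselines would be fed from flow or proxy logs, and the alerts correlated rather than acted on individually.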

See Infosecurity Magazine's interview with Spencer Mott outside the keynote theater at Infosecurity Europe 2012.
