Advanced persistent threats can be beaten, says expert

Officially, advanced persistent threats (APTs) from China are not even happening. But everybody in information security, especially those trying to protect enterprises from economic espionage, knows that APTs, typically originating in China, are a fact of life in the cyber world, government denials notwithstanding.

As Rob Lee, of the SANS Institute, describes it in a blog post: "It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems including You are compromised by the APT."

But Lee insists that while the enemies are good and keep getting better, "we can stop them."

Lee, an entrepreneur and consultant with an Air Force intelligence and law enforcement background, has developed a curriculum for a six-day SANS Advanced Computer Forensic Analysis and Incident Response Course. He said the need for training is obvious, since 50% of Fortune 500 companies have been compromised by APTs.

More than 90% of intrusions aren't even discovered by the victims themselves, but through third-party notification. In many cases, the APT has been on the victim network for months or even years, exfiltrating intellectual property data plus economic and political information.

And detection is only half the problem, Lee said. "The second half is that now that you're a victim, how do you respond? What we've been trained to do doesn't match what you should do on the ground. You can actually make it worse," he said.

A company that is notified, or discovers on its own, that it has been breached and reacts immediately to shut down an intruder will alert that intruder, who may then be able to change its code in other areas of the enterprise and remain hidden. "If you act too soon, you lose the chance to do some forensics, and your adversary will make the problem worse," Lee said.

This is one of the techniques Lee said he teaches in the course, which he is running this week in Austin, Texas, and will present starting July 5 at SANSFIRE in Washington, D.C.

The course, he said, is an effort to keep IT professionals from fighting the last war. It is now generally accepted that perimeter defenses are no longer effective, and that "weeds" are going to get into the enterprise garden. "It starts with an acceptance that weeds will happen," he said. "This is about building an IR (Incident Response) team so if a weed pops up, you aggressively counter it."

Ironically, an IR team can improve its detection capability by first being a victim of an attack, and not reacting too quickly. "You need to be a victim first, and that can help you not to be a victim again," he said.

While the gut response would be to eliminate the attacker's access immediately, Lee said there is much more to be gained by collecting threat intelligence. "If you get a call from the FBI, instead of reacting immediately with an antivirus, do a memory analysis," he said. "If you've been told to look for something on this IP address, start with your 'day zero machine' and look for any others that have that same signature. Scan through your environment to find other compromised code."
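The pivot Lee describes, starting from the day-zero machine and sweeping the rest of the environment for the same signature, can be worked through as a small hunt over host telemetry. This is an added example, not code from the article or the SANS course; the host names, hashes and the two documentation-range IP addresses are constructed, and the prevalence filter (ignore artifacts that appear on most hosts, so a shared system binary does not flag the whole fleet) is an assumption about how such a hunt is usually tuned.

```python
from collections import defaultdict

# Constructed sample telemetry: (host, artifact_kind, value). Not real data.
HOSTS = ("ws-017", "ws-042", "srv-db1", "ws-099", "ws-103")
TELEMETRY = [
    ("ws-017", "dst_ip", "203.0.113.45"),    # day-zero host; IP named in the notification
    ("ws-017", "proc_hash", "hash-A"),
    ("ws-017", "service", "svcupdate"),
    ("ws-042", "dst_ip", "203.0.113.45"),    # same address: reached in the first pivot
    ("ws-042", "proc_hash", "hash-B"),
    ("srv-db1", "proc_hash", "hash-B"),      # no C2 traffic, but shares ws-042's implant hash
    ("srv-db1", "service", "svcupdate"),
    ("ws-099", "dst_ip", "198.51.100.7"),    # unrelated traffic on a clean host
    ("ws-103", "proc_hash", "hash-C"),
] + [(h, "proc_hash", "hash-common") for h in HOSTS]  # a binary every host runs


def index_by_indicator(telemetry):
    """Map each (kind, value) artifact to the set of hosts it was seen on."""
    idx = defaultdict(set)
    for host, kind, value in telemetry:
        idx[(kind, value)].add(host)
    return idx


def pivot_hunt(telemetry, seed, max_prevalence=0.5):
    """Iteratively expand from one seed indicator to every host sharing it,
    harvest the rare artifacts of those hosts as new indicators, and repeat
    until nothing new turns up. Returns (compromised_hosts, indicators)."""
    idx = index_by_indicator(telemetry)
    total_hosts = len({h for h, _, _ in telemetry})
    indicators, compromised, frontier = {seed}, set(), {seed}
    while frontier:
        new_hosts = set()
        for ind in frontier:
            new_hosts |= idx.get(ind, set())
        new_hosts -= compromised
        compromised |= new_hosts
        frontier = set()
        for host, kind, value in telemetry:
            ind = (kind, value)
            # Only rare artifacts on newly found hosts become indicators;
            # anything common across the fleet would flag every machine.
            if host in new_hosts and ind not in indicators \
                    and len(idx[ind]) / total_hosts <= max_prevalence:
                indicators.add(ind)
                frontier.add(ind)
    return compromised, indicators
```

Lowering `max_prevalence` makes the hunt stricter: at 0.1 only the seed address is trusted and srv-db1, which never talked to that address, is missed.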

Once a company has been hit with an APT, it will be hit again, Lee said, but the good news for enterprises is that with good threat intelligence, there is something to fight back with. "You can predict the future based on the past," he said. "The enemy can't change all his techniques, and once you've learned about your adversary, you can deal better with the oncoming waves of attacks."

Threat intelligence becomes easier for an IR team once its members are trained in looking for indicators, Lee said. "It's looking for things that are slightly different, like everybody on the train looking the same except for the guy with the red tie. Or a cop on a beat, who can recognize from experience when something is out of place."

And a reverse-engineering team can provide threat intelligence that can create a signature and possibly decode traffic. "You might even be able to do host monitoring," Lee said.

Saad Kadhi, CTO of HAPIS, a French information security company, is one of the students in the current course in Austin. He said it has exceeded his expectations, calling it "a real eye-opener."

But he said to achieve significant results will take not only the expertise he is learning, "but the right tools, which means support from management. There has to be a dedicated team for this," he said. "A new methodology won't help if you don't know how to use it."

Stories by Taylor Armerding