Last Updated on November 20, 2011
In these days many people are asking me what they can do to stop an Advanced Persistent Threat. Although security firms are running fast to develop new technologies to thwart these attack vectors (sophisticated SIEMs and a new breed of network security devices, the so called Next Generation IPSs), unfortunately I am afraid the answer is not so easy. I might spend thousands of words to figure out the answer, but I would not be able to give a better representation than this cartoon I found a couple of days ago in the Imperva Blog.
Intentional or unintentional the human error is always the first vector an Advanced Persistent Threat exploits to enter the organization: as a matter of fact all the APT attacks recorded in 2011 (and unluckily examples abound in the news), have a point in common: the initial gate which allowed the attack to enter, that is the user.
The last resounding example is not an exception to this rule: on Friday November, the 17th Norway’s National Security Authority (NSM) confirmed that systems associated with the country’s oil, gas, and energy sectors were hit with a cyber attack, resulting in a loss of sensitive information. If we look at the information available for this attack, it is really easy to find all the ingredients of a typical APT Attack: virus spread via malware-infected emails sent to “selected individuals”, sophisticated malware designed to avoid detection by anti-virus solutions, and, last but not least, sophisticated malware designed to steal information from the victim’s computer: documents, drawings, username and password.
So at the end which is the key to face an APT, before the technology itself is able to catch it? The answer (and the technology) spins around the user which is the first firewall, IPS, anomaly detector, who can stop an APT. Of course exactly like security devices must be configured to stop the intrusion attempts, analogously users must be configured educated not to accept virtual candies from strangers, hence acting as unintentional gates for the threats to enter the organizations. This often happens because of shallow behaviors or also because of behaviors in clear contrast with the internal policy (yes the infamous AUP). I use to say that security is a mindset, quite similar to distrust: you have it since you are naturally born with it, or you may simply be educated to embrace it.
Keep in mind the central role of the user inside the security process since 2012 will be the year of APTs… Would you ever buy (and heavily pay) an armored door for your home and give the key to people you do not trust?
Related articles
- Are You Ready For The Next Generation IPS? (paulsparrows.wordpress.com)
- Advanced Persistent Threats and Security Information Management (paulsparrows.wordpress.com)
The US DoD does that all the time. & they wonder why National Security has been breached. They can’t man up and take the blame for being such Idiots.. That’s what you get when you outsource all your work to people who you don’t REALLY KNOW… So I’d say the US Admin had and got what was coming for them in the first place… & that goes for a few other govs in the world… Even at current time. highly classified intel still gets out every 10 seconds 10 gb+ of data is breached. And the end user eg. DoD does not want to take the blame for all that has occurred… Seems like weakness and severe lack of common sense to me… Even the best Nuclear and Bio facilities are not safe electronically and by other means… See innocent man who gov blamed without proving by a shadow of a doubt he did anything except his job.. aka. Bruce Ivins. To them one life was worth keeping other things under wraps… All hypothetically speaking here for now.