Credit: Naomi Anderson
Advanced persistent threats have garnered a lot of attention of late, deservedly so. APTs are arguably the most dangerous security concern for business organizations today, given their targeted nature.
An APT attack is typically launched by a professional organization based in a different country than the victim organization, thereby complicating law enforcement. These hacking organizations are often broken into specialized teams that work together to infiltrate corporate networks and systems and extract as much valuable information as possible. Illegally hacking other companies is their day job. And most are very good at it.
[ Find out how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | It's time to rethink security. Two former CIOs show you how to rething your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
By all expert opinion, APTs have compromised the information infrastructure of any relevant company. The question isn't whether you've been compromised by an APT, but whether you've noticed it.
I've been helping companies fight and prevent APTs for nearly a decade. In that time I've amassed my share of war stories from the IT security trenches. Here are some of the better real-life tales, not just for the chase, but for the lessons learned.
APT war story No. 1: APT eyes are watching you
I once spent more than a year responding to an APT attack at a multinational company that was involved in everything from high-tech satellites and guns to refrigerators and education. When I got the call, the client had already been hit by two other APT attacks, which isn't unusual. Most companies that discover an APT usually figure out it's been there for years. One client I worked with has been compromised by three different APT teams over the past eight years -- not surprising in the least.
The multinational was finally serious about combatting the attack. The entire IT team was called together to respond; a large, single-purpose task force was created; all the relevant experts were brought in. It was decided that many months in the future all passwords would be reset.
You may wonder why the delay in resetting passwords. Password resets should always be pushed out far into the future in these situations because there's no use changing all the passwords to kick out an APT if you can't guarantee you can prevent the baddies from breaking right back in. Identify the most relevant weaknesses, fix them, then change the passwords. That's the best defense.
As in most companies I work with, everyone involved was sworn to secrecy. Code words were established, so the team could discuss various aspects of the project in (possibly monitored) emails without alerting intruders or employees not yet engaged.