Showing posts with label malware/exploits/vulns. Show all posts

QOTD on The New Security Reality

You should assume that every server in your company is compromised, then build your security around that.
[...]
Don't assume you're safe. Assume you're not, and figure out now how to react when you are compromised.
-- Andy Dancer, MD and CTO EMEA for Trend Micro

Src: Treat every corporate server as compromised, advises security expert - 25 Nov 2011 - Computing News

QOTD on APTs

The difficult thing about APTs is that they exploit employee knowledge gaps, process weaknesses, and technology vulnerabilities in random combinations. Patient, well-resourced, and highly skilled adversaries take their time to figure out where we are most vulnerable and then use this knowledge as a weapon against us. You could do 99 things right, and the bad guys will find and leverage the one thing you do wrong.
-- Jon Oltsik, ESG senior principal analyst

Note: emphasis is mine.

QOTD on The Security Perimeter

The days of the perimeter working as the sole defence mechanism are no longer with us.
[...]
Once hackers defeat the perimeter, they will make stealthy, pinpoint attacks from there.
This isn't an outbreak which shuts all the corporate machines down – it's about probing and searching for valuable data or other vulnerabilities.
-- Andy Dancer, MD and CTO EMEA for Trend Micro

Src: Treat every corporate server as compromised, advises security expert - 25 Nov 2011 - Computing News

QOTD on A New Security Reality

Containment is the new prevention.

For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.
-- Websense Security Labs Blog

Src: 2012 Cyber Security Predictions from the Websense Security Labs - Security Labs

QOTD on Social Engineering

The most advanced criminals are going to ride the waves of personal devices, personal social media use, and personal web activities of employees to create more advanced, social engineering attacks to get in. Many of the business and government attacks in the coming year won’t necessarily be about how complex the code is, but how well they can convincingly lure unsuspecting victims to click.
-- Dan Hubbard, Websense CTO

QOTD - PwC on APTs

The most sophisticated, adaptive and persistent class of cyber threats is no longer a rare event.
The report goes on to say:
In the few short months since this survey was launched on February 10, 2011, for example, leading organizations worldwide have been targeted by Advanced Persistent Threat attacks. These entities include national governments, nuclear laboratories, security firms, military contractors and an international organization that oversees the global financial system.
Yet APT isn’t just a threat to the public sector and the defense establishment. It’s an increasingly urgent issue for the private sector as well.
Src: Global state of information security 2012: PwC

QOTD - Raytheon's Cyberchief on Attacks

You will be attacked. You will be exploited. It's not a matter of whether something will get in your system, but more how long you will continue to have them in your system.
-- Vincent Blake, head of cyber security at Raytheon U.K.

Src: Raytheon's Cyberchief Describes 'Come to Jesus' Moment | PCWorld Business Center

QOTD on the Commoditization of Malware

The malware lifecycle has sped up dramatically. The 'time to market' difference between £1,000-plus innovative malware and £15 ready-to-run kit is now months, rather than years. Combine this with poor patching remaining prevalent in businesses of all sizes, and you have a lethal cocktail.

This means that any would-be hacker can cause thousands of pounds worth of damage with very little outlay or technical know-how. Using the same advanced tactics as big-time hackers, lower-level cyber criminals focus on stealing data or private information. Their methods are increasingly diverse and technically advanced, and this is one of the reasons APTs can be so damaging to small- and medium-sized businesses alike.

Four days after the Aurora hack on Google last January, the code used was available worldwide. Within 18 months, there had been 5,800 attacks using it. As time goes on, far from the code losing its potency, more people get hold of it.
-- Spencer Parker, Group Product Manager, Websense

Note: this is written by an information security vendor; however, there is value in the statements to raise awareness of the threats and how quickly research & development efforts get transferred from leading-edge malware to run-of-the-mill tools.

Src: The trickle-down effects of advanced persistent threats - SC Magazine UK

The State of Malware in 2011

One of the most challenging aspects of information security is the need to stay up-to-date about the threats. This post from Symantec details the level of sophistication displayed by a current crop of malware, in this case, an entire malware distribution network whose purpose is to infect (& bury deep in the OS), harvest credentials, and also subvert the machine's CPU cycles to crack a mathematical problem ("bitcoin mining").

Src: Introducing Trojan.Badlib: A Malware Distribution Network | Symantec Connect Community

QOTD on the Business of Malware

Malware is a growing industry. The cliche that this was a couple of kids doing this in their parents’ basement was never true in the first place. Now it’s totally wrong, now the suits and the MBAs are peddling this stuff both to crooks and to wannabe Big Brothers.
-- Noah Schachtman, nonresident fellow at the Brookings Institution and editor of Wired’s Danger Room

QOTD - Uri Rivner on the RSA Hack

One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials. You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.
[...]
It is also important to note that just as stealth fighters evade radar instead of defeating it, APTs do not “defeat” security products. They just find ways to fly below the existing technology.
[...]
What we’re witnessing now are the early days. We’re now in 1939, and U-boats are an impossible menace. We’re now in 2004, and social engineering attacks get away with our customer’s money. We’re now in 2011, and the tidal wave of targeted attacks has reached our shores. It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.
-- Uri Rivner, Head of New Technologies, Consumer Identity Protection, at RSA

Src: Anatomy of an Attack « Speaking of Security – The RSA Blog and Podcast

QOTD on Current Level of Readiness

Most organizations are still not postured from a security or architecture standpoint to confine and limit the scale of the breach once an attacker has gained access to the internal network.
-- Ryan Kazanciyan, a principal consultant for Mandiant

QOTD on insiders & outsiders

The distinction between insiders and outsiders is blurring. Sophisticated attackers infiltrate a network, steal valid credentials on the network, and operate freely - just as an insider would.
-- Scott Aken, vice president for cyber operations at SAIC

QOTD on the new targets of cyber-crime

Cybercriminals have shifted their focus from physical assets to data driven properties, such as trade secrets or product planning documents. We’ve seen significant attacks targeting this type of information. Sophisticated attacks such as Operation Aurora, and even unsophisticated attacks like Night Dragon, have infiltrated some of the largest, and seemingly most protected corporations in the world. Criminals are targeting corporate intellectual capital and they are often succeeding.
-- Simon Hunt, VP and CTO, endpoint security at McAfee

QOTD on Custom Malware

Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere. I imagine anybody in the global 2,500 has this problem.
[...]
It's fairly trivial to customize an exploit to bypass 70 percent of the time. I do it all of the time on engagements.
-- Shawn Moyer, managing principal at security services firm Accuvant Labs

Src: Customized, stealthy malware growing pervasive - CSO Online - Security and Risk

QOTD on Botnets & Legacy

Botnets will be with us until the way computing works is fundamentally changed at the lowest level. Right now, we’re dealing with a legacy architecture that was invented back in the '70s. None of this was envisioned, so nobody designed any security into the lowest layers.
-- Joe Stewart, director of Malware Research for Dell SecureWorks

Src: What are Botnets? : Discovery News

QOTD on Security Today

You could stop the rest of your IT, and put all of your resources into security for a year and still not be 100pc secure.
-- Owen O’Connor, president of the Irish chapter of the Information Systems Security Association (ISSA)

Src: ANALYSIS: Taking the right response to data breach risk - Ireland’s CIO and strategy news and reports service – Siliconrepublic.com

QOTD - KPMG on Current Security Landscape

Recent information security breaches reflect a worrying trend of very targeted hacking. Hackers have business heads in their sights as it gives them access to the most sensitive information, such as intellectual property and investment plans.
[...]
Information security attacks are a very real threat – they happen daily and just because a business or a business leader was not on a hacker's radar yesterday does not ensure safety today.
-- Paul Hanley, information security director at KPMG

Src: Nasdaq confirms its network was hacked - 07 Feb 2011 - Computing News

QOTD - Amoroso on Security via Diversity

Serious attacks are not stopped by running an anti-virus program, they are not stopped by having people change passwords, they are not stopped by firewalls, they are stopped by other means….The first and foremost thing is that diversity is good….From a network and systems perspective, I get a lot of sleep at night when there is an attack on an IP-based system knowing that it is not going anywhere near our TDM circuit-switched infrastructure; they are just separate. The technologies are different, the systems are different, and they are non-interoperable.
-- Edward Amoroso, Chief Security Officer at AT&T, author of Cyber Attacks: Protecting National Infrastructure

Src: Infosecurity (USA) - Information security practices need to be rethought, says AT&T security chief

QOTD on Stuxnet

Stuxnet is like the arrival of an F-35 fighter jet on a World War I battlefield.
-- Ralph Langner, of Langner Communications GmbH

Src: Analysis: Stuxnet: A new weapon for cyber insurgents? | Reuters