The question of stopping targeted attacks has been on my mind for a while. Of course my partners and I have to suffer through far too many vendor briefings where they claim to stop an APT with fairy dust and assorted other black magic. But honestly, it is a legitimate and necessary question.
Ever since Google came clean a few years back about Aurora, and everyone then acknowledged the persistent, likely state-sponsored attacker as a class of adversaries, vendors have been APT-washing their stuff, trying to convince anyone who would sit still that their run-of-the-mill IPS or endpoint protection product had a chance. Basically this rash act was necessary to keep the cash cow producing, even in the face of mediocre (or worse) efficacy of existing controls.
But here is the thing these vendors missed. Very few of the adversaries most organizations face are advanced or persistent. Most are today’s version of script kiddies trying to smash and grab their way out of the despondency of their existence. It’s much easier and more lucrative than robbing a bank, after all. So most existing controls still have some role to play in tomorrow’s defense. But we all know existing controls are not sufficient.
Yet targeted attacks do exist, and the legitimately advanced attackers are now targeting further afield to achieve their objectives. They are attacking the supply chains of their targets to gain deeper footholds, earlier. And now that we have a better idea of the tactics they are using, we start to see offerings built very specifically for these kinds of attacks. I won’t say we’re seeing real innovation yet, but lots of vendors are learning and evolving their offerings to factor in this new class of attacker. Unfortunately it’s still way too early to get a feel for whether real innovation is happening (or will happen), or whether this is just a classier version of APT-washing.
Regardless of what happens on the prevention side, you still need to monitor the hell out of your stuff. As Mandiant described in a blog post that has since disappeared from their site (wonder if they’re now doing work for Global Payments, hmmmm), the folks at Global Payments evidently found the first breach themselves by monitoring their egress traffic and seeing stuff they didn’t like leaving their network. Was it too late? Of course. But it’s a hell of a lot better to catch it yourself than to hear from your payment processor or the FBI that you have a ‘problem’.
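The egress-monitoring point above is worth making concrete. The following Python script is an added example, not code from the original post or from Global Payments or Mandiant; it runs three simple checks over constructed NetFlow-style records (source, destination, port, bytes out): outbound volume per internal host above a threshold, connections to destinations not seen in a baseline, and outbound traffic on ports outside an allowed egress set. The network ranges, thresholds, baseline and flow records are all assumptions made up for the example.

```python
"""Egress-anomaly checks over constructed NetFlow-style records (hypothetical example).

Each record is (timestamp, src_ip, dst_ip, dst_port, bytes_out).
Three defender-side checks are applied to flows leaving the internal range:
  1. total outbound bytes per internal host above a threshold in the window
  2. outbound connections to destinations absent from a learned baseline
  3. outbound traffic on ports outside the permitted egress set
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space and egress policy (constructed for the example)
INTERNAL = ip_network("10.0.0.0/8")
ALLOWED_EGRESS_PORTS = {53, 80, 443}
BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB out per host per window

# Destinations observed during a quiet baseline period (constructed)
BASELINE_DESTS = {"93.184.216.34", "151.101.1.69"}

# Constructed flow records: (ts, src, dst, dport, bytes_out)
FLOWS = [
    (1, "10.1.2.3", "93.184.216.34", 443, 120_000),
    (2, "10.1.2.3", "151.101.1.69", 80, 40_000),
    (3, "10.1.2.9", "198.51.100.77", 443, 30_000_000),
    (4, "10.1.2.9", "198.51.100.77", 443, 30_000_000),
    (5, "10.1.2.4", "203.0.113.5", 4444, 5_000),
    (6, "10.1.2.3", "10.1.2.50", 445, 900_000),  # internal-to-internal, not egress
]


def is_egress(src, dst):
    """True when the flow leaves the internal range."""
    return ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL


def analyze(flows, baseline=BASELINE_DESTS, threshold=BYTES_THRESHOLD,
            allowed_ports=ALLOWED_EGRESS_PORTS):
    """Return a list of (kind, host, detail, ts) findings for the given flows."""
    out_bytes = defaultdict(int)
    seen_pairs = set()  # report each new (src, dst) pair once
    findings = []
    for ts, src, dst, dport, nbytes in flows:
        if not is_egress(src, dst):
            continue
        out_bytes[src] += nbytes
        if dst not in baseline and (src, dst) not in seen_pairs:
            seen_pairs.add((src, dst))
            findings.append(("new_destination", src, dst, ts))
        if dport not in allowed_ports:
            findings.append(("unusual_port", src, f"{dst}:{dport}", ts))
    # Volume check runs after the window is summed, so it has no single timestamp
    for host, total in out_bytes.items():
        if total > threshold:
            findings.append(("volume", host, total, None))
    return findings


if __name__ == "__main__":
    for kind, host, detail, ts in analyze(FLOWS):
        print(f"{kind:16} host={host} detail={detail} ts={ts}")
```

On the constructed records this flags 10.1.2.9 for pushing roughly 60 MB to a destination outside the baseline and 10.1.2.4 for an outbound connection on port 4444; the internal SMB flow is ignored because it never leaves the network. The thresholds here are arbitrary; in practice the baseline and volume limits would be tuned per host class, and a finding is a prompt to investigate, not proof of a breach.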
We will see a lot of new stuff, as everybody tries to get ahead of attacks – even targeted ones. But it’s career-limiting to plan on stopping them, so we still push investment in monitoring, forensics, and response – even in the presence of new and innovative protections. Or is “Can you stop a targeted attack?” the wrong question to even ask?
Photo credit: “Bullseye” originally uploaded by bitsofreality