Now, all of that said, the world isn’t coming to an end. Just because we can’t eliminate a threat doesn’t mean we can’t contain it. The following strategies aren’t specific to any point technology, but can help reduce the impact when your organization is targeted:
- Segregate your networks and information. The more internal barriers an attacker needs to traverse, the greater your likelihood of detection. Network segregation also improves your ability to tailor security controls, especially monitoring, to the needs of each segment.
- Invest heavily in advanced monitoring. I don’t mean only simple signature-based solutions, although those are part of your arsenal. Emphasize two categories of tools- those that detect unusual behavior/anomalies, and those will extensive collection capabilities to help in investigations once you detect something. Advanced monitoring changes the playing field! We always say the reason you will eventually be hacked is that when you are on defense only, the attacker only needs you to make a single mistake to succeed. Advanced monitoring gives you the same capability- now the attacker needs to execute with near-perfection, over a sustained period of time, or you have a greater chance of detection.
- Upgrade your damn systems. Internet Explorer 6 and Windows XP were released in 2001; these technologies were not designed for today’s operating environment, and are nearly impossible to defend. The anti-exploitation technologies in current operating systems aren’t a panacea, but do raise the barrier to entry significantly. This is costly, and I’ll leave it to you to decide if the price is worth the risk reduction. When possible, select 64 bit options since they include even stronger security capabilities.
Longer term, we also need to pressure our application vendors to update their products to utilize the enhanced security capabilities of modern operating systems. For example, those of you in Windows environments could require all applications you purchase to enable ASLR and DEP (sorry Adobe).
By definition, advanced persistent threats are as advanced as they need to be, and won’t be going away. APT the logical extension of all of human history, let’s not pretend it is anything more or less.