Officially, advanced persistent threats (APTs) from China are not even happening. But everybody in information security, especially those trying to protect enterprises from economic espionage, knows that APTs, typically originating in China, are a fact of life in the cyber world, government denials notwithstanding.
As Rob Lee, of the SANS Institute, describes it in a blog post: "It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems including 10.3.58.7. You are compromised by the APT."
Much more on Advanced Persistent Threats
- A clear-eyed look at Advanced Persistent Threats
- In depth: What does APT really mean?
- APT in action: Inside the Heartland breach
But, Lee insists that while the enemies are good and keep getting better, "we can stop them."
Lee, an entrepreneur and consultant with an Air Force intelligence and law enforcement background, has developed a curriculum for a six-day SANS Advanced Computer Forensic Analysis and Incident Response Course. He said the need for training is obvious, since 50% of Fortune 500 companies have been compromised by APTs.
More than 90% of intrusions aren't even discovered by the victims themselves, but through third-party notification. In many cases, the APT has been on the victim network for months or even years, exfiltrating intellectual property data plus economic and political information.
And detection is only half the problem, Lee said. "The second half is that now that you're a victim, how do you respond? What we've been trained to do doesn't match what you should do on the ground. You can actually make it worse," he said.
A company that is notified, or finds, that it has been breached and reacts immediately to shut down an intruder will notify that intruder, who may then be able to make changes in its code in other areas of the enterprise and remain hidden. "If you act too soon, you lose the chance to do some forensics, and your adversary will make the problem worse," Lee said.
This is one of the techniques Lee said he teaches in the course, which he is running this week in Austin, Texas, and will present starting July 5 at SANSFIRE in Washington, D.C.
The course, he said, is an effort to keep IT professionals from fighting the last war. It is now generally accepted that perimeter defenses are no longer effective, and that "weeds" are going to get into the enterprise garden. "It starts with an acceptance that weeds will happen," he said. "This is about building an IR (Incident Response) team so if a weed pops up, you aggressively counter it."
Ironically, an IR team can improve its detection capability by first being a victim of an attack, and not reacting too quickly. "You need to be a victim first, and that can help you not to be a victim again," he said.
While the gut response would be to eliminate the attacker's access immediately, Lee said there is much more to be gained by collecting threat intelligence. "If you get a call from the FBI, instead of reacting immediately with an antivirus, do a memory analysis," he said. "If you've been told to look for something on this IP address, start with your 'day zero machine' and look for any others that have that same signature. Scan though your environment to find other compromised code."
Once a company has been hit with an APT, it will be hit again, Lee said, but the good news for enterprises is that with good threat intelligence, there is something to fight back with. "You can predict the future based on the past," he said. "The enemy can't change all his techniques, and once you've learned about your adversary, you can deal better with the oncoming waves of attacks."
Threat intelligence becomes easier for an IR team once its members are trained in looking for indicators, Lee said. "It's looking for things that are slightly different, like everybody on the train looking the same except for the guy with the red tie. Or a cop on a beat, who can recognize from experience when something is out of place."
And a reverse-engineering team can provide threat intelligence that can create a signature and possibly decode traffic. "You might even be able to do host monitoring," Lee said.
Saad Kadhi, CTO of HAPIS, a French information security company, is one of the students in the current course in Austin. He said it has exceeded his expectations, calling it "a real eye-opener."
But he said to achieve significant results will take not only the expertise he is learning, "but the right tools, which means support from management. There has to be a dedicated team for this," he said. "A new methodology won't help if you don't know how to use it."