How to get rid of advanced persistent threats

Eradicating entrenched APT hackers requires catching them off guard with careful, stealthy planning

Having been involved in fighting off nearly two dozen APT (advanced persistent threat) attacks over the past three years, I'm somewhat experienced at eradicating them -- or, more accurately, minimizing them -- in large networks. This type of attack isn't impossible to detect; in fact, that's the easy part. Advanced persistent threats are, however, exceedingly difficult to remove from your network without severely disrupting revenue-generating operations and/or exposing your environment to additional compromises.

Although every instance of an advanced persistent threat is unique, I can offer general suggestions for facing such threats for the first time. Finding and eliminating -- or at least reducing -- an APT attack requires careful and stealthy planning, so as not to alert the attackers to your defensive maneuvers and give them a chance to counter your efforts.

Preparing your network and your staff for remediation day
If you're an IT admin, communicate the known extent of the problem and initial plans for dealing with the advanced persistent threat to IT senior management. This will often morph into presentations to overall senior management, likely to the board of directors, regulators, partners, vendors, and so on. Let senior management dictate who gets to know what and when.

The first major technical response should be to implement more detection across your network; you need to find out the severity of the APT problem. Which computers are owned (that is, under attacker control)? Are passwords known to the attackers? What tools and malware are being used? Is email compromised? Where is the data flowing to, both internally and externally? At a minimum, detecting APT usually means implementing host and network intrusion detection software if it is not already in use.
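As an added illustration of the "where is the data flowing to?" question (this is example code written for this page, not a tool from the article or its author), the script below triages a small set of constructed flow records: it totals what each internal host sends to internal versus external destinations, and flags external connections whose timing is almost perfectly regular, the check-in pattern typical of a remote-access implant. The addresses, hosts, volumes, the 10.0.0.0/8 internal range and the jitter threshold are all assumptions chosen for the demonstration; on a real network you would feed it exported firewall, proxy or NetFlow data and tune the thresholds.

```python
"""Added example (not from the article): triage constructed flow logs to
answer "where is the data flowing to?" by summarising outbound volume per
internal host and flagging connections with machine-like regular timing."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: timestamp, src, dst, dst port, bytes out.
# Hosts, addresses and volumes are invented for illustration only.
SAMPLE_FLOWS = """\
2024-05-01T09:00:00 10.0.5.21 10.0.1.10 445 2048
2024-05-01T09:00:05 10.0.5.21 203.0.113.50 443 512
2024-05-01T09:10:05 10.0.5.21 203.0.113.50 443 530
2024-05-01T09:20:04 10.0.5.21 203.0.113.50 443 498
2024-05-01T09:30:06 10.0.5.21 203.0.113.50 443 515
2024-05-01T09:40:05 10.0.5.21 203.0.113.50 443 520
2024-05-01T09:01:13 10.0.5.40 198.51.100.7 443 3000
2024-05-01T09:17:41 10.0.5.40 198.51.100.7 443 1200
2024-05-01T09:52:02 10.0.5.40 198.51.100.7 443 8000
2024-05-01T10:30:00 10.0.5.40 198.51.100.7 443 700
2024-05-01T09:05:00 10.0.5.21 10.0.1.10 445 120000000
"""

# Assumed address space of the internal network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_volume(flows):
    """Bytes sent by each internal host, split by internal/external destination.
    A large internal total can point at data being staged on a file server."""
    totals = defaultdict(lambda: {"internal": 0, "external": 0})
    for f in flows:
        if not is_internal(f["src"]):
            continue
        key = "internal" if is_internal(f["dst"]) else "external"
        totals[f["src"]][key] += f["bytes"]
    return dict(totals)


def find_beacons(flows, min_count=4, max_jitter_ratio=0.1):
    """Flag (src, dst, port) tuples to external hosts whose inter-connection
    gaps are nearly constant. Jitter is stdev/mean of the gaps; the threshold
    is an assumed starting point, not a universal constant."""
    by_tuple = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            by_tuple[(f["src"], f["dst"], f["port"])].append(f["ts"])
    beacons = []
    for (src, dst, port), stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter_ratio:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "count": len(stamps), "mean_gap_s": round(mean),
                            "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, vol in outbound_volume(flows).items():
        print(f"{host}: internal={vol['internal']} external={vol['external']}")
    for b in find_beacons(flows):
        print(f"regular check-in: {b}")
```

In the sample data, 10.0.5.21 contacts 203.0.113.50 every ten minutes with about a second of jitter and also pushes a large volume to an internal file server, while 10.0.5.40's irregular traffic is not flagged; both outputs are leads for the host-based investigation, not verdicts.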

Next, you need to determine the best way to handle the problem. You might choose to remove each compromised computer from the network immediately. Alternatively, you might initially allow those systems to continue running unabated to prevent the APT planners from becoming aware that they've been discovered. This is an individual risk decision for each company; I've seen it handled both ways.
