How to get rid of advanced persistent threats

Eradicating entrenched APT hackers requires catching them off guard with careful, stealthy planning

Having been involved in fighting off nearly two dozen APT (advanced persistent threat) attacks over the past three years, I'm somewhat experienced at eradicating them -- or, more accurately, minimizing them -- in large networks. This type of attack isn't impossible to detect; in fact, that's the easy part. Advanced persistent threats are, however, exceedingly difficult to remove from your network without severely disrupting revenue-generating operations and/or exposing your environment to additional compromises.

Although every instance of an advanced persistent threat is unique, I can offer general suggestions for facing such threats for the first time. Finding and eliminating -- or at least reducing -- an APT attack requires careful and stealthy planning, so as not to alert the attackers to your defensive maneuvers and give them a chance to counter your efforts.

Preparing your network and your staff for remediation day
If you're an IT admin, communicate the known extent of the problem and initial plans for dealing with the advanced persistent threat to IT senior management. This will often morph into presentations to overall senior management, likely to the board of directors, regulators, partners, vendors, and so on. Let senior management dictate who gets to know what and when.

The first major technical response should be to implement more detection across your network; you need to find out the severity of the APT problem. Which computers are owned? Are passwords known? What tools and malware are being used? Is email compromised? Where is the data flowing to, both internally and externally? At a minimum, detecting APT usually means implementing host and network intrusion detection software if it is not already in use.

Next, you need to determine the best way to handle the problem. You might choose to remove each compromised computer from the network immediately. Alternatively, you might initially allow those systems to continue running unabated to prevent the APT planners from becoming aware that they've been discovered. This is an individual risk decision for each company; I've seen it handled both ways.

From there, invite remediation participants and make an eradication plan. Your network security team should include technical staff, senior management representatives, vendor specialists, APT specialists, affected business unit team leaders, messaging groups, project managers, and whoever else needs to be involved. In general, start small, and bring in people as necessary. Everyone involved needs to sign an NDA document, even if the company already has one. You want to reinforce the seriousness of keeping the information secret from the large entity until a formal communication plan can be created and implemented.

Assign the APT and remediation event a keyword that all participants will use in online communications. Use phrases such as "health care update," "baseball game," or "travel policy." You want something that should be innocuous enough not to attract unnecessary attention from your APT attackers.

1 2 3 Page 1
Page 1 of 3
How to choose a SIEM solution: 11 key features and considerations