My good friend Rafal Los, security evangelist for HP, isn’t so sure about the conclusions drawn in a story we ran yesterday about our ability to beat back advanced persistent threats. He has written a new blog post on the subject that’s worth sharing.

From yesterday’s story:

Officially, advanced persistent threats (APTs) from China are not even happening. But everybody in information security, especially those trying to protect enterprises from economic espionage, knows that APTs, typically originating in China, are a fact of life in the cyber world, government denials notwithstanding.

As Rob Lee, of the SANS Institute, describes it in a blog post: “It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don’t ask us how we know, but you should probably check out several of your systems including 10.3.58.7. You are compromised by the APT.”

But Lee insists that while the enemies are good and keep getting better, “we can stop them.”

Lee, an entrepreneur and consultant with an Air Force intelligence and law enforcement background, has developed a curriculum for a six-day SANS Advanced Computer Forensic Analysis and Incident Response Course. He said the need for training is obvious, since 50% of Fortune 500 companies have been compromised by APTs.

Los argues that those who talk of beating APTs — especially those who speak in absolutes — are selling snake oil. From his post:

Given that I’m a pragmatist it shouldn’t surprise you that my position on defense against APT is that anyone who tells you they can ‘stop’ APT and using absolutes is either delusional or trying to sell you something (or a bit of both). The fact of the matter is this – Advanced Persistent Threats are real. They’re a threat to business through intellectual property theft, through espionage and infiltration of our government secrets and defenses, and potentially a compromise of our infrastructure.
Not that it’s a secret or anything – but you, me, and everyone seeking to protect something of value is thinking about defense against APTs. You may be thinking to yourself – “Self, does this mean that since we can’t effectively ‘stop’ APT that we’ve given up?” Absolutely not. What you, me, and everyone else vested in Information Security needs to learn to live with is that the ‘bad guys’ are likely already inside the castle, and we don’t always have nice labels on them to identify them. This is where my post from yesterday falls right in line as well… If we can’t ‘stop’ the APT, what then? I think the answer isn’t if we can stop APT, it’s all about the response.

I think he’s right, and I encourage you to read the full post. But in Lee’s defense, I think his suggestion was essentially the same as Los’: that the most important thing is how a company responds to the threat. I don’t believe he was suggesting APTs can be stopped cold, for good. But a lot of security vendors have made that claim, so Los’ post is valid all the same.

Read the original story, then Los’ post, then discuss.