Advanced Persistent Threat (APT)

There has been a great deal of discussion in the security community about APT. The link covers it at a high level, but in a nutshell, it’s type of hacking that is distinguished by people who have the time and money to target specific individuals and organizations. Since the number of resources (time and money) available to the attackers are at a much larger scale than what the defenders can muster, a lot of people are calling this a game changer.

As usual, the battle lines seem drawn along traditional lines, with both sides claiming that the other “doesn’t get it”. For a quick read, check out Richard Bejtlich’s post and MANDIANT’s post and, for a counterpoint, check out Gunnar Peterson’s.

Of course, they’re both right. Neither side gets it. Both are blind. Those that work enterprise security consulting see APT everywhere… mostly, I suspect, because in the enterprise security space you only call the consultants when it’s something particularly troublesome (like APT). Of course, once you’ve focused on APT, that’s what you get called in on, so the problem probably looks bigger than it is.

In contrast, those of use that don’t consult in those spaces don’t get those calls, so we don’t see it. We also probably don’t have the transparency needed to see such activity if it is going on in our organizations. So we minimize the threat.

So what do you do about APT?

I suggest that you consider the following checklist:

1. Do you have a firewall?
2. Does your firewall block outgoing connections?
3. Do you have local antimalware running on all your endpoints?
4. Do you have a web filtering solution in place?
5. Is all access to all systems monitored and audited regularly?
6. Do you have a process in place to pull all legacy systems off your network?
7. Do you have a patch management system in place?
8. Do you have a vulnerability management process in place?
9. Do you matc all system configurations against hardened templates?
10. Do you have a data classification policy that applies to all your data?
11. Are you encrypting your important data?
12. Do you have a log retention and management infrastructure built?
13. Are you running an IDS/IPS system?
14. Do you have third party management systems in place?
15. Are all of your web applications running in hardened stacks?
16. Are you using web application firewalls?
17. Are you using database firewalls?
18. Do you have regular employee awareness training?
19. Are complete penetration tests conducted against your organization?
20. Do you have an Internet data monitoring and scrubbing policy in place?

If the answer to each question is “yes”, then you should worry about APT. This is not to say that if any of these are “no”, you don’t have APT going on in your environment. I’m saying that there’s no point pursuing a full on anti-APT strategy until you have the basics in place… and there are a lot of basics. I’m also not saying that any of these technologies will prevent APT (or any security issues), or that all problems even have technical solutions. These are just 20 questions that explore what a minimal and sufficient security solution looks like for the average business.

If you don’t have a minimal and sufficient security solution in place, it’s not that APT isn’t a threat or that an unknown enemy isn’t out to get you… it’s that you probably have more important things to be working on.