A few months ago I had a conversation with a security professional working in a major US defense contractor. It was right after the attack on RSA. “Welcome to the club”, he said, “we’ve been hit by these APTs for years”.
It’s a big and rapidly growing club. Attacks that the intelligence community classifies as Advanced Persistent Threats, once the realm of government and military targets alone, have shocked the corporate security world time and again in the last 18 months. They are not isolated incidents but rather an orchestrated campaign.
Some security purists claim APT is an overused term, that they do not constitute a truly new form of attack. Security practitioners who are charged with building the cyber defenses tend to hold the opposite view: that these advanced threats are nothing short of a seismic change in the threat landscape, that they effectively breach every perimeter control thrown at them, and that a new defense doctrine is needed to handle them.
You can argue about the use of the APT term, but one thing is clear: the industry takes it very seriously. I recently attended the APT Summit, presented by TechAmerica and RSA; over 100 security executives from US corporations, global companies and government agencies convened in Washington to discuss lessons learned in fighting advanced threats. It was a rare opportunity to meet many of the best thought leaders in the security space and get their direct perspective.
There were no armchair strategists in the crowd: those who showed up at the APT Summit were seasoned security veterans. They apply solid security principles in their organizations while allowing their business to continue; they fight for budgets and balance cutting-edge technologies with proven defense strategies. They know what works and what doesn’t; when they speak, their voice bears significant weight.
The APT Summit summary findings released by TechAmerica and RSA reflect this voice: the cyber security leadership has very specific calls to action. To start with, CEOs in every industry sector are urged to fund new strategies to combat advanced threats and to “plan and act as though you’ve already been breached.” This is a strong statement and a lot to ask for, but I believe it’s backed by a strong conviction among the participants that executive awareness of the risks of cyber attacks is at an all-time high. When asked if they believe it is easier now to ask senior management for greater security budgets, 70% of attendees said ‘yes.’
Another interesting and compelling call to action among Summit participants is for security organizations to urge lawmakers to remove legal barriers that impede information sharing among members of the global security ecosystem. The urgent need for effective, unhindered, real-time intelligence sharing platforms was voiced time and again during the summit.
Attendees agreed that the attack vector has shifted significantly from technology to people. They also agreed that while educating the work force is an important line of defense, no amount of training can foil 100% of social engineering attacks aimed at corporate employees. Anyone can be a target of spear phishing, and it can be quite effective given the right context.
Some of the government agencies involved in cyber defense urged the private sector corporations to take things seriously, saying the cyber threat is real and growing. They pointed out the economic cost of cyber attacks: “our national security is at risk because of the loss of intellectual property,” one of the government officials suggested. People’s heads nodded. This actually poses an interesting question: where does a nation draw the line in terms of protecting its assets? Should it protect only its government and military infrastructure? Extend that protection to critical infrastructure (which today is more than just power grids and transportation systems)? Or go all the way to protect its national investment in R&D and business innovation, by shielding its major corporations?
Early detection, end-user security training and incident response were named key elements to better defend against advanced threats and recover from inevitable cyber attacks. Anyone reading the recent SBIC report “When Advanced Persistent Threats Go Mainstream” can find similar recommendations, especially in the area of real-time cyber intelligence, next-generation abnormal behavior detection and investigation systems that focus on what’s happening inside the network, and new IT architecture that uses virtualization to help make the network far more resistant to external attacks.
The summit participants received firsthand feedback from those involved in investigating APTs about the severity and scale of the cyber campaign against the corporate sector. This came from both government agencies and forensic experts specializing in such attacks. One of the top experts said that in 90% of the cases his company worked on, amounting to dozens of major corporations, the target company never detected the attack. Someone else, often the intelligence community or law enforcement agencies, told them about it long after the intruder had already left the building. This is a very significant observation: in that sample, only 10% of attacks were detected by their target. The real rate is lower, since some companies will never know they were penetrated and that their intellectual property is in the wrong hands.
But that’s the 2011 situation. The growing realization that the industry needs a new defense doctrine, coupled with board-level awareness of cyber threats, will drive the market to develop new solutions and strategies. In a few years’ time we’ll see advanced detection capabilities, risk-based adaptive controls, real-time information sharing platforms, cyber intelligence efforts and a dynamic, threat-resistant infrastructure being implemented in major corporations. This will turn the tide and give corporations a fighting chance against their new adversary.
Let me conclude by saying that at the APT summit I found openness, a genuine interest in sharing, and a mutual feeling of optimism that the public and private sectors are coming together. Above all, I found a sense of urgency and a sense of purpose. You could light a thousand light bulbs with the energy flowing within that conference room, and that perhaps was the biggest sign that the landscape is changing not just on the offensive side, but on the defensive side as well.