Advanced persistent threat

By Daniel Geer, Network World |  Security

In other words, the offense expends work whenever innovation is needed; the defense expends work each day and never catches up. Put differently, killing the most dangerous animal on the front porch each morning has no effect on the supply of dangerous animals waiting in the yard.

This "least expensive defense" is not insane, just ineffective because the offense is a sentient being with a strategic advantage. Solving an unbounded, amorphous problem does not generate much CIO enthusiasm, even when money is lying on the table unused; this is understandable.

The "least expensive defense" is also very difficult to calibrate. What does it mean if you add another defense to your infrastructure and then another offense promptly appears? Was that a win? Do you have any new information about how many more defenses it is going to take to win?

No, you did not win and you have no information beyond observing the latest defensive increment getting circumvented. Only getting in front of the threat can ever work; reacting to threat-after-loss has no effect on the future at all.

The most important part of an advanced persistent threat is the ability of its operator to mutate as needed. We see this so much already that we can almost say that the classic versions of defense are no longer of much relevance at all.

Antivirus has been rendered all but impotent by automated self-modification in ever more sentient offensive technology. Firewalls have been rendered all but irrelevant by tools that opportunistically hang their traffic on traffic that defense cannot afford to inspect, much less block. Auto-update has been rendered all but dilatory as the reverse engineering of patches into attack tools completes far faster than software updating does.

Even if you don't think the advanced persistent threat is all that advanced, realize that if this is so, it is only because it doesn't have to be when your defenses don't require it to be. Even more central, do not think that the supplier of defensive weapons will ever have weapons to thwart (the deployment of) offensive weapons that are sufficiently well targeted to hit only some people, some computers, some data. Antivirus vendors, firewall engineers, and/or auto-update operators simply cannot afford to deal with attacks that don't have high prevalence -- it is just not economical for them to try.

Trust is the lubricant of business. Competitiveness sometimes requires cooperation and cooperation always requires some trust. Your data is your wealth, but when you cooperate you share not only your good will but also your data, which is to say you share your wealth.

Originally published on Network World.