Advanced persistent threat

By Daniel Geer, Network World | Security

Your counterparty may not care about your wealth as much as you do, and so the sentient opponent -- the one behind this advanced persistent threat -- will decide to get at your data (wealth) by applying his tools to your data while it is on your counterparty's premises. Said another way: the one who will suffer the loss and the one who must prevent the loss may not be the same entity. This works both ways: your firm may hold data for others, too.

Getting out in front does not happen by having the defense run faster. The offense has a strategic advantage, and it can always run faster than the defense. Einstein called this one right when he said that doing the same thing over and over again while expecting a different result is the very definition of insanity. Making your signature updates, perimeter configuration, software updates, or anything of the sort run faster will cost something, but deliver less. As the Harvard National Security Journal said on Feb. 22, 2010: "Analysts who measure the cost-effectiveness of defensive measures in cyberspace relative to the accelerating growth of new cyber attack methods suggest that the defending side in cyberspace is already at a severe disadvantage and that the offensive-defensive gap is widening."

In medicine, there is the concept of "no therapeutic difference," which occurs when further precision in diagnosis can make no further improvement in what can be prescribed. In the world of advanced persistent threats, a sufficiently targeted attack is indistinguishable from a corrupt insider. Distinguishing whether it is an APT or a corrupt insider has no therapeutic difference.

As has been written everywhere and at once, the corrupt insider may be exceedingly rare, but if he does exist, his damage potential more than makes up for his rarity. More to the point, if this APT is really advanced and persistent, you should assume that "they" have been in your systems before. You should assume that they have social engineering skills that will turn trusted employees into corrupt insiders with an alibi.

When you are losing a game that you cannot afford to lose, change the rules. The central rule today has been to have a shield for every arrow. But you can't carry enough shields, and you can run faster with fewer anyhow.

The advanced persistent threat, which is to say the offense that enjoys a permanent advantage and is already funding its R&D out of revenue, will win as long as you try to block what he does. You have to change the rules. You have to block his success from even being possible, not exchange volleys of ever better tools designed in response to his. You have to concentrate on outcomes, you have to pre-empt, you have to be your own intelligence agency, you have to instrument your enterprise, you have to instrument your data.


Originally published on Network World.