June 26, 2012, 10:14 AM — Officially, advanced persistent threats (APTs) from China are not even happening. But everybody in information security, especially those trying to protect enterprises from economic espionage, knows that APTs, typically originating in China, are a fact of life in the cyber world, government denials notwithstanding.
As Rob Lee, of the SANS Institute, describes it in a blog post: "It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems including 10.3.58.7. You are compromised by the APT."
But Lee insists that while the enemies are good and keep getting better, "we can stop them."
Lee, an entrepreneur and consultant with an Air Force intelligence and law enforcement background, has developed a curriculum for a six-day SANS Advanced Computer Forensic Analysis and Incident Response Course. He said the need for training is obvious, since 50% of Fortune 500 companies have been compromised by APTs.
More than 90% of intrusions aren't even discovered by the victims themselves, but through third-party notification. In many cases, the APT has been on the victim network for months or even years, exfiltrating intellectual property data plus economic and political information.
And detection is only half the problem, Lee said. "The second half is that now that you're a victim, how do you respond? What we've been trained to do doesn't match what you should do on the ground. You can actually make it worse," he said.
A company that is notified, or discovers on its own, that it has been breached and reacts immediately to shut down an intruder will alert that intruder, who may then be able to change its code in other areas of the enterprise and remain hidden. "If you act too soon, you lose the chance to do some forensics, and your adversary will make the problem worse," Lee said.
This is one of the techniques Lee said he teaches in the course, which he is running this week in Austin, Texas, and will present starting July 5 at SANSFIRE in Washington, D.C.
The course, he said, is an effort to keep IT professionals from fighting the last war. It is now generally accepted that perimeter defenses are no longer effective, and that "weeds" are going to get into the enterprise garden. "It starts with an acceptance that weeds will happen," he said. "This is about building an IR (Incident Response) team so if a weed pops up, you aggressively counter it."