"Oh, we got hit by an APT," so therefore it’s okay. There was nothing we could do. Whaat? If you get some malware, it’s not APT. In fact, we've lost sight of what APT even really means, if the term ever meant anything at all. Here's the thing: it’s about integrity. If you've lost the integrity of your network and/or systems, you've lost. You can't strive to defend against malware, APT, or viruses. You have to defend your network and your data. Focus internally, grasshopper: figure out what is important to your business, keep it running, and enforce integrity.
As far as focus goes, I think we are also missing the point when it comes to our purchasing decisions. Lately, we have had a number of our customers ask us what products we think are best to counter "the APT." Look, security is not about having the right products. When PDC does a penetration test, we couldn't care less what security products an organization is using. Many times we don't even know what products they are using until after the test and after we have compromised their networks. The thing that gets us nervous before a test is effective change management. Yep, sucks, don't it? You see, effective change management shows that your organization has made a determination to actually know what is going on with your network. This is the key to security. It is not a product, it is not a test, it is about having the right processes in place to know when something is new or different.
We get called in on IR gigs and we see the same thing, but in reverse. We see organizations that have no idea what their normal traffic, user and system baselines actually are. If you cannot tell what is normal, there is no way you will be able to effectively tell what is abnormal. If you are in this category, APT, real APT, is going to kick your ass.
Originally discussed during episode 240
John Strand will be teaching Hacker Techniques and Incident Response June 25th-30th in Denver, Colorado. This time he will do his best to not get kicked out of the hotel....