Skip to main content

What scares you more: APT vs Anonymous vs Wikileaks?

So the past few years have been very interesting in IT security as the amount of public disclosures have increased exponentially. Victims like Google, RSA, HBGary, Bank of America, etc and consultants like Mandiant, McAfee, and Verizon Business have provided more details then ever about the serious threats facing the public and private sector. Its almost coming to the point of information overload, and that's even after weeding out the FUD and sales talk.

So as a security leader in your company what keeps you up at night? First lets define the three "threats" I'm detailing. Yes there are still plenty of other big time threats like organized crime, however I'm keeping the list intentionally small and current.

First you have our beloved APT. I hate this term, its been polluted by the originators of the term, by the people who should know better calling it FUD, and by the sales/marketing folks. But its what we have to work with. APT, has various goals, but the noisiest among them is theft of intellectual property. The outcome of such attacks is also varied, however in the near term it can impact business negotiations and M&A activity and in the long term it turns whatever special sauce your company has into a commodity available to other companies that can likely do it cheaper than US/EU counterparts. Of the three, this is by far the hardest to detect and respond to. It takes a strong security leader with both a short term tactical plan and a long term strategic vision to effectively mitigate this threat.

Next you have the Anonymous threat. For this discussion, just assume Anonymous = Hacktivists. The first rule of dealing with Hactivists is do not underestimate them. HBGary did and they are paying dearly. Hactivists groups are so different its hard to categorize them, however they generally target your company for its perceived policies, ethics, actions, or political stances. Like other threats this requires a comprehensive approach to hardening your network with a particular focus on email and document security. The outcome of such attacks is immediately felt, as its routinely publicized. Having a proactive communications and legal team is crucial to dealing with this threat also. While it's not always the case, acting in a transparent and ethical manner could also alleviate these fears. But that might just be too much to ask many businesses! :-)

Finally, we have johnny come lately Wikileaks and the lot. There are several Wikileaks type sites and for this discussion we can consider them the disgruntled insider threat (FYI, and before you call me out on it, I'm aware that Wikileaks stole some documents via p2p). The outcome of this attack is very similar to Hactivists in that you have an immediate public relations nightmare. Countering insider threats is extremely difficult. In basic terms you cannot not stop a skilled, privileged insider. The upside is that they are the most likely to be caught afterwards and be convicted. Companies have to use that to your advantage. Aside from the typical controls like access logging, DLP, and DRM, there is a whole set of another controls companies don't use. You should routinely communicate to employees that they are being monitored and even demonstrate this capability at internal security/it shows. Do not show them every card you have up your sleeve, however show them that the deck is stacked against them if they try to steal company data. We know this not to be the case, in terms of prevention, but the psychological effect is real.

So while I'm not going in depth on countermeasures, I've generally outlined the threats. Yes, I'm not adhering to the precise definition of threats in all cases, but you know what I mean if you are in IT security. So how do you rate them?

C-Level Executives/Upper Security Management
1 - Wikileaks
2 - Anonymous
3 - APT

CIRT/IT Security
1 - APT
2 - Wikileaks
3 - Anonymous

These are my rankings of what I think and what I believe upper management thinks. As I thought about this, it almost correlates to what causes the most discomfort for the person involved. If you are an incident responder, you don't want advanced foreign CNE actors gliding through your network undetected. If you are an executive, you don't want to do anything the will jeopardize the stock price in the near term. Every company is different, so its not a one size fits all solution. It never is. However, in my opinion taking a long term approach to the defense of your computing assets is the way to go. There are NO silver bullets. Knee jerk reactions need to be avoided to ensure they don't hurt rather then help your company. Consistent security leadership along with a c-level security advocate is beyond important.

Stay secure my friends

Comments

Popular posts from this blog

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your ...

2020 SANS CTI Summit Notes

Unfortunately due to some back surgery I was not able to attend the SANS CTI summit this year, however I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting which is useful when reviewing the slide decks. Hope you find this useful and well done @rickholland , @PDXbek , and @likethecoins , another great year of great content! Day 1 Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1579535253.pdf @CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding "Have a principled approach to sharing, so when the crisis comes you don’t have to panic.” "What we call common in #threatinel sharing is what a l...

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool. A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up th...