What you can do about Chinese APT attacks

Have your defenses been breached by Chinese hackers? If you have attractive intellectual property, it's quite possible. Here's how to detect and defend

Do you work for a company that has developed valuable intellectual property related to technology? If not, then you probably have little reason to worry about the now infamous APT1 team of the People's Liberation Army of China paying your network a visit. Very likely they aren't interested.

But if your company has goodies of this type to steal -- that includes tech startups, by the way -- your defenses may already have been breached by APT1. And the chances are slim that anyone in your company knows about it. According to the 2012 Verizon Data Breach Investigations Report, 92 percent of all security incidents were discovered by a third party because most companies are horrible at detecting malicious activity. Mandiant, the security firm whose report raised the alarm, supports the finding, noting that most victims of APT1 were compromised for nearly a year before discovery.

[ The top 10 questions about the People's Liberation Army's cyber attacks | Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

Mandiant is a credible source. It has been tracking what Chinese APT teams do, how they do it, and what they are interested in for more than a decade. Most of the companies I know that found out they'd been compromised by a Chinese APT attack were notified by Mandiant or one of the U.S. government agencies working with Mandiant.

How to tell if you're a victim

If your company doesn't yet know whether it is compromised, what can you do? I've covered this topic before, but in a nutshell, you need to know what programs are running on each of the computers under your control. Crazy, I know, but dare to dream.

I'm also a big believer in honeypots: Put a fake undefended computer out there and wait for the APT to connect to it. Anytime I've implemented a honeypot in a production environment, it has always captured malicious connections by way of previously undetected hackers or malware in a short period of time. One of my best-selling books is "Honeypots for Windows," and I've frequently written about them in this column over the years, most often in the context of insider threats. Unfortunately, many people think honeypots are just interesting toys.

But you don't even need honeypots to discover APT, although it does make it easier. The "advanced" part of APTs is in how continuously methodic they are in attacking their targets. They should be; it's their full-time job. But they aren't necessarily skilled at hiding or using zero-day tools. Most of the time, if you just looked and knew enough about your environment to know what is supposed to be running in it, you would find them.

The Verizon report says that over 90 percent of victims had the signs of compromise in their logs if they would've looked. Further, it states, "97 percent of breaches were avoidable through simple or intermediate controls." Those statistics aren't new. Verizon has been publishing similar statistics for as long as it has been releasing the report.

The only missing piece is for us to take action. It's our continued inaction in the face of overwhelming, continuous evidence that makes our enemies smile, whether they're looking to steal money, intellectual property, or state secrets.

This story, "What you can do about Chinese APT attacks," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies