Just a few years ago, the media was publishing daily stories about website defacements or even bank theft. How I wish for those halcyon days. Now APT (advanced persistent threat) attacks are grabbing media attention on a near-weekly basis -- and IT security teams must take heed and prepare.
The APT attackers are not stealing money or passwords, even when they break into banks. They are stealing information. In a nutshell, APT attackers aim to take all valuable intellectual property from the victim and transfer it to their home safe harbor country, either to use for competitive advantage or for profit.
This spate of APT attacks started off with the January 2010 announcement of Google's APT experiences; more recently, RSA reported that some of its confidential data had been compromised -- including information about the company's SecurID technology. That revelation has concerned users of the technology.
Hacker group Anonymous's HBGary email leaks show that Dupont, Walt Disney, Johnson & Johnson, Sony, and General Electric have all been hit, along with law firms and insurance companies. Global powerhouse investment firms and banks such as Morgan Stanley have been exploited. McAfee revealed that the world's biggest oil and energy companies have been victimized.
Democratic Senator Sheldon Whitehouse said it best last year, before the more recent round of revealed attacks: "We are on the losing end of the biggest transfer of wealth through theft and piracy in the history of the planet."
Notably, American companies aren't the only victims of APT attacks. Canada suffered such a massive hacker hit that the government had to temporarily pull its largest financial departments off the Internet while the damage was repaired. Because APT attackers focus on the Fortune 1000, nearly every company they hit is a global one.
Sadly, in every case, the targeted organizations had actually been under siege for months or even years before they noticed. I've been saying since July of last year that you should assume you've already been hacked.
APT action plan
The question, then, is what to do if your organization is hit by an APT attack. Every case is different and depends upon the details of the exploit. But in general, the cleanup and defense techniques are the very same ones we security IT admins have been taught and preached for the past 20 years. However, the problems and neglect we've been living with are finally catching up with us.
If there's any silver lining to your organization being hit by an APT attack, it's that the purse strings will probably start loosening; at least you'll have the money to spend to clean up the mess and institute the real security you've been talking about for the past five years or more. But money is only one part of the solution.
In a large environment, fixing everything at once is difficult. The best general approach is to identify your company's data crown jewels and to protect the part of the network that holds them as the highest priority. From there, move outward to less risky assets.