Some companies cut over to a new infrastructure and others migrate over time; the former approach is more secure than the latter, but the latter is easier and smoother for operations.
Require that all users receive education about advanced persistent threats and current malware tricks (such as malformed PDFs, fake antivirus, social engineering) before being allowed back on the network with their new passwords. Employees can be informed of the APT event or simply told that the new passwords are part of the company's renewed effort to minimize security risk, depending on what the communication team decides.
Don't let your guard down against APT
Employees and management should expect APT attackers to fight back with a vengeance to re-establish their old footholds. The first few days after remediation are often the highest risk.
I'm a big fan of computer and domain isolation. Most workstations don't need to talk to other workstations, and most servers don't need to talk to other servers. Define what communication pathways are needed and block the rest. Use the fastest and dumbest device/service to accomplish the task. Use intelligent (but slower) application-level firewalls and proxies only where they are needed.
Make sure internal development teams are practicing secure development lifecycle techniques. Additionally, implement comprehensive event log management systems, detection, and response. Most malicious behavior would have been noticed if the event logs were configured correctly and reviewed.
In the future, look for unusual network traffic patterns. This is often the first easy-to-see sign of an APT attacker. It's what they do: Steal information and transfer it to places where you normally don't send data.
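One way to operationalize "look for unusual network traffic patterns" is to baseline each host's outbound destinations and volumes from an earlier window of flow records, then flag bulk transfers to destinations the host has never talked to. The script below is an added example, not code from the article or from InfoWorld; the flow records, the internal address ranges, and the thresholds (10x the host's previous peak, and at least 1 MB) are constructed assumptions for the demo.

```python
"""Flag unusual outbound transfers in NetFlow-style records (added example).

Builds a per-host baseline of external destinations and peak egress volume from
an earlier window, then flags current-window traffic that sends a large volume
to a destination the host has never contacted before. All records below are
constructed sample data; in practice they would come from your flow collector.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str        # internal source host
    dst: str        # destination address
    dst_port: int
    bytes_out: int  # bytes sent from src to dst


# Assumed internal ranges; anything else is treated as "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed baseline window: ordinary business traffic from previous weeks.
BASELINE = [
    Flow("10.0.1.20", "10.0.0.5", 445, 120_000),       # internal, ignored
    Flow("10.0.1.20", "203.0.113.10", 443, 40_000),
    Flow("10.0.1.20", "203.0.113.10", 443, 55_000),
    Flow("10.0.1.21", "203.0.113.10", 443, 30_000),
    Flow("10.0.1.21", "198.51.100.7", 443, 25_000),
]

# Constructed current window: one bulk transfer, one chunked transfer, one tiny new contact.
CURRENT = [
    Flow("10.0.1.20", "203.0.113.10", 443, 50_000),     # known destination
    Flow("10.0.1.20", "192.0.2.99", 443, 2_400_000),    # new destination, 2.4 MB in one flow
    Flow("10.0.1.21", "198.51.100.7", 443, 20_000),     # known destination
    Flow("10.0.1.21", "192.0.2.50", 443, 400_000),      # new destination, split into
    Flow("10.0.1.21", "192.0.2.50", 443, 400_000),      #   three 400 KB flows
    Flow("10.0.1.21", "192.0.2.50", 443, 400_000),
    Flow("10.0.1.21", "192.0.2.77", 22, 3_000),         # new but tiny: not worth an alert
]


def build_baseline(flows):
    """Return {host: (set of external destinations, peak bytes_out to any one of them)}."""
    dsts = defaultdict(set)
    peak = defaultdict(int)
    for f in flows:
        if is_internal(f.dst):
            continue
        dsts[f.src].add(f.dst)
        peak[f.src] = max(peak[f.src], f.bytes_out)
    return {host: (dsts[host], peak[host]) for host in dsts}


def find_unusual_egress(current, baseline, ratio=10, min_bytes=1_000_000):
    """Aggregate egress per (src, dst) over the window, then flag totals to a
    never-seen external destination that exceed both an absolute floor and
    `ratio` times the host's baseline peak. Aggregating first catches data that
    leaves in many small flows rather than one large one."""
    totals = defaultdict(int)
    for f in current:
        if not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    alerts = []
    for (src, dst), total in sorted(totals.items()):
        known, peak = baseline.get(src, (set(), 0))   # unseen host: everything is new
        if dst not in known and total >= min_bytes and total > ratio * peak:
            alerts.append((src, dst, total))
    return alerts


if __name__ == "__main__":
    for src, dst, total in find_unusual_egress(CURRENT, build_baseline(BASELINE)):
        print(f"ALERT {src} -> {dst}: {total} bytes to a destination never seen in baseline")
```

Run as-is and it reports the two new destinations that received more than 1 MB, while the 3 KB SSH contact stays quiet. The thresholds are a starting point, not a rule: tune `ratio` and `min_bytes` against a few weeks of your own flow data so that backup jobs and software updates do not drown real alerts.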
Finally, consider implementing one or more early-warning honeypots. They are low cost, low noise, and among the best detection devices for any network. In order for a hacker to exploit a network, they have to touch computers. Honeypots are nonproduction assets and, as such, should never be touched after the initial fine-tuning.
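The honeypot property the article relies on is that a nonproduction asset should never be touched, so every connection is an alert rather than something to classify. The listener below is an added example, not code from the article or from InfoWorld; the fake FTP banner, the loopback address, and the in-memory alert list are assumptions for the demo (a real deployment would forward each alert to the log management system the previous paragraph calls for).

```python
"""Early-warning honeypot: a nonproduction TCP listener where any touch is an alert
(added example). Sends a plausible banner so the intruder's first bytes are
captured along with source address and time. Banner and port are assumptions."""
import datetime
import socket
import threading


class Honeypot:
    """Listen on a port no legitimate system uses and record every connection."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftp service ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0 lets the OS pick one (handy for the self-test)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.alerts = []                    # stand-in for a SIEM/syslog forwarder
        self._lock = threading.Lock()

    def serve_one(self):
        """Accept a single connection; capture who touched us and what they sent first."""
        conn, (peer_ip, peer_port) = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            conn.sendall(self.banner)       # look like a service so the client reveals intent
            try:
                data = conn.recv(512)
            except socket.timeout:
                data = b""                  # a bare port scan connects and says nothing
        alert = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "honeypot_port": self.port,
            "peer_ip": peer_ip,
            "peer_port": peer_port,
            "first_bytes": data.decode("latin-1"),
        }
        with self._lock:
            self.alerts.append(alert)
        return alert

    def serve_forever(self):
        while True:
            self.serve_one()

    def close(self):
        self.sock.close()


def probe(port, payload, host="127.0.0.1"):
    """Client side used only by the self-test: connect, read the banner, send payload."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(128)
        c.sendall(payload)
    return banner


def simulated_touch():
    """Run one accept cycle against a local client and return the alert it produced."""
    hp = Honeypot()
    worker = threading.Thread(target=hp.serve_one, daemon=True)
    worker.start()
    probe(hp.port, b"USER anonymous\r\n")   # constructed 'intruder' traffic
    worker.join(5.0)
    hp.close()
    return hp.alerts[0] if hp.alerts else None


if __name__ == "__main__":
    print(simulated_touch())
```

Run stand-alone, the script connects to its own listener and prints the resulting alert. The design choice worth noting is that there is no detection logic at all: because the asset is nonproduction, the accept() itself is the signal, which is what keeps the false-positive rate so low after the initial tuning of which hosts are allowed to touch it (monitoring agents, vulnerability scanners).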
In closing, minimizing and eradicating advanced persistent threats is among the hardest challenges any company can face. It can be difficult, if not impossible, to completely wipe out these invaders if you're constrained by senior management, operational directives, and financial considerations. For many companies, the new normal is living with the risk of advanced persistent threats forever, but any company can fight the good fight.
This story, "Protect your network security: How to get rid of advanced persistent threats," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.