Given that every APT attack varies, there's no single defense plan. Still, the following steps could provide a useful start.
- Begin by threat modeling: map the past attacks you know about against the biggest weaknesses in your environment. That tells you where to start defending and cleaning up.
- Implement least-privilege authentication and access control. Don't give users access to any resource they don't use. This will help slow down damage from the next APT attack. Some of us at Microsoft (my full-time employer) are going so far as to tell people not to give anyone domain admin rights. Instead, use delegation.
- Harden computers following the vendor's recommended security settings.
- Make sure you're patching everything, especially popular browser add-ons.
- Implement application control (whitelisting) so that only approved programs can run. This stops new malicious programs from spreading across the environment.
- Implement strong password policies, with complex passwords of 12 characters or more for standard user accounts. Elevated accounts should use even longer passwords. Use two-factor authentication if long passwords are impractical or aren't secure enough.
- Implement an enterprisewide log management system, with comprehensive alerting and auditing.
- Isolate security domains and hosts. If computers shouldn't talk to each other, don't let them.
- Deploy anomaly detection, such as a host-based intrusion detection system (HIDS) or a network-based intrusion detection system (NIDS).
- Make sure antivirus scanners check for updates at least once every 24 hours and that they are configured to detect hacking tools; many scanners treat those as "potentially unwanted" programs and ignore them unless that detection is switched on.
- Educate end-users about the biggest risks, such as Adobe Acrobat and Java exploits, fake antivirus warnings, phishing sites, and so on.
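Several of the steps above (least privilege, long passwords, and especially an enterprisewide log management system "with comprehensive alerting") only pay off if someone actually writes the alerts. The following is an added example, not code from the original column, of what three such alerting rules look like when run over Windows Security event records: a privileged logon (event 4672) on a host that is not a hardened admin host, a change to a sensitive group's membership (event 4728), and a successful logon (4624) after a burst of failures (4625). The event IDs are real Windows audit event IDs; the hostnames, account names, tier-0 host list, thresholds, and the sample records themselves are constructed assumptions for the example.

```python
"""Added example: simple alerting rules over Windows Security event log records.

Constructed for illustration, not from the original column. Event IDs 4624 (logon
success), 4625 (logon failure), 4672 (special privileges assigned to new logon) and
4728 (member added to a security-enabled global group) are real Windows Security
audit events; hostnames, accounts, the tier-0 host list and thresholds are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: only these hosts are expected to see privileged (admin) logons.
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}
# Assumption: membership changes to these groups should always raise an alert.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

FAIL_THRESHOLD = 5              # failures before a success that count as guessing
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample records, normalised to (timestamp, event_id, host, account, extra).
# For 4728, "account" is the member that was added and "extra" is the group name.
SAMPLE_EVENTS = [
    ("2011-04-01T08:00:00", 4624, "WS-042", "jsmith", ""),
    ("2011-04-01T08:05:00", 4672, "DC01", "svc-backup", ""),         # admin logon on a DC: expected
    ("2011-04-01T09:10:00", 4672, "WS-042", "jsmith", ""),           # admin privileges on a workstation
    ("2011-04-01T09:11:00", 4728, "DC01", "jsmith", "Domain Admins"),  # jsmith added to Domain Admins
    ("2011-04-01T09:20:00", 4625, "WS-077", "bjones", ""),
    ("2011-04-01T09:20:05", 4625, "WS-077", "bjones", ""),
    ("2011-04-01T09:20:10", 4625, "WS-077", "bjones", ""),
    ("2011-04-01T09:20:15", 4625, "WS-077", "bjones", ""),
    ("2011-04-01T09:20:20", 4625, "WS-077", "bjones", ""),
    ("2011-04-01T09:20:30", 4624, "WS-077", "bjones", ""),           # success after 5 failures
    ("2011-04-01T09:25:00", 4625, "WS-099", "ccole", ""),
    ("2011-04-01T09:26:00", 4624, "WS-099", "ccole", ""),            # one typo, then success: no alert
]


def detect(events):
    """Return a list of (rule, account, detail) alerts for the given event records."""
    alerts = []
    failures = defaultdict(deque)   # account -> timestamps of recent 4625 events
    for ts_str, event_id, host, account, extra in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4672 and host not in TIER0_HOSTS:
            alerts.append(("privileged-logon-off-tier0", account, host))
        elif event_id == 4728 and extra in SENSITIVE_GROUPS:
            alerts.append(("sensitive-group-membership-change", account, extra))
        elif event_id == 4625:
            q = failures[account]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # forget failures outside the window
                q.popleft()
        elif event_id == 4624:
            q = failures[account]
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("success-after-repeated-failures", account, host))
            q.clear()   # a successful logon resets the counter for that account
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first two rules are only possible because of the earlier steps: if domain admin rights are delegated rather than handed out, and admin work is confined to a few hardened hosts, then any 4672 elsewhere or any 4728 on Domain Admins is a real signal rather than noise. In production the same logic would read from a SIEM or Windows Event Forwarding collector instead of an in-memory list.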
There's much more to battling an APT attack, but the list above should provide a good start. If your company hasn't been hit by an APT, make sure it doesn't join the organizations that will be reporting in a few months that they've been compromised. If you've been hit by an APT, I feel for you. Some of the ideas above should help.
This story, "Prepare for advanced persistent threats, or risk being the next RSA," was originally published at InfoWorld.com in Roger Grimes' Security Adviser blog.