How do these constraints -- strong delegation, with no one in an elevated group -- lead me to believe that this big company probably isn't infected by an APT?
For one thing, there's no sign of APT. The company is an active honeypot deployer, and none of those honeypots have turned up anything unusual. Second, network and event log managers are in place and used aggressively. Most companies do a very poor job in this area, but this one takes the task seriously. These active monitors haven't flagged unauthorized activity that might indicate outside attackers have penetrated the network or transmitted data externally. When employees do something they shouldn't, a call from security often comes promptly.
The lack of evidence of APT infection makes sense. In every case I've seen, APT compromises someone's computer, uses that acquired access to escalate itself to an administrator of some type, adds its account to the Domain Admins group of the Active Directory forest, then dumps the domain controller's password hashes. It happens every time. No matter how else hackers get in, they always grab the password hashes. In this case, the company monitors the empty Domain Admins group, so if anyone adds himself or herself to it, nearly a dozen people get an immediate notification email, and the addition is then investigated.
I've seen this setup before, but to test the company, I added myself to the Domain Admins group. Sure enough, cellphones and pagers all around me started ringing. I asked if each alert is explored; immediately all employees around me said yes. They didn't hesitate, disagree, or laugh. That means something.
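The alerting described in the two paragraphs above is easy to reproduce. The following Python is an added example, not code from the column or from the company it describes: it scans parsed Windows Security log events for additions to Domain Admins (event ID 4728, "A member was added to a security-enabled global group", and its universal-group counterpart 4756) and, as a second check that survives gaps in log collection, compares the group's current membership against the expected empty set. The event records, account names and the `Alert` type are constructed for this example; extending the watch list to Enterprise Admins and Schema Admins is this example's generalization, not something the column states.

```python
"""Added example, not code from the original InfoWorld column.

Detection logic for the control the company relies on: Domain Admins is
kept empty, and any addition to it pages the security team. Two checks:

 1. event-driven: scan parsed Windows Security log events for 4728 ("A
    member was added to a security-enabled global group") and 4756 (the
    universal-group equivalent) whose target group is a watched admin group;
 2. baseline: compare the group's current membership with the expected
    (empty) set, which also catches additions made while event collection
    was down.

The event records and membership lists below are constructed for this
example (field names match the EventData fields of the real events; the
values are invented). Watching Enterprise Admins and Schema Admins alongside
Domain Admins is a generalization not stated in the column.
"""
from dataclasses import dataclass

MEMBER_ADDED_EVENTS = {4728: "global", 4756: "universal"}
WATCHED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}


@dataclass(frozen=True)
class Alert:
    source: str      # "event" or "baseline"
    group: str
    member: str      # account added (DN in the event, name in the baseline check)
    actor: str       # who made the change ("unknown" for the baseline check)
    event_id: int = 0


def alerts_from_events(events):
    """Return one Alert per addition to a watched group found in parsed events."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in MEMBER_ADDED_EVENTS:
            continue  # logons, group removals, etc. are not interesting here
        data = ev.get("EventData", {})
        group = data.get("TargetUserName", "")
        if group.lower() not in WATCHED_GROUPS:
            continue  # additions to ordinary groups do not page anyone
        alerts.append(Alert("event", group,
                            data.get("MemberName", "unknown"),
                            data.get("SubjectUserName", "unknown"), eid))
    return alerts


def baseline_alerts(group, current_members, expected_members=()):
    """Return an Alert for each current member not in the expected set.

    With expected_members left empty this encodes the zero-admin policy:
    any member at all is a finding."""
    expected = {m.lower() for m in expected_members}
    return [Alert("baseline", group, m, "unknown")
            for m in sorted(current_members) if m.lower() not in expected]


# Constructed sample data (not real log output).
SAMPLE_EVENTS = [
    {"EventID": 4624, "EventData": {"TargetUserName": "jdoe"}},  # a logon, ignored
    {"EventID": 4728, "EventData": {  # the case the company pages on
        "TargetUserName": "Domain Admins",
        "MemberName": "CN=auditor1,OU=Staff,DC=corp,DC=example",
        "SubjectUserName": "auditor1"}},
    {"EventID": 4728, "EventData": {  # ordinary group, ignored
        "TargetUserName": "Helpdesk Operators",
        "MemberName": "CN=tech1,OU=Staff,DC=corp,DC=example",
        "SubjectUserName": "svc_provisioning"}},
    {"EventID": 4729, "EventData": {  # removal from the group, ignored
        "TargetUserName": "Domain Admins",
        "MemberName": "CN=auditor1,OU=Staff,DC=corp,DC=example",
        "SubjectUserName": "auditor1"}},
]

if __name__ == "__main__":
    for a in alerts_from_events(SAMPLE_EVENTS):
        print(f"[{a.event_id}] {a.actor} added {a.member} to {a.group}")
    for a in baseline_alerts("Domain Admins", ["CORP\\auditor1"]):
        print(f"[baseline] unexpected member of {a.group}: {a.member}")
```

In production the event check runs against forwarded Security logs from every domain controller (the addition is logged on whichever DC processed it), and the baseline check runs on a schedule so that a membership change is caught even if an attacker has disabled auditing or log forwarding first. The point of the exercise in the column is the second half: an alert that fires is only worth something if someone picks up the pager every time.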
Now I can say I know at least one Fortune 500 company that has probably gone unexploited. I wish I could share the name, but that would make it an extra-special target for hackers. But now that I've highlighted its successful zero-admin approach, you can join the secret club.
This story, "The one company that wasn't hacked," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.