Neither government nor enterprise IT security defenses, says Mudge, are geared for such low-key incursions. “They have a fixed mind-set, which is border defense and standard kinds of probing and port scans. The idea that a foreign cyberforce could infiltrate over the period of a few years, then stand up and deny you the use of your own systems is foreign to them,” he says. “But that’s the scenario we have to start working on.”
Alan Paller, research director at the SANS Institute, agrees. “With spear phishing and [zero-day] vulnerabilities there’s really no perimeter. And once somebody’s in, if nobody is watching, this stuff spreads like a metastasis.”
Not to mention that the perpetrators may be very close to home. Cybertrust data shows that, in about 10 percent of all incidents it is asked to investigate, insiders are the source of the trouble. In another 30 percent, attacks come by way of connections with business partners and other trusted parties, says Kerry Bailey, senior vice president of global services at Cybertrust.
“The first problem is that these people didn’t necessarily break in. They may already have access, so devices like firewalls and IDS aren’t going to do anything. You’ve got to allow employees to have access to do their job,” says network-defense expert Eric Cole, CTO of The Sytex Group and an adjunct professor at New York Institute of Technology and Georgetown University.
That means IT staff must understand how attacks play out within the network: how software vulnerabilities in programs can allow attackers to gain a foothold and how, from there, they can compromise other systems, access sensitive data, and “exfiltrate” it from your network, Mudge says.
In other words, nameless hackers have penetrated your network and covered their tracks, but they’re not invisible. In most cases, infiltrators of enterprise networks don’t know where the information they want is located and have to look for it. In so doing, they often give away their presence by violating what Mudge terms the physics of networks.
“Think about your internal environment. It’s pretty well defined compared to the Internet, where you truly have distributed data. If I saw somebody accessing a bunch of different databases or database servers for finance, marketing, R&D, that doesn’t make any sense,” Mudge says, providing one example.
Companies such as Intrusic, which Mudge helped found, sell products that look for those kinds of “tells.” And more companies are investing in SEM (security event management) tools that correlate data from multiple security products.
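One way to automate the tell Mudge describes, as an added example that is not from the article or from any Intrusic product: a short Python script, with a constructed log format, server names and department map, that flags any client reaching databases belonging to three or more business units within an hour.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed map of database servers to the business unit each one serves.
DB_OWNER = {"db-fin-01": "finance", "db-fin-02": "finance",
            "db-mkt-01": "marketing", "db-rnd-01": "rnd"}

# Constructed connection log, one record per line: "timestamp client server".
SAMPLE_LOG = """\
2005-03-01T09:00:05 10.1.4.22 db-fin-01
2005-03-01T09:03:41 10.1.4.22 db-fin-02
2005-03-01T09:10:12 10.1.7.90 db-mkt-01
2005-03-01T22:14:03 10.1.9.51 db-fin-01
2005-03-01T22:16:48 10.1.9.51 db-mkt-01
2005-03-01T22:19:30 10.1.9.51 db-rnd-01
2005-03-02T08:45:00 10.1.9.51 db-fin-02
"""

def parse_log(text):
    """Yield (timestamp, client, server) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, server = line.split()
            yield datetime.fromisoformat(ts), client, server

def find_cross_unit_access(text, window=timedelta(hours=1), min_units=3):
    """Return {client: sorted units} for every client that reached databases
    belonging to at least min_units distinct business units inside one window.
    A finance analyst hitting two finance servers is normal; one host sweeping
    finance, marketing and R&D within an hour is the 'tell' worth a look."""
    events = defaultdict(list)
    for ts, client, server in parse_log(text):
        unit = DB_OWNER.get(server)          # ignore servers we cannot classify
        if unit:
            events[client].append((ts, unit))
    flagged = {}
    for client, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            units = {u for t, u in hits[i:] if t - start <= window}
            if len(units) >= min_units:
                flagged[client] = sorted(units)
                break
    return flagged

if __name__ == "__main__":
    for client, units in find_cross_unit_access(SAMPLE_LOG).items():
        print(f"{client} touched {', '.join(units)} databases within one hour")
```

In a real SEM deployment the server-to-unit map would come from an asset inventory and the records from database or firewall logs; the sliding-window logic is what makes the late-night sweep by 10.1.9.51 stand out while the finance workstation's two finance queries do not.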
But security experts agree that effective technology to combat the insider threat is still off in the future. Meanwhile, IT managers should train qualified internal incident response teams to look for telltale signs — and prepare dynamic and resilient responses to attacks so that panic doesn’t ensue when things start breaking.
Wars of attrition
What about preventing attacks before they start? Unfortunately, effective prosecution of organized cybercrime groups and state-sponsored hackers is a long way off. Realistically, the best strategy is a smart, flexible defense that makes attacks increasingly costly, causing hackers to simply move on.
Paul F. Roberts is a senior editor at InfoWorld.