Advanced persistent threats have garnered a lot of attention of late, deservedly so. APTs are arguably the most dangerous security concern for business organisations today, given their targeted nature.
An APT attack is typically launched by a professional organisation based in a different country than the victim organisation, thereby complicating law enforcement. These hacking organisations are often broken into specialised teams that work together to infiltrate corporate networks and systems and extract as much valuable information as possible. Illegally hacking other companies is their day job. And most are very good at it.
By all expert opinion, APTs have compromised the information infrastructure of any relevant company. The question isn't whether you've been compromised by an APT, but whether you've noticed it.
I've been helping companies fight and prevent APTs for nearly a decade. In that time I've amassed my share of war stories from the IT security trenches. Here are some of the better real-life tales, not just for the chase, but for the lessons learned.
APT war story No. 1: APT eyes are watching you
I once spent more than a year responding to an APT attack at a multinational company that was involved in everything from high-tech satellites and guns to refrigerators and education. When I got the call, the client had already been hit by two other APT attacks, which isn't unusual. Most companies that discover an APT usually figure out it's been there for years. One client I worked with has been compromised by three different APT teams over the past eight years — not surprising in the least.
The multinational was finally serious about combatting the attack. The entire IT team was called together to respond; a large, single-purpose task force was created; all the relevant experts were brought in. It was decided that many months in the future all passwords would be reset.
You may wonder why the delay in resetting passwords. Password resets should always be pushed out far into the future in these situations because there's no use changing all the passwords to kick out an APT if you can't guarantee you can prevent the baddies from breaking right back in. Identify the most relevant weaknesses, fix them, then change the passwords. That's the best defense.
As in most companies I work with, everyone involved was sworn to secrecy. Code words were established, so the team could discuss various aspects of the project in (possibly monitored) emails without alerting intruders or employees not yet engaged.
In this instance, the big password reset day was scheduled to coincide with the company's annual baseball game, which had been instituted to increase employee morale. Because of this, the project was dubbed "company baseball game," with the name of the company changed here to protect its identity. From that point forward, no one mentioned APT or password reset. Everything was about the baseball game.