Thursday, February 25, 2010

The Dynamic Threat Vectors

The new threat vectors that we are facing in security are not really new, but are updates of old attacks that have been around for years. I consider myself relatively new to the scene, less than 7 years, and most of that from a help desk or academic background, but even I can see that this is not something new.

Recently I sat in on a SANS APT webcast presented by Nitrosecurity. While some of the information was good, the rest of it was a disappointment because the presenters failed to understand what APT really is. I believe that TaoSecurity does a good job explaining it here and here. Yet we are still led to believe that the attack on Google is a new thing.

The scary thing about all this is that we live in a world where InfoSecurity is determined by arbitrary risk thresholds and proven ROI. The reality is that if a corporation is truly secured, you will never know how many attacks were prevented; but the truth is that a corporation that thinks it is truly secured has not verified its logs and all of its assets.

Now comes the question of how we defend against APT. This is not something where you can wave a magic wand and find the perfect solution in a vendor product to protect yourself. The defense against APT is a bastion of layered defenses that, when used together, form a solid defense. Analysts must be trained, not just in technology and response techniques, but in how the network behaves, what traffic is expected on the network, and what the known vulnerabilities within the network are. An analyst must be willing to trust their instinct about network activity, and they must have proper escalation procedures in place in case of an attack. Management then must be willing to react, contain, adapt and mitigate on the fly to defend their network. But in doing that we should not compromise the integrity of the data that can be gathered from the attack, in the hope of mitigating further attacks from our threat vectors.
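The three ideas in that paragraph, knowing what traffic is expected, escalating by severity, and preserving the evidence gathered from the attack, can be shown in a few dozen lines. The example below is added here and is not code from the original post or from any vendor product it mentions. It builds a per-host baseline of (destination, port) pairs from a constructed known-good window of flow records, scores new flows against that baseline, picks an escalation action from the worst finding, and hashes the raw records so the evidence handed to incident response can be verified later. The flow records, the severity labels, the escalation table and the 10 MB upload threshold are all assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample flow records (src, dst, dport, bytes_out); not real traffic.
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 53, 120),
    ("10.0.1.20", "203.0.113.10", 443, 4000),
    ("10.0.1.20", "10.0.0.9", 445, 9000),
    ("10.0.1.21", "10.0.0.5", 53, 100),
    ("10.0.1.21", "203.0.113.10", 443, 3500),
]

NEW_FLOWS = [
    ("10.0.1.20", "203.0.113.10", 443, 4200),          # matches baseline
    ("10.0.1.21", "198.51.100.77", 443, 2000),         # new destination, familiar port
    ("10.0.1.21", "198.51.100.77", 8443, 50_000_000),  # new destination, new port, large upload
    ("10.0.1.22", "10.0.0.5", 53, 90),                 # host never seen in the baseline window
]

SEVERITY = {"expected": 0, "low": 1, "medium": 2, "high": 3}
LARGE_UPLOAD = 10_000_000  # bytes; an assumed threshold for this example

# Assumed escalation procedure, keyed by the worst severity seen in a batch.
ESCALATION = {
    0: "log only",
    1: "queue for analyst review",
    2: "notify analyst now",
    3: "open incident, preserve evidence",
}


def build_baseline(flows):
    """Map each internal host to the (dst, port) pairs seen during the known-good window."""
    baseline = defaultdict(set)
    for src, dst, dport, _ in flows:
        baseline[src].add((dst, dport))
    return baseline


def score_flow(baseline, flow):
    """Rate one flow against what the baseline says is expected for its source host."""
    src, dst, dport, nbytes = flow
    if src not in baseline:
        # No history for this host: an analyst has to decide whether it belongs on the network.
        return "medium"
    known = baseline[src]
    if (dst, dport) in known:
        return "expected"
    if nbytes >= LARGE_UPLOAD:
        # Unusual destination plus a large outbound transfer is the most urgent case.
        return "high"
    known_ports = {port for _, port in known}
    if dport in known_ports:
        # Same service the host normally talks to, just a destination we have not seen.
        return "low"
    return "medium"


def evidence_digest(flows):
    """SHA-256 over the raw records in original order, so the evidence can be verified later."""
    h = hashlib.sha256()
    for src, dst, dport, nbytes in flows:
        h.update(f"{src},{dst},{dport},{nbytes}\n".encode())
    return h.hexdigest()


def triage(baseline, flows):
    """Score every flow, choose the escalation action, and seal the raw records with a digest."""
    findings = [(flow, score_flow(baseline, flow)) for flow in flows]
    worst = max(SEVERITY[sev] for _, sev in findings)
    return {
        "findings": findings,
        "action": ESCALATION[worst],
        "evidence_sha256": evidence_digest(flows),
    }


if __name__ == "__main__":
    result = triage(build_baseline(BASELINE_FLOWS), NEW_FLOWS)
    for flow, sev in result["findings"]:
        print(f"{sev:>8}  {flow}")
    print("action:", result["action"])
    print("evidence sha256:", result["evidence_sha256"])
```

The digest is computed over the records exactly as received, before any filtering or enrichment, which is the point of the paragraph's last sentence: containment steps can run on copies, while the original records and their hash stay untouched for whoever analyses the attack afterwards.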

Of course, our defense against APT should also be the foundation for all of our incidents. If an analyst does not know the network, does not understand the network traffic, and cannot make the judgment call that something is not right, then regardless of the money we throw at security vendors' products, our networks will never be secured.
