CSOs, Execs Call For Better Intelligence-Sharing Among APT Victims

They met, they commiserated, they shared, and they agreed, among other things, that the well-heeled advanced persistent threat (APT) attackers targeting their organizations are better at sharing real-time intelligence about them than they are about sharing their experiences and information with other victims.

That's one of the conclusions drawn by the more than 100 CSOs and other executives from various industries and the public sector who recently met in Washington, D.C., at a closed-door summit hosted by TechAmerica and RSA Security, which earlier this year experienced first-hand the pain and fallout of a targeted attack. RSA's SecurID two-factor authentication technology was compromised in a major cyberespionage attack that ultimately led to RSA offering replacement tokens to its customers.

RSA today released findings from the consensus items drawn up by C-level and other executives at the July summit on the nature of the APT threat they are seeing targeting their organizations today, and some recommendations for combating these attacks. Among their conclusions: Attackers are better at sharing real-time intell than victim organizations are, and this is a key missing element in the battle against these attacks. Other findings: Plan and assume you've been breached; people are the new attack vector; advanced monitoring is needed for catching APT-type attacks; signature-based technology can't handle these customized attacks; and IT infrastructures need to be simplified so you can better protect them.

"There was [a sense of] validation that other competent security professionals are equally challenged and perplexed about what to do to prevent, detect, and respond" to these attacks, says Bill Boni, CISO for T-Mobile, who attended the summit. "The actual diligence required is eternal vigilance."

Living in what the execs characterized as a constant "state of compromise" requires minimizing the amount of exposure and damage. "Going into this session I've had conversations with people about this very issue, that almost every person ... is in a state of besiegement. That was true [among attendees]. The issue wasn't 'if' you were going to get compromised -- it's 'we are' and how good are we at detecting and stopping it?" said Eddie Schwartz, CSO at RSA.

More advanced, real-time monitoring, or situational awareness, was another recommendation cited by the CSOs as a way to combat APTs. "Not just network stuff, but also understanding the organization holistically: how employees are being affected, the kinds of beta attacks that are going on," Schwartz says. "And how that information can be shared among different types of companies."

The legal and regulatory obstacles to information-sharing among victimized organizations among industry sectors must be knocked down, he says.

Another item they agreed on was that the No. 1 attack vector for APTs is the human factor, with spear-phishing attacks regularly the first step in a targeted attack. "Many of us knew that, but it was confirmed by the people in the room" at the summit, RSA's Schwartz said.

T-Mobile's Boni says it demonstrates how security education and training aren't cutting it. "Education and training are not sufficient deterrents for a well-planned and well-executed attack," he says.

The execs say training needs to be combined with restrictions on user access and visibility in the network, and better training for users on why their access to social networks, for example, must be managed in sensitive data environments.

They also pointed to supply chain "poisoning" as a weak link: "We're only as strong as the weakest link in our supply chain. Adversaries will take the time and care to cultivate vulnerabilities through trusted vendors. Attendees noted that attackers have moved further upstream in the supply chain to get to a target," according to the Summit's findings report.

"Many organizations specifically asserted they have robust activities in their companies to protect the supply chain and the efficacy of the security of it," RSA's Schwartz says. That means using technology, as well as reputation rating services, auditing vendors, and the physical security of their plants and processes, he says.

Not surprisingly, the attendees also called out the failure of signature-based technology to combat targeted attacks. APT attackers often employ zero-day attacks, for instance.

And incident response needs to go beyond the IT security group. "Because being breached is now a fact of life, [incident response] becomes an organizational competency," RSA's Schwartz says. "You have to involve so many departments."

And for every APT breach that gets reported publicly, there are many more that we --and the victims -- don't know about. "Companies get inducted into 'the club' after an attack," RSA's Schwartz says.

Despite conventional wisdom that APT attackers are all about cyberespionage, the execs concluded that these attacks also could be about trying to sabotage, disrupt, or shame the victim publicly in some way.

Meanwhile, RSA plans to host regional Advanced Threats Summits this fall, with the first to kick-off on Oct. 10 in London during the 2011 RSA Conference Europe. The goal is to come up with and implement defenses against APT attacks.

A full copy of the inaugural summit's findings is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.