Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:25 PM
Connect Directly

CSOs, Execs Call For Better Intelligence-Sharing Among APT Victims

Executives at a recent RSA-sponsored summit share their findings about the nature of the APT-type attack

They met, they commiserated, they shared, and they agreed, among other things, that the well-heeled advanced persistent threat (APT) attackers targeting their organizations are better at sharing real-time intelligence about them than they are about sharing their experiences and information with other victims.

That's one of the conclusions drawn by the more than 100 CSOs and other executives from various industries and the public sector who recently met in Washington, D.C., at a closed-door summit hosted by TechAmerica and RSA Security, which earlier this year experienced first-hand the pain and fallout of a targeted attack. RSA's SecurID two-factor authentication technology was compromised in a major cyberespionage attack that ultimately led to RSA offering replacement tokens to its customers.

RSA today released findings from the consensus items drawn up by C-level and other executives at the July summit on the nature of the APT threat they are seeing targeting their organizations today, and some recommendations for combating these attacks. Among their conclusions: Attackers are better at sharing real-time intell than victim organizations are, and this is a key missing element in the battle against these attacks. Other findings: Plan and assume you've been breached; people are the new attack vector; advanced monitoring is needed for catching APT-type attacks; signature-based technology can't handle these customized attacks; and IT infrastructures need to be simplified so you can better protect them.

"There was [a sense of] validation that other competent security professionals are equally challenged and perplexed about what to do to prevent, detect, and respond" to these attacks, says Bill Boni, CISO for T-Mobile, who attended the summit. "The actual diligence required is eternal vigilance."

Living in what the execs characterized as a constant "state of compromise" requires minimizing the amount of exposure and damage. "Going into this session I've had conversations with people about this very issue, that almost every person ... is in a state of besiegement. That was true [among attendees]. The issue wasn't 'if' you were going to get compromised -- it's 'we are' and how good are we at detecting and stopping it?" said Eddie Schwartz, CSO at RSA.

More advanced, real-time monitoring, or situational awareness, was another recommendation cited by the CSOs as a way to combat APTs. "Not just network stuff, but also understanding the organization holistically: how employees are being affected, the kinds of beta attacks that are going on," Schwartz says. "And how that information can be shared among different types of companies."

The legal and regulatory obstacles to information-sharing among victimized organizations among industry sectors must be knocked down, he says.

Another item they agreed on was that the No. 1 attack vector for APTs is the human factor, with spear-phishing attacks regularly the first step in a targeted attack. "Many of us knew that, but it was confirmed by the people in the room" at the summit, RSA's Schwartz said.

T-Mobile's Boni says it demonstrates how security education and training aren't cutting it. "Education and training are not sufficient deterrents for a well-planned and well-executed attack," he says.

The execs say training needs to be combined with restrictions on user access and visibility in the network, and better training for users on why their access to social networks, for example, must be managed in sensitive data environments.

They also pointed to supply chain "poisoning" as a weak link: "We're only as strong as the weakest link in our supply chain. Adversaries will take the time and care to cultivate vulnerabilities through trusted vendors. Attendees noted that attackers have moved further upstream in the supply chain to get to a target," according to the Summit's findings report.

"Many organizations specifically asserted they have robust activities in their companies to protect the supply chain and the efficacy of the security of it," RSA's Schwartz says. That means using technology, as well as reputation rating services, auditing vendors, and the physical security of their plants and processes, he says.

Not surprisingly, the attendees also called out the failure of signature-based technology to combat targeted attacks. APT attackers often employ zero-day attacks, for instance.

And incident response needs to go beyond the IT security group. "Because being breached is now a fact of life, [incident response] becomes an organizational competency," RSA's Schwartz says. "You have to involve so many departments."

And for every APT breach that gets reported publicly, there are many more that we --and the victims -- don't know about. "Companies get inducted into 'the club' after an attack," RSA's Schwartz says.

Despite conventional wisdom that APT attackers are all about cyberespionage, the execs concluded that these attacks also could be about trying to sabotage, disrupt, or shame the victim publicly in some way.

Meanwhile, RSA plans to host regional Advanced Threats Summits this fall, with the first to kick-off on Oct. 10 in London during the 2011 RSA Conference Europe. The goal is to come up with and implement defenses against APT attacks.

A full copy of the inaugural summit's findings is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-23
Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
PUBLISHED: 2019-10-23
XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal.
PUBLISHED: 2019-10-23
XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response cap...
PUBLISHED: 2019-10-23
An issue was discovered on TerraMaster FS-210 4.0.19 devices. An authenticated remote non-administrative user can read unauthorized shared files, as demonstrated by the filename=*public*%25252Fadmin_OnlyRead.txt substring.
PUBLISHED: 2019-10-23
An issue was discovered on TerraMaster FS-210 4.0.19 devices. An unauthenticated attacker can download log files via the include/makecvs.php?Event= substring.