Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/13/2011
02:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

CSOs, Execs Call For Better Intelligence-Sharing Among APT Victims

Executives at a recent RSA-sponsored summit share their findings about the nature of the APT-type attack

They met, they commiserated, they shared, and they agreed, among other things, that the well-heeled advanced persistent threat (APT) attackers targeting their organizations are better at sharing real-time intelligence about them than they are about sharing their experiences and information with other victims.

That's one of the conclusions drawn by the more than 100 CSOs and other executives from various industries and the public sector who recently met in Washington, D.C., at a closed-door summit hosted by TechAmerica and RSA Security, which earlier this year experienced first-hand the pain and fallout of a targeted attack. RSA's SecurID two-factor authentication technology was compromised in a major cyberespionage attack that ultimately led to RSA offering replacement tokens to its customers.

RSA today released findings from the consensus items drawn up by C-level and other executives at the July summit on the nature of the APT threat they are seeing targeting their organizations today, and some recommendations for combating these attacks. Among their conclusions: Attackers are better at sharing real-time intell than victim organizations are, and this is a key missing element in the battle against these attacks. Other findings: Plan and assume you've been breached; people are the new attack vector; advanced monitoring is needed for catching APT-type attacks; signature-based technology can't handle these customized attacks; and IT infrastructures need to be simplified so you can better protect them.

"There was [a sense of] validation that other competent security professionals are equally challenged and perplexed about what to do to prevent, detect, and respond" to these attacks, says Bill Boni, CISO for T-Mobile, who attended the summit. "The actual diligence required is eternal vigilance."

Living in what the execs characterized as a constant "state of compromise" requires minimizing the amount of exposure and damage. "Going into this session I've had conversations with people about this very issue, that almost every person ... is in a state of besiegement. That was true [among attendees]. The issue wasn't 'if' you were going to get compromised -- it's 'we are' and how good are we at detecting and stopping it?" said Eddie Schwartz, CSO at RSA.

More advanced, real-time monitoring, or situational awareness, was another recommendation cited by the CSOs as a way to combat APTs. "Not just network stuff, but also understanding the organization holistically: how employees are being affected, the kinds of beta attacks that are going on," Schwartz says. "And how that information can be shared among different types of companies."

The legal and regulatory obstacles to information-sharing among victimized organizations among industry sectors must be knocked down, he says.

Another item they agreed on was that the No. 1 attack vector for APTs is the human factor, with spear-phishing attacks regularly the first step in a targeted attack. "Many of us knew that, but it was confirmed by the people in the room" at the summit, RSA's Schwartz said.

T-Mobile's Boni says it demonstrates how security education and training aren't cutting it. "Education and training are not sufficient deterrents for a well-planned and well-executed attack," he says.

The execs say training needs to be combined with restrictions on user access and visibility in the network, and better training for users on why their access to social networks, for example, must be managed in sensitive data environments.

They also pointed to supply chain "poisoning" as a weak link: "We're only as strong as the weakest link in our supply chain. Adversaries will take the time and care to cultivate vulnerabilities through trusted vendors. Attendees noted that attackers have moved further upstream in the supply chain to get to a target," according to the Summit's findings report.

"Many organizations specifically asserted they have robust activities in their companies to protect the supply chain and the efficacy of the security of it," RSA's Schwartz says. That means using technology, as well as reputation rating services, auditing vendors, and the physical security of their plants and processes, he says.

Not surprisingly, the attendees also called out the failure of signature-based technology to combat targeted attacks. APT attackers often employ zero-day attacks, for instance.

And incident response needs to go beyond the IT security group. "Because being breached is now a fact of life, [incident response] becomes an organizational competency," RSA's Schwartz says. "You have to involve so many departments."

And for every APT breach that gets reported publicly, there are many more that we --and the victims -- don't know about. "Companies get inducted into 'the club' after an attack," RSA's Schwartz says.

Despite conventional wisdom that APT attackers are all about cyberespionage, the execs concluded that these attacks also could be about trying to sabotage, disrupt, or shame the victim publicly in some way.

Meanwhile, RSA plans to host regional Advanced Threats Summits this fall, with the first to kick-off on Oct. 10 in London during the 2011 RSA Conference Europe. The goal is to come up with and implement defenses against APT attacks.

A full copy of the inaugural summit's findings is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14499
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-14501
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also ...
CVE-2020-14503
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper input validation vulnerability. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
CVE-2020-14497
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
CVE-2020-14505
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection�) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that create...