Friday, February 22, 2013

APT is hard, but not impossible

When Jeff asked me to write this week’s blog, I jumped at the opportunity.  What an incredibly busy week not only for Red Sky but for the security world as a whole!  As many of us were getting prepared and turning our eyes to San Francisco and the RSA conference, on Tuesday Mandiant shook things up and released their controversial “APT1” report!  The conference will be all abuzz!  More on Mandiant's report in a bit.

Living in Northern New England, I often talk to organizations, banks, and companies on the small side.  Interestingly, one bank CISO described his bank as one such “small” bank, with nearly a billion dollars in assets!  To be fair, relatively speaking, that is probably a small bank, but who wouldn’t want 1% of what is considered “small”?! I digress…  There is a sense of security that comes with living in Northern New England.  The pace is slow and crime is low, and all too often this tranquility results in what I call “cyber complacency,” or the “I’m too small to own” syndrome.  Unfortunately, cyber criminals are not bound by the same societal values as the communities where their targets reside.

I’ve had many conversations with good security people and CISOs who do not see themselves as ever being the target of APT because, simply put, and quoting, “We’re too small. There are bigger fish to fry before they ever get to us.”  Oh, really?  I can’t entirely blame some people for holding this attitude.  APT is hard, not only to understand for many of the decision makers but also extremely hard to defend against when you’re outgunned and understaffed.

These conversations generally lead me into a story I often tell about a small defense contractor working on a very niche project for the Defense Department.  When asked what measures they were taking against the APT threat, the response was, “APT is too hard to deal with. Besides, we’re too small. No one cares what we’re doing.”  Unfortunately, someone did care, and this small company was gutted of its intellectual property.  Result: aside from the hundreds of thousands of dollars’ worth of intellectual property lost, the company lost its competitive advantage in the market space, and we, as a nation, may have lost our competitive advantage on the battlefield.

When I tell this story, the climate in the room often changes dramatically from “We’re too small to get owned” to “We know we are exposed, but we’re spending a ton on security already and we don’t even know where to start with APT.”  Again, APT is hard, but can you afford to ignore it?  The adversary knows this, and those that wish to steal from you are not doing it alone. They have teams of people targeting you, which brings me back to Mandiant.

Mandiant’s release of the APT1 report has been met with both strong applause and strong criticism. In my opinion, there are merits in the arguments on both sides.  Whether you agree with Mandiant’s decision or not, the release of the report pushes the APT problem, and “APT1” lurking in the shadowy corners of cyberspace, into the light for everyone to see.  Mandiant has thrust the conversation about the APT problem, its tenacity, and its effects light years forward, and I can only see the positives in that.

To me, there are two takeaways from the Mandiant report that should raise the hairs on any CISO, as well as anyone in the C-suite.  One is something we all know: once you’re the target, they’re coming in whether you like it or not.  They will outspend you in both time and money, and when they do get in, and they will, they’re there to stay!   The second takeaway is a more subtle one: the adversary is working in teams. Not only teams of highly trained people in the technical trades, but people trained in linguistics, cultural attitudes, human intelligence, and economics.  Can you afford a team equal in size and expertise?  Probably not.

APT is hard.  Red Sky members know this very well.  Red Sky is made up of multiple mature incident response teams from some of the largest Fortune 500 companies, sharing information, assisting one another, and working together to solve the complex APT problem.  Red Sky members form a team of very smart analysts and technical experts from a widely diverse range of industries and disciplines.

When you become a Red Sky member, these groups of professionals, facing the same threats as you, become part of your team and you become part of theirs.  The point is, your adversaries number in the hundreds if not thousands.  You can’t ignore that, and eventually you’re going to have to start somewhere; Mandiant has made that abundantly clear. You can go about it alone, but you don’t have to: ask for help and join the conversation!

For all of you traveling to the RSA conference, I wish you very safe travels.  If you’re like me, you’re leaving early to avoid the storm working its way eastward!  If you’re interested in speaking with me about Red Sky and how our members can help you, please feel free to reach out to me at

It’s going to be a great event and I’m looking forward to the presentations and the good people who are working in the trenches every day.

See you in San Francisco!