Going above and beyond traditional security

Security Art

Cyber, Cyber, Cyber. What are we talking about anyway?

A long drought (almost a month) in this blog is finally coming to an end after I had some great conversations with good friends at the cyber un-conference here in Israel. One of the obvious discussions is around the use of the term cyber (surprise). The general agreement is that the term has been violated pretty badly by security consulting firms and vendors trying to jump on the “cyber” bandwagon without the slightest clue of what they are talking about (another shocker!).

But seriously now, we are all to blame for using the term once in a while (yours truly not excluded), while we all refer to different things. So, let’s try to get some order into the media hype and understand (at least the way I see it) what this cyber we are talking about actually is.

Disclaimer: this is what I believe that Cyber actually refers to. Your mileage may vary…

For me, cyber starts from way up. Beyond technology and the Internet, and even beyond warfare and conflict. Cyber is first and foremost a domain. Much like air, land, sea, and space. A domain is (from the Merriam-Webster dictionary):

1. a. complete and absolute ownership of land
b. land so owned
2. a territory over which dominion is exercised

As such, domains that are not under direct ownership are treated by sovereign countries first and foremost as economic factors that affect their well-being. Most importantly, shared or international domains are crucial to enabling international trade, communication, travel and freedom (especially air, sea and space). Such domains are referred to as “global commons”.

Now think of the Internet and the underlying parts that make it work. Computers, network equipment, cabling, satellite communications and other elements that are owned by a variety of private companies and governments, and are under different jurisdictions around the world. Because it is so hard to pinpoint the ownership of a specific part of the Internet, it is much simpler to treat it as a general domain, and as such, a global common. This is exactly how most modern countries act, and how it, much like the other global commons, became an element of conflicts when such countries escalate diplomatic efforts into actions. A good example of how this works can be seen in the work that NATO is putting into addressing this exact question. Note how much of the effort is placed first on the legal and cooperative elements before addressing the battlefield (NATO and Cyber Defense – PDF).

So we went from an economic domain that supports communications, trade and information to an element which countries may use as part of their available conflict management against other countries. Enter: cyberwar. What most abuses of the term these days do not take into account is that cyberwar, much like airwar, seawar, spacewar and landwar, is almost never a singular element in a conflict. It is part of a larger strategy and a means of affecting diplomatic efforts to achieve some goal at a national or international level. Hence, cyber-weapons are never products or pieces of software, but more generally tactics that are deployed in order to gain an advantage in the cyber common in conjunction with other tactics and strategies used in other domains.

I’m sorry that this isn’t the “sexy” cool thing that some consultant who used to do vulnerability assessments is trying to pitch to you, or some product that a vendor is trying to sell you in preparation for the imminent cyberwar that will erupt any minute now and eject all the CD trays of the PCs in your organization. It’s more along the lines of a broader understanding of which elements that would be used in the cyber common would affect us as individuals, organizations, cultures and countries, and that is what we should be concerned about. It’s more about how countries are developing capabilities that would be used to gain an advantage over their adversaries in diplomatic conflicts, whether on an ongoing basis – much like “normal” spying and intelligence gathering is done in times of peace – or in times when more active measures are taken.

The bottom line is that the “Cyber” term is first handled at the higher levels, which may have nothing to do with some virus or worm hitting a nuclear plant, and only then translated into the tactics used to protect or attack assets which have some manifestation in that domain.

Now we can all get back to abusing the term. At least we know how we are going to abuse it :-)

Additional reading:
http://www.worldpoliticsreview.com/articles/6838/resetting-article-5-toward-a-new-understanding-of-natos-security-guarantees
http://security.cbronline.com/news/cyberspace-is-operational-domain-like-air-land-and-sea-us-150711


Hackers, Credit Cards, and the Media

In the past couple of weeks there has been an interesting “hacking” trend going on in Israel. It started with the publication of a few thousand credit card records (out of an alleged 400,000), continued with the publication of “SCADA” systems with default credentials and a handful of gov.il email addresses and passwords, and more recently with the DDoS on the public sites of the Tel Aviv Stock Exchange and El Al Airlines.

We call these events “hacking” (in quotes) on purpose. Following is a basic analysis of what has been done, some impact analysis, and an outlook for the continuation of such events and their escalation.

Analysis of past events

First things first – the credit card leak that started it all wasn’t real news. All the records pertain to older attacks on some poorly secured internet merchants (mostly coupon deals) which stored credit card records (illegal) in an insecure way (malpractice). The “news” about the leak was the aggregation of these records and their publication in a media context of “Cyberwar against Israel”. What made this fairly insignificant event newsworthy was… the news. The media attention thrown on it was unprecedented, and the number of “cyber consultants” (I’m not making this up) who provided content-less interviews gave the impression that the infosec industry in Israel is 10 times bigger than it really is.

For the person(s) (0xOmar) who published the regurgitated information this was pure win – exactly what they were looking for. This would have ended there, had two things not happened:

1. Danny Ayalon, the vice-minister of foreign affairs, was quoted saying that this attack should be regarded as an act of terror.
2. Several groups of script kiddies from Israel started working on vengeance against Saudi credit card holders.

Both actions are regarded as knee-jerk responses, and there is no way to see them as productive in any sense (strategic or tactical). Nevertheless, the combination of said actions and the continued excessive media coverage basically led the way to an escalation in the activities.

The next action, although not a real escalation yet, showed how 0xOmar essentially turned into a brand much like Anonymous, when information on alleged Israeli “SCADA” system logins and gov.il email addresses was made public. This leak, now not directly associated with 0xOmar, turned the attention of some Anonymous twitter accounts into supporting the newly tagged “#fuckIsrael” activities.

When looking at the “SCADA” leak, it is easy to see that none of the systems quoted are actually SCADA related, but mostly content management systems, some wireless routers installed at residential locations, and a car booking system. The email addresses and passwords (and hashes) are all from the STRATFOR leak which happened a couple of weeks beforehand (and even there, it didn’t contain hundreds of really interesting Israel-related records).

Nevertheless – media attention was at full force, and the attempts to “out” who 0xOmar is only fueled the ego behind the alias more. Combined with the newfound attention from the Anonymous brand, additional groups started to join the party, and the last escalation in activities showed for the first time actual activity against Israel-associated facilities – the DDoS on the stock exchange and El Al’s websites. Again – the choice of targets is not coincidental: both sites are well known and are strongly associated with Israel in media around the world (financial, and the national airline). These are not strategic targets of a classic “cyberwar” but more of a “media-war”.

This latest attack, while inflicting minimal (if any) damage to the targets, should raise a lot of hard questions for the relevant CISOs who failed to recognize the threat communities they are facing (especially in light of the media attention) and the defenses put in place to greet such communities. Additionally, mitigation tactics for such attacks have been out there for quite a while, and even a simple CDN solution would have easily coped with them.

Escalation and Triggers

The escalation has already started from the attacking side. We see more groups that were previously unassociated with 0xOmar join the game – especially now that it has been expanded to include more media support from some Anon factions. These groups widen the threat communities that are now part of the threat model which Israeli organizations have to deal with, along with their associated threat capabilities.

We expect that the attacks will continue – especially if media coverage continues to be provided in prime time. Additionally, groups that are currently in a holding pattern on whether to join the action will be more keen to do so if a direct retaliation is launched from the Israeli side. Such a retaliation could be additional attempts to “out” 0xOmar using diplomatic ties, attacks on hacker forums associated with the recent activities, or anything that would be portrayed as a violation of rights in international eyes.

An escalation in the attacks would mean that additional groups, who also bring additional capabilities to the table, would be able to launch much more targeted attacks against more strategic targets. If the attacks so far focused on the media value, further attacks would escalate to (in order): financials, defense contractors, government, and finally high-value individuals.

We hope that this analysis sheds some light on the motivations and the actual impact of the recent events, and would prevent any escalation – both in the response from the local hacking groups and from the media, as well as from the assorted groups that were ad-hoc strung together to form this chain of events.

Intelligence on Ashiyane and Iranian Cyber Army

One of my favorite OSINT resources, internet-haganah, has opened up a new thread on their Iran-dedicated forums, called Ashiyane.

This is basically the hacker forum that I was researching a couple of years ago (see my DefCon18 talk, and here, and here).

The forum thread is here: http://forum.internet-haganah.com/showthread.php?440-Ashiyane

And an interesting intelligence profile for the group actually quotes my past research (which, contrary to how it may seem, was NOT done as part of my reserve duty tasks in the Israeli Air Force…)

Keep up the great work guys! Truly humbled to have my work mentioned on your site.

Information Security, Homeland Security, and finding someone to pin it on

In the recent spree of cyber attacks on a plethora of US and international government- and federal-related establishments, a lot of speculation is being thrown around as authorities try to find the threat community behind it.

As computer systems take over most of the control of our daily lives – from transportation, through financial systems, and up to government facilities that provide research, analysis and even critical infrastructure to support what we now know as “modern life” – attackers find it easier and easier to poke at such systems, as their security is left mostly as an afterthought. Most of the focus when the relevant organizations approach the forensics and remediation of such breaches is first to recover any lost data, and then to identify not the root cause of the breach, but the attacker.

As the blame game runs amok, the actual privacy and confidentiality of the core (digital) elements of our modern society are left up for grabs. When groups such as LulzSec, Anonymous, and any other book-reading, internet-browsing, anonymous-under-several-proxies infosec-warrior find it as easy as running a few scripted tools on their target list to find easy-to-exploit issues, we are facing a very tough job of figuring out who to blame.

Nevertheless, blame by itself (or attribution, as we like to refer to it in the more politically-correct industry circles) won’t help us in mitigating such attacks. It may be helpful for organizations to have someone to pin the “adversary” tag on – especially when dealing with defense/government/federal institutions whose budgets can be manipulated more easily under the threat of a foreign nation. But when looking at the ability to actually come up with evidence to support such claims, we often face empty hands and a thick smokescreen of assumptions, prejudice, and incompetence.

On the other hand, when viewed from a strategic/political stance, it can be easily seen how a string of breaches in facilities that share a common ground (such as the one presented by Rafal Los of HP in his great article “DOE Network Under Siege”) can be attributed more to a nation state than to a fun-seeking internet-bored group.

This simple reality – of having intricate connections that are often only visible when looking at the bigger picture of security incidents – allows state-sponsored attacks to happen without much scrutiny or the ability to thwart them from a more strategic position.

The bottom line remains the same – chasing after excuses and online enemies won’t get us to a more secure state. Investing in proper education, training, exercises, people and (lastly) technologies, will. Instead of trying to investigate breaches from an attribution standpoint, we should be investigating root causes to the deepest level (i.e. not stopping at “a 0-day vulnerability we didn’t know of”, or the bit-bucket of “It’s an APT”) that involves how we manage our electronic infrastructure and how we keep track of what’s going on in it after the initial setup is complete and the contractors/integrators pack up their people and leave.

Post Brucon thoughts – guesstimates in an engineering field

So, another epic Brucon has ended, and while everyone is getting their thoughts together again (the amount of super smart people I have had the pleasure to have conversations with is unimaginable), I wanted to post a quick recap.

First things first – numbers. I’ve been working with the FAIR methodology for quite a while now, and have actually (with the kind permission of Jack Jones) integrated some of its elements into the Penetration Testing Execution Standard (PTES). Watching the discussions that started after Jack’s talk at Brucon was heartwarming. Seeing pentesters and security practitioners finally “get it” was divine. Working in a field of engineering that has the least engineering in the sense of how it’s applied to businesses has been frustrating, to say the least. The ability to effortlessly connect the technical elements of vulnerabilities and exploits to business-speak has been one of my personal challenges (and hopefully strengths), and being able to tilt the industry even a little in that direction is something that we all needed for a long time.

A quick “teaser” to add on top of it (which was previewed in my talk) is the ability to also marry social media risk into the risk management practice (look out for some more cool research and insights coming from that direction very soon!).

Which leads me to the last point – the ever evolving presentation I use to deliver the message about data exfiltration is provided for your viewing pleasure. Don’t fear the >100 slide count – it’s mostly the “build” effects that I left in for clarity.

Looking forward to some more discussions and developments in the way that we as an industry are justifying what we practice (if it wasn’t obvious by now – go check out what FAIR is, and then start thinking about how to integrate it into what you do…).

Career in Information Security

So, here comes the time when I say out loud something a little personal on what’s going on at Security-Art. We are at the challenging phase where we are growing rapidly, and as a result are also looking to grow our excellent team.

If you have ever run a small company you know how hard this phase is. Making sure not to take on more work than you can handle, making sure you can still deliver the top-notch services your customers are used to (and which built your reputation in the first place), managing the growth, having people trained and lined up with the way you do business, the list goes on and on…

Bottom line, it’s one of the more exciting (and scary) phases that a boutique company such as ours goes through, and we are looking for more talent to join our team.

Beyond the “standard” job descriptions you can find on the careers page on our company website, I can only say that:

1. We work hard. Probably harder than you have worked before. Ask around and people who know us can tell you.

2. We love what we do. See point 1. If we didn’t, we would have burned out years ago. This is our passion, this is our hobby, and this is what we are good at.

3. We are all n00bs. Anyone who thinks they are an expert at something and therefore have reached some faux pinnacle of their career is probably not in InfoSec. We learn new things every day. We research new technologies, legal systems, politics, people, societies, companies, business, finance and other areas on an ongoing basis. The landscape keeps changing and our job is not only to stay on top of everything, it’s also to plan ahead and try to predict what’s going to be the next challenge. By definition, 80% of what we look into will not be relevant. It’s the 20% that is which later makes it into presentations at security conferences…

Now that you’ve had a little taste of the “behind the scenes” of what we are looking for, and think you can step up to the plate – please do!

Looking forward to seeing some new blood from whom we can all learn a few more things and share our passion with.

P.S. No, I didn’t forget 4 (and people who know me can attest to the fact that there is a no. 4) – party hard. Just as you need to kick ass in your work, you are allowed – no, required – to party just as hard ;-)


Iftach Ian Amit

VP Consulting

What the * is wrong with mobile security


We have been dealing with a barrage of mobile application security issues lately, and although I had the feeling that there was a lot wrong with the industry, I hadn’t realized it was that bad.

I mean – it’s supposedly almost the same developers, right? Some Java, Objective-C, a little JS/JSON/GUI; the concepts are still the same. Oh, was I wrong. When testing some of these applications, and looking at how they are put together (much easier, BTW, than with “traditional” software), it almost seems like we are blinded by the fancy little gadget we have sitting on our desk waiting to be tested, and just push out really crappy code with no apparent attention to how it works, how secure it is, or how it reflects on the security of the rest of the bank/commerce/corporate environment.

Forget all the shortcuts that completely bypass any reasonable process and procedure implemented through the “regular” (i.e. web, web services, even client-server) interfaces, and the fact that web services are created specifically to support that.

Forget that authentication is almost thrown out the window where you used to have multi-factor authentication on other channels.

Go back to basics. Ummmm, like, SSL? Too many times you see an “application” that is no more than that hybrid thing Apple allowed developers to do – a few HTML pages that get rendered really nicely on an iDevice, some jQuery and CSS tricks, and maybe even bothering to churn the end result through PhoneGap to be like the cool kids with the native apps. Problem is – developers go full retard on shiny things like this. They completely forget the fact that the user’s phone is just like a PC, and is going to be connected to so many non-trusted wireless networks that it’s not even funny to think how much data will be exposed through their insecure plaintext calls.

One thing that really helps developers stay in full retard mode is the lack of any security indication on the device that their communications are done completely in the clear. No bright yellow/red/green padlock that indicates an SSL connection, no API checks to verify that some crypto library is in use if any of the “sensitive” resources (read: contacts, network access, mail, locally saved data, etc…) are accessed by the application. Nothing.

That’s how we got to a point where sensitive data is leisurely sent unencrypted over non-trusted WiFi connections, along with almost everything you can think of from the phone (GPS coordinates, user information, you name it). That’s how we got to a point where useless web services are opened up (again – with no requirement for an SSL connection) on financial/corporate/commercial servers to allow logical shortcuts just because the mobile application needs to be “streamlined”.
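The plaintext calls described above are the first thing to look for when reviewing one of these hybrid apps. The following is an added example (not code from this blog or from any app it mentions): a small Python scanner that pulls hard-coded URL literals out of an app's JavaScript and flags the ones using http:// or ws://, noting where the same host is already reached over TLS so the fix is obvious. The app source, host names (reserved .test domains) and endpoints are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of hybrid-app JavaScript (not taken from any real app);
# hosts use the reserved .test TLD so nothing here resolves.
SAMPLE_APP_JS = """
var API = "http://api.example-bank.test/v1";
$.ajax({ url: API + "/login", type: "POST", data: { user: u, pass: p } });
$.getJSON("https://api.example-bank.test/v1/balance", show);
navigator.geolocation.getCurrentPosition(function (pos) {
  $.post("http://telemetry.example-bank.test/loc", pos.coords);
});
var ws = new WebSocket("ws://push.example-bank.test/events");
"""

# Quoted URL literals with a scheme we care about (HTTP or WebSocket).
URL_RE = re.compile(r"""["'](?P<url>(?:https?|wss?)://[^"'\s]+)["']""")

# Schemes that put the payload on the wire in the clear, and their TLS versions.
CLEARTEXT_SCHEMES = {"http", "ws"}
SECURE_SCHEMES = {"https", "wss"}


def extract_urls(source):
    """Yield (line_no, url) for every quoted URL literal in the source text."""
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            yield line_no, match.group("url")


def find_cleartext_endpoints(source):
    """Return [(line_no, url), ...] for URL literals using a plaintext scheme."""
    return [(n, u) for n, u in extract_urls(source)
            if urlsplit(u).scheme in CLEARTEXT_SCHEMES]


def hosts_already_on_tls(source):
    """Hosts the app already reaches over https/wss; a plaintext call to one of
    these is usually a one-word fix (http -> https) on the client side."""
    return {urlsplit(u).hostname for _, u in extract_urls(source)
            if urlsplit(u).scheme in SECURE_SCHEMES}


def report(source):
    """Human-readable findings. This is a literal-only check: URLs assembled at
    runtime (API + "/login" above) are not seen, so the endpoints a proxy
    capture shows still need to be compared against this list by hand."""
    tls_hosts = hosts_already_on_tls(source)
    lines = []
    for line_no, url in find_cleartext_endpoints(source):
        host = urlsplit(url).hostname
        hint = "host already serves TLS" if host in tls_hosts else "no TLS endpoint seen"
        lines.append(f"line {line_no}: {url} ({hint})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_APP_JS)))
```

On the constructed sample this reports the API base URL (line 2, where the host already serves TLS), the telemetry post of the GPS fix (line 6) and the plaintext WebSocket (line 8); the login call built from the API variable is exactly the kind of thing the literal scan misses, which is why a traffic capture over a test WiFi network is still needed before signing off.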

We need to put our foot down and say “no more”. We need the big guys (Apple, Google, Microsoft, RIM) to have a real certification and testing program for their *Stores that actually looks at what the application is doing. We need more logic and more process in the way that applications get developed and commissioned. We need developers to get off the “I need to be at the *Store” mentality, and think like they used to in the sense of “we are going to get so pwned if I put this application out like this”. We need product managers and marketing departments to think about whether they want to be the next Sony™, getting nailed 21 times in a row and still not realizing they are so far behind that they need to take everything offline and start getting their stuff together.

We just need to pull our heads out of the sand and smell the napalm. It’s a war out there, and your shiny device doesn’t give a small rodent’s rear-end about your security as long as it looks good.

Now off to getting ready for Vegas. See you all there!

Is Your Company a Prime Target?

The recent security breaches at Lockheed Martin, RSA Security, Sony, PBS and other high-profile companies have proven once again what is well known to top cyber-security professionals: that the entire security practice on which most corporate security teams base their cyber security simply does not work anymore.

The entire security practice is reactive. Anti-virus, IDS/IPS and DLP solutions wait for an intruder to come in the front door and act in a specific way. These reactive solutions work well when you are not a prime target and the intruder is unwilling to make any extra effort in the crime. Such random attacks will be blocked by a well-configured perimeter defense.

However, if you are a prime target, a reactive security system does not–and will not–work for you. Advanced Persistent Threats (APTs) are based on intelligence gathering that includes anything from deployed infrastructure and controls, to business processes, key individuals, and social media presence. When working on prime targets, well-funded intruders persist until they have a good view of the attack surface and have figured out their avenues of attack.

The industry perceives companies as “prime targets” if they provide high value to the community, and as a result attract cyber-criminals. Typically such companies have one or more of the following attributes:

- High value information assets, e.g. Lockheed Martin
- High volume information assets, e.g. Sony
- High volume transactions (financial or other), e.g. TJX and Sony
- High exposure to media (social sites, media, controversial sites, and so on), e.g. PBS
- Critical 3rd party for a high volume of diverse organizations, e.g. RSA Security

Just as you would not bring a knife to a gunfight, you also need the right tools and weapons in the cyber-security arena. It is time to move from a reactive approach to a more proactive approach. If your anti-virus software provides a detection rate of up to 20%, then deploy a solution that provides a higher rate. If you want to know what attack avenues threaten your intellectual property, then collect intelligence about your organization and identify what “secrets” are out there in the public domain. If you want to check how vulnerable you are to malware, commission a specially tailored malicious email with a unique-signature malicious PDF attachment. And if you think you might be vulnerable to Distributed Denial of Service… test it! Be prepared!

A proactive approach is not a single effort into exploring security gaps; rather it operates on all fronts evaluating all information security layers for possible vulnerabilities. In most cases, such efforts are composed of experts from many fields of practice including but not limited to intelligence gathering, web security and crimeware experts who are collectively able to simulate a real-world attack using blended-threat scenarios. A valuable advantage of the proactive approach is the live feedback you get regarding the true level of the security of the organization; it provides an in-depth understanding of how sensitive information is externalized and also highlights exploitable patterns and instances of undue bias in control and planning.

Regarding risk and compliance, top cyber-security professionals will tell you what you probably already know: compliance isn’t security. Although compliance was the single biggest driver of security projects in the last few years, it is time to realize that it is not the ultimate driver of your security. The next ultimate driver is quantitative information risk analysis presented to the executive team along with the monetary value of the potential loss. Making informed decisions based on this type of analysis will allow you to secure the funding necessary for changing the approach from reactive to proactive.
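To make the “monetary value of the potential loss” concrete, and as a companion to the FAIR discussion in the Brucon post above, here is an added example (not code from this blog, and not the FAIR standard or any tooling by Jack Jones): a stripped-down Python frequency-times-magnitude model. It takes an analyst's minimum/most-likely/maximum estimates for loss event frequency and per-event loss magnitude, turns them into an expected annual loss, and then runs a Monte Carlo simulation so that the executive team can be shown percentiles and an exceedance probability rather than a single number. The estimates are constructed for the example and carry no meaning for any real organization.

```python
import math
import random
import statistics

# Constructed estimates for one loss scenario (made up for this example):
# loss event frequency in events per year and loss magnitude in dollars per
# event, each as (minimum, most likely, maximum) as an analyst would elicit them.
LEF_ESTIMATE = (0.1, 0.5, 2.0)
LM_ESTIMATE = (10_000, 50_000, 500_000)


def triangular_mean(estimate):
    """Mean of a triangular distribution built from a (min, most likely, max) estimate."""
    lo, most_likely, hi = estimate
    return (lo + most_likely + hi) / 3.0


def expected_annual_loss(lef, lm):
    """Point estimate: E[events per year] * E[dollars per event]."""
    return triangular_mean(lef) * triangular_mean(lm)


def _poisson(rng, rate):
    """Knuth's method for a Poisson draw; adequate for the small rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef, lm, iterations=10_000, seed=7):
    """One simulated year per iteration: draw a frequency, draw how many loss
    events actually happen that year, then sum an independent magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        rate = rng.triangular(lef[0], lef[2], lef[1])    # argument order: low, high, mode
        events = _poisson(rng, rate)
        losses.append(sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events)))
    return losses


def summarize(losses):
    """The figures a board slide needs: mean, median, tail percentiles, worst simulated year."""
    q = statistics.quantiles(losses, n=100)    # 99 cut points; q[49] is the median
    return {
        "mean": statistics.fmean(losses),
        "median": q[49],
        "p90": q[89],
        "p95": q[94],
        "max": max(losses),
    }


def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss exceeds the threshold, i.e. the answer
    to 'how likely are we to lose more than $X this year'."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    print(f"expected annual loss: ${expected_annual_loss(LEF_ESTIMATE, LM_ESTIMATE):,.0f}")
    years = simulate_annual_loss(LEF_ESTIMATE, LM_ESTIMATE)
    for name, value in summarize(years).items():
        print(f"{name:>6}: ${value:,.0f}")
    print(f"P(loss > $250,000) = {exceedance_probability(years, 250_000):.1%}")
```

The point of the simulation over the point estimate is the tail: with a most-likely loss of $50k but a maximum of $500k, the 95th percentile and the probability of exceeding a given budget line are what justify spending on a control, and a control's effect can be argued by re-running the model with a lower frequency or magnitude estimate and comparing the two distributions.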

Perimeter defenses are hurting your security

I have looked for a good example of a real-world security practice that is misconceived and that also applies to information security. Recently I had a chance to read an opinion article about physical security measures that are put in place to protect small populations (read: army bases, gated communities, etc…) and how much of the “traditional” security thinking is actually hurting them.
The example that was cited talked specifically about building fences around such facilities, and their actual and perceived effect.
The real effect of such a “security” fence is very low. These fences can be easily bypassed with very basic skills and tools.
However, the perceived effect of such fences is incredible. On one hand, the protected population sees that there is a fence that goes around the entire perimeter, and immediately thinks “cool! we are well protected”. They can SEE the perimeter, and it has an immediate effect on how the area is perceived (especially in gated communities).
On the other hand, a much more worrisome element is how such fences affect the way that the security personnel behave. One would think that security professionals understand that fences are no more than a slight delay for an attacker who looks to break into the protected area. Nevertheless, the article talks about how security personnel actually put their guard down when assigned to work in fenced areas. It talks about how the perimeter (again – being highly visible and seemingly intimidating) provides some comfort to the guards, and makes them prone to focus on the gates and openings. Whereas guards that were put on duty to protect non-fenced compounds were much more vigilant in identifying tactical areas that could be used to watch the compound, and to attack it. They were more active in their movements across the protected area, paying attention not only to the access paths used daily, but to all aspects of the area.

Now think about everything that I have discussed above in information security terms. We have had firewalls blinding our CIOs, IT personnel and purchasing managers. The ability to market, so successfully, a product that specifically opens access paths into the organization has actually degraded the security posture of most organizations. Think about it – one of the things that comes up very early in a conversation about an organization’s security protections will usually be a firewall.
The more problematic aspect here – much like in the physical fence example – is that firewalls make security personnel put their guard down. They fail to be vigilant in identifying access paths, data patterns, and potential pitfalls in the way that the organization keeps, processes and uses its information.
Don’t get me wrong – I’m not a huge “de-perimeterization” fan, but we do need to take note of this way of thinking about security. Everyone is preaching “layered security”, but keeps putting a lot of focus on the perimeter defenses while leaving the internal layers mostly unprotected.

In summary – when you think about how your organization is protected against security breaches, remember the “fence effect”. Remember how people that live in gated communities have a false sense of protection, and how guards stationed at checkpoints and gates are usually focused on the opening rather than the fence around them.

Targeted Attacks – aka APT (Advanced Persistent Threat)

Recently, we’ve been hearing more and more about APT attacks, with the most publicized being the attack on RSA Security (EMC). For those who aren’t familiar with the term, APT attacks are cyber-attacks directed at specific entities. In this case, an attack on a high-profile security organization by highly professional and well-funded attackers.


How can we prevent or contain such attacks?

Targeted attacks have been here for a while and are not about to go away; therefore our battle should be focused on lowering the probability and impact of such attacks. Below I suggest a number of ways to tackle the problem, and I’m looking forward to getting your input in the discussion on ways you have approached this problem.


Preparing Before the Incident

In order to properly prepare for an advanced cyber-attack, organizations should assess the potential impact of such an attack. This means that all the relevant capabilities of the attacker need to be included as part of the assessment. A red-team test creates a scenario, where the organization is placed under the same scrutiny as under a real attack, with the benefit of running it in a controlled environment and by a trusted entity.

During a red-team test, the organization is not only being tested for the resilience of its technological controls, but also for its human assets, policies and just as importantly – its ability to detect and react to the different stages of the attack (CIRT and other Incident Handling capabilities).

Another preventive approach is identifying and minimizing malware throughout the organization. It’s crucial to apply proactive intelligence gathering and analysis to the organization’s technology infrastructure on an ongoing basis. The keyword here is “ongoing”, because crimeware is constantly evolving, so malware scans have a very short life span.


During the Incident:

When an attack is detected, two of the more important activities for correctly containing the attack and managing its impact are the incident response process and digital forensics.

Without a skilled and thorough incident response team, the impact of the attack can magnify. The team must be able to contain the attack, identify its control structure and breadth, and act rapidly to control and mitigate damage. Part of this is running a digital forensics process to enable the organization to quickly identify the actual threat capability, its communication scheme, and the data it targets inside the organization. Forensic services include both the analysis of the malicious software operating in the organization and the analysis of any peripheral devices that may have been affected or produced logs related to the incident.

Beyond the area of technical solutions, two major business factors need to be taken into account. Firstly, the legal aspect: in some states/countries it is a requirement to report such incidents or inform affected parties. The second area is public relations or media relations. Not being an expert in either of those I won’t elaborate, but it is important to consult both legal and PR during and following the incident.


After the Incident:

Once an APT attack has been handled, the organization should initiate a process of strategically identifying the core issues that led to the incident. Additionally, the same activities that are part of the pre-incident assessment and the forensics are applied to create a roadmap for addressing the security gaps that led to the incident.

As part of the post-incident assessment, a more generalized forensics examination would also identify the paths into the organization that the attacker used. This examination should include social media, mobile devices and web applications that may have left openings for such an attack. Additionally, any criminal-related risk exposure, such as the cybercrime interest level in the organization, would be assessed, and potential avenues of extortion or other criminal elements would be assessed and addressed in the risk management practice.


In summary, while it may not be possible to eliminate such attacks, I’ve outlined here some of the basic steps organizations can take in assessing and managing the risks. What other steps do you see that organizations need to take in relation to APT attacks?

Please join the conversation in the comments section of the blog.