The success of advanced persistent threats (APTs) is reportedly so pervasive that detecting and defeating them with any consistency may seem to be a hopeless battle.
Based on news reports and multiple statements from U.S. officials, hackers from China breach the systems of all kinds of U.S. businesses, from major newspapers to defense contractors and cutting-edge technology companies, and remain undetected long enough to make off with billions in intellectual property and sophisticated weapon designs.
Defense Secretary Chuck Hagel and officials from the National Security Agency and the Department of Homeland Security have called the power of APTs the security challenge of the modern era.
"Cyber is one of those quiet, deadly, insidious unknowns you can't see," Hagel told U.S. troops in Hawaii. "It's in the ether — it's not one big navy sailing into a port, or one big army crossing a border, or squadrons of fighter planes ... This is a very difficult, but real and dangerous, threat. There is no higher priority for our country than this issue."
APTs are also no longer solely the domain of nation-states with vast resources, nor are they focused only on espionage or attacks against military and other government entities. They are "living" on networks in IT, energy, news, telecom, manufacturing and other sectors of the economy.
But according to a number of security experts, while it will probably never be possible to eliminate them entirely, it is possible to detect APTs and minimize the damage they cause.
"There are solutions — the sky is not falling," says Wade Williamson, senior security analyst at Palo Alto Networks. "A lot of times security folks use APTs as an excuse for failure, but it shouldn't be. There are technologies that can help."
Williamson is among those who also argue that detecting and defending against APTs effectively will take more than technology. In general, he says, "the biggest change we need is not one of tactics, but strategy. Security must evolve to become a very creative discipline.
"Historically, security held the view of saying no to requests and blocking 100% of threats. Neither of these maxims is practical today. We need security professionals to be inquisitive — to be looking out for the things that don't exactly make sense, and to ask themselves what it could mean, and how they should look deeper into the issue.
"We will always need automated security that blocks bad things," Williamson says, "but we also need creative, engaged security experts to be looking for the creative, engaged bad guys on the other end of the connection."
That said, there are a number of practices security experts recommend for organisations that are serious about the battle with APTs. In no particular order, they are: