1. Use big data for analysis/detection
The word from RSA Executive Chairman Art Coviello during his keynote address at the 2013 RSA conference is, "The whole game here is to shift away from a prevention regime — big data will allow you to detect and respond more quickly."
That is endorsed by people like Aviv Raff, co-founder and CTO of Seculert, who notes that prevention from the perimeter is impossible; therefore, detection must be "based on the ability to analyze data, which must be gathered from and analyzed over sustained time durations. And that's where big data analytics enters the picture."
Of course, that takes an investment in analysis tools. "IT does not have the automated tools needed to identify infections in a timely manner," says Brian Foster, CTO at Damballa. "Instead they just have a ton of data. The industry needs to provide big-data approaches to IT for detecting infections in their network."
Williamson agrees in part, calling big data useful in detection. But, he adds, "The most important point is that the attack itself has spread out across multiple steps and technologies and our view of security must break out of its 'silo' view to be comprehensive as well."
2. Share information with the right people
According to Anton Chuvakin, writing on the Gartner blog last year, the bad guys share "data, tricks [and] methods" much better than the good guys. "It is considered acceptable to sit on the 'hard-earned' knowledge of ways you used to detect that proverbial advanced attacker while your peers in other organizations are being owned by the same threat," he writes. "And the cycle of suffering continues!!!"
To get an edge over APTs, he writes, organizations must share information in a way that helps them but doesn't benefit the attackers and doesn't violate laws or regulations governing the sharing of sensitive information.
Beyond the legal considerations, however, there are also economic constraints to sharing information. Brian Krebs, a former reporter at The Washington Post and author of the blog Krebs on Security, says he has seen progress in information sharing, but also efforts to hoard it to exploit it financially.
"The past few years have seen the emergence of several companies that make decent profits selling and exploiting this intelligence, so there remains a fair amount of tension between sharing and hoarding information about threat actors and indicators," he says.
3. Understand the "kill chain"
This is a so-called "phase-based" model to describe the stages of an APT attack. Those stages include reconnaissance, weaponization, delivery, exploit, installation, command & control and actions. As Lysa Myers, a virus hunter for Intego, put it in an InfoSec Institute article, "In essence, it's a lot like a stereotypical burglary — the thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before actually making off with the loot."
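The phase-based model above, and Williamson's point that an attack is spread across steps and tools that no single silo sees, translate naturally into a correlation check: map events from different sources to kill-chain phases and flag a host whose events advance through several phases over a sustained window. The script below is an added example, not code from the article or from any vendor quoted in it; the log format, the event-type-to-phase mapping and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain phases in the order the article lists them.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploit",
          "installation", "command_and_control", "actions"]

# Hypothetical mapping from event types (as different, siloed tools would
# emit them) to kill-chain phases. Real deployments define their own.
EVENT_PHASE = {
    "port_scan": "reconnaissance",                   # network IDS
    "phishing_attachment": "delivery",               # mail gateway
    "exploit_signature": "exploit",                  # endpoint AV
    "new_autorun_service": "installation",           # endpoint telemetry
    "beacon_to_rare_domain": "command_and_control",  # DNS / proxy logs
    "bulk_outbound_transfer": "actions",             # netflow
}

# Constructed sample lines: "ISO timestamp,source tool,host,event type".
SAMPLE_LOGS = [
    "2013-03-01T09:12:00,ids,ws-17,port_scan",
    "2013-03-04T14:02:00,mailgw,ws-17,phishing_attachment",
    "2013-03-04T14:05:00,edr,ws-17,new_autorun_service",
    "2013-03-10T02:30:00,dns,ws-17,beacon_to_rare_domain",
    "2013-03-11T03:00:00,netflow,ws-17,bulk_outbound_transfer",
    "2013-03-02T10:00:00,ids,ws-22,port_scan",
    "2013-03-02T10:01:00,ids,ws-22,port_scan",
    "2013-03-05T11:00:00,mailgw,ws-31,phishing_attachment",
]

def parse_event(line):
    """Split one log line into its fields and attach the mapped phase (None if unmapped)."""
    ts, source, host, event_type = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "host": host, "phase": EVENT_PHASE.get(event_type)}

def correlate(lines, window=timedelta(days=30), min_phases=3):
    """Return {host: [phases]} for hosts whose events, within `window` of their
    first event, advance through at least `min_phases` phases in chain order."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["phase"] is not None:          # ignore events no tool maps to a phase
            per_host[ev["host"]].append(ev)
    flagged = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e["ts"])
        start = events[0]["ts"]
        seen = []                            # phases reached, in chain order
        for ev in events:
            if ev["ts"] - start > window:    # outside the sustained window
                break
            idx = PHASES.index(ev["phase"])
            if not seen or idx > PHASES.index(seen[-1]):   # only count progress
                seen.append(ev["phase"])
        if len(seen) >= min_phases:
            flagged[host] = seen
    return flagged
```

Repeated scans of a single host (ws-22) or a lone phishing mail (ws-31) never trip the threshold, while ws-17's progression across five phases from five different tools does.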