

Russell Thomas

Yes, focusing on asset protection does make things a lot easier.

This assumes that you would not do security any differently if you faced APTs (however you define it) vs. opportunistic threat agents. If that's true, then the APT stuff is a distraction.

If it's not true, and defense against APTs requires major changes or different investment priorities, then threat intelligence suddenly becomes a required capability.

It would be interesting to hear from people in organizations who have been defending against APTs for a long time, and also from those who have only recently decided to reorient their security to defend against APTs.


It's not about making it easier, it's about making it cost-effective. Your local police department is not armed, trained and provisioned the same as the USMC or Army is.

Russell Thomas

Yeah... when I said "easier", I was thinking two things: 1) not requiring sophisticated analysis and 2) cost-effective.

Not to be snarky about your example, *some* police departments do have some military-like capabilities. I'm thinking specifically of NYPD's anti-terrorism unit.

Rob Lewis


Aside from defense or intelligence communities, just who do you think has been defending against APT for a long time?

Amit Yoran just said: "Advanced stuff is getting through pervasively," he said. "It's simply impossible to protect an enterprise today." And Allan Paller adds, "The story is about: 'Oh shoot, they are already inside.' The attacks are one level too sophisticated for the current tools."

Kudos to Gunnar since he has commented regularly on the need to use things that work inside the network like reference monitors and authorization.


The report that you are referring to appears to be written in the style of an intelligence briefing and not a treatise on end-to-end information security. As someone who has fought APT threats for over 6 years, I believe that it would serve the community well for people to thoughtfully consider the nature of the threat and decide how to alter their plan for, as you put it, asset protection. This is not a hyped-up threat that demands new technologies. This reinforces the same infosec song that has been played for at least 2 decades.
You speak of sensitivity to cost and deriving the greatest value from your actions. In every security and intelligence field a cornerstone of that evaluation is understanding the threat and modeling an appropriate response. In many ways, a good security model serves as a solid foundation. Occasionally this foundation does fail, and pat academic answers shouted with a sense of authority drive poor decisions. Poor decisions lead to excess cost - you are cleaning up two messes at that point.
The "A" in APT has nothing to do with your infosec world. The choice of TCP ports over which to run C2 channels is not advanced, the fact that properly configured and layered firewalls and proxies have not been an impediment is not advanced. The fact of active exploitation of users and their accounts who have access to assets well-protected with traditional security models is not advanced.
Honestly it comes down to simply the material that is sought, the efficiency of their operation and the depth of penetration into the Fortune 500 that some bloggers so blithely state should be more concerned with simple customer security.
When considering the whole picture, not just a few choice points, it is actually a bad thing for a CISO to ignore the problem. That's the type of thing that gets CISOs fired.

Russell Thomas

@Rob I don't exactly know who, besides defense and intel, has been defending against APT for a long time. That's why I asked.

If I had to guess, I might guess some in Financial Services, non-defense aerospace, certain segments of IT (e.g. Intel, Microsoft), on-line gambling (many reports of DDoS and extortion against them), and maybe human rights groups like Amnesty International.

I'd really like to know how widespread it is and how long it takes an organization to effectively adapt their InfoSec to the APT (or APA) reality.

Andrew van der Stock

Gunnar - you're about the only person who gets APT and that FUD du jour that it represents.

Keep it up, dude.
