Incident response security plans for advanced persistent threat

Download the full interview

Download the full interview on advanced persistent threat with Michael Malin and Dave Merkel as an MP3.
This short Q&A is an excerpt of a recent podcast interview with Michael Malin, executive VP and CFO for MANDIANT Corp., and Dave Merkel, VP of products for MANDIANT Corp., focusing on advanced persistent threat and incident response security.

What can enterprises do to proactively defend against advanced persistent threat (APT)? What about after the APT has already struck?

Dave Merkel: That's a tough one. Let me describe what things I'm sure don't work: If your information security program is purely compliance-based, and you're trying to mark off checkmarks on some criteria from some entity, you're probably not going to be able to stop this kind of attacker. If you don't have a qualitative aspect to your security program with good, strong technologists managing that infrastructure and trying to improve it on an ongoing basis, if you find yourself talking about investing in prevention and detection so you never have to worry about response, you are a prime target and are probably going to have issues.

We find the companies that are most successful in dealing with this kind of attack understand what level of security they actually get from their infrastructure, and therefore remain vigilant for the right kinds of things after the fact. How many companies buy an IDS and let it run and never look at the logs or think about analyzing the data, and aren't doing any critical thinking about the information that their systems generate and they receive? That's pretty common.

We find companies that have been highly targeted. We've seen a lot of APT activity in the defense industrial base, understandably so, and look how that community now works: They share information between each other, they actively discuss the threats, they actively look for new streams of intelligence, and they are vigilant in their infrastructure, understanding that there's only so much stuff you can prevent outright. That mindset is exactly what you have to have to be successful in managing -- as you can never have perfect prevention with this kind of attack group -- [this risk] on an ongoing basis, like you would any other risk. Those companies are doing good things.

Mike Malin: And I think one of the things we also do, regardless of the APT, is deal with incident response. If APT has struck, ... some of the basics that we talk about are: don't panic; observe and act; define the win. [Which means:] What do you truly want to accomplish with this reconnaissance? Is it at a micro-level of your enterprise, or do you actually want to scan the entire enterprise and really get a scope of what you're trying to do? And then lastly, back to basics: There is a lot to be said for having a robust security portfolio. ... What we're seeing is, you'd better be able to respond, because odds are, you're compromised.


This was first published in June 2010