This year many companies have come to the realization that somewhere on their network, possibly in a far-off corner hidden behind a pile of who knows what, is a computer or some type of appliance that is playing host to a certain strain of malware.

It’s hanging out in stealth mode, occasionally beaconing over a secure 443 connection, waiting for the C&C server to pass down the long-awaited commands: launch a DoS attack against an Internet site, attempt to infect other machines, or carefully search its locally mapped drives for certain key words (e.g. pass, confidential, etc.).  There it sits like a dirty ninja, waiting for some piece of confidential information to pass by its patient watch, where it is copied and uploaded to a web site hosted by a reputable service provider.  It can sit there for months, even years, as Nortel found out.  In fact, in January, Mandiant stated that the average infection stays resident for 416 days.  Why so long?  Well, the fact that 96 percent of data breaches are uncovered by third parties (i.e. not internal security teams) is one reason.  That’s right, even those expensive next-generation firewalls that sit high and to the right in the Gartner Magic Quadrant are failing to catch these contagions.

What can we do to stop APTs?

It is a tough problem indeed that all of us are facing.  How can we fortify our security measures to increase our defenses against these targeted attacks?  Here is a list that many of us are familiar with.  Let’s review:

  •   Keep end systems and servers patched
  •   Block critical servers from connecting to the Internet.  Grant routine temporary access for updates only.
  •   Force password rotation and consider two-factor authentication
  •   Invest in behavior monitoring systems that categorize suspicious behaviors over time
  •   Educate and re-educate employees on the dangers of email regarding phishing attacks and how to avoid the “costly click”

Prepare for the Discovery

Now that we are no longer in denial about being infected and have accepted the fact that we are already likely hosting malware somewhere on the network, let’s make sure we are ready to roll back the video footage and replay the steps of the infiltration.

[Image: Cyber Attack Incident Response]

We can often learn behaviors from this and play back the traffic to sleuth out the other machines still under the radar that are exhibiting some of the same behaviors.
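As an added illustration (not part of the original post, and not Scrutinizer’s own logic), the following Python flags hosts whose HTTPS connections to one external address recur at suspiciously regular intervals, then pivots from a known-infected host to the other internal hosts contacting the same destination. The flow records and addresses are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (epoch_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 and 10.0.0.9 check in with 203.0.113.10:443 every ~10 minutes;
# 10.0.0.7 browses 198.51.100.20:443 at irregular intervals (normal traffic).
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.10", 443) for t in range(0, 3600, 600)]
    + [(t + j, "10.0.0.9", "203.0.113.10", 443)
       for t, j in zip(range(0, 3600, 600), (0, 7, -4, 3, 9, -6))]
    + [(t, "10.0.0.7", "198.51.100.20", 443) for t in (0, 40, 900, 950, 2700, 2710)]
)

def beacon_candidates(flows, port=443, min_flows=4, max_cv=0.15):
    """Return {(src, dst): mean_interval_seconds} for pairs whose inter-arrival
    times are suspiciously regular (coefficient of variation <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 < min_flows:
            continue  # too few connections to judge regularity
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg)
    return hits

def peers_of(flows, infected, port=443):
    """Given one confirmed host, list the other internal hosts that beacon to
    the same external destinations it does (the traffic 'replay' pivot)."""
    beacons = beacon_candidates(flows, port)
    dsts = {dst for src, dst in beacons if src == infected}
    return sorted({src for src, dst in beacons if dst in dsts and src != infected})

if __name__ == "__main__":
    for pair, interval in beacon_candidates(FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}:443 every ~{interval}s")
    print("hosts sharing 10.0.0.5's C&C destination:", peers_of(FLOWS, "10.0.0.5"))
```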

Cyber Attack Incident Response

What do you need? Ideally, a system that surpasses industry compliance obligations by providing the necessary evidence for cyber attack incident response.  Security breaches can be very costly, and twice as embarrassing when it is discovered that government-imposed compliance regulations aren’t being met.  For example, the Global Payments breach in April 2012 cost $93.9 million, including $35.9 million in fines and other noncompliance charges.

Are you ready to get prepared? Contact our team to learn about our Incident Response System.


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.