NPR's Morning Edition ran a segment titled "Cybersecurity Firms Ditch Defense, Learn To 'Hunt'." The piece focuses on attacks from China that aim to steal intellectual property and other trade secrets from specifically targeted Western firms. This type of attack is called an Advanced Persistent Threat (APT).
There is little doubt that APTs are a growing problem; Google, Adobe and Rackspace are among the companies that have publicly disclosed that they were the targets of an APT-style attack. Even the security firm RSA said it was compromised by an APT in 2011.
The most striking quote in the NPR piece came from Dmitri Alperovitch, a co-founder of CrowdStrike: "There's really no organization, including government agencies, that can prevent this type of attack. So you need to shift your mode into thinking that you are always in a state of compromise, and you need to start thinking about how to hunt on the network."
He couldn't be more right. Every organization needs to ask: "What would happen if an attacker penetrated our network? What actions would the attacker take, what damage could be done, and how would such a breach be detected?"
In many cases, the first step for attackers once they penetrate a network is to gain access to administrative accounts, which frequently hold the proverbial "keys to the kingdom." While the NPR report focused on firms that gather intelligence and actively seek out the attacking groups, there is a complementary defense against APTs: Privileged Identity Management. This discipline helps control and secure the accounts that can do the most damage to an organization by:
- managing access to privileged "administrator" accounts
- restricting even privileged accounts to the minimum access necessary (least privilege), and
- monitoring the actions that are taken using these accounts
By doing this, an organization applies the concept of "defense-in-depth" to limit the damage an APT can do and to improve its ability to detect a breach should one occur. Privileged Identity Management does not stop the initial intrusion, which is the point of Alperovitch's remark; it limits what an intruder can do with a stolen account and produces the records needed to hunt. In essence, the best defense against APTs and other external threats is to secure your network from the inside out.
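To make the three points above concrete, here is a small added example (my own illustration, not code from the post or from any product it mentions) that combines a least-privilege policy with monitoring of privileged actions. It assumes a hypothetical policy mapping each administrative account to the hosts it may use and the commands it may run, and it reads sudo audit lines in the default syslog format; the log lines are constructed for the example. Anything a managed account does outside its policy, and any sudo use by an account that is not under management at all, becomes a finding a hunting team can chase.

```python
"""Privileged-account monitor: apply a least-privilege policy to sudo audit lines.

Added example, not from the original post. The POLICY table and the
SAMPLE_LOG lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Hypothetical least-privilege policy (an assumption for this example):
# account -> hosts it may administer and the command prefixes it may run.
POLICY = {
    "dbadmin": {"hosts": {"db01", "db02"},
                "commands": ("/usr/bin/systemctl", "/usr/bin/pg_ctl")},
    "webops":  {"hosts": {"web01"},
                "commands": ("/usr/bin/systemctl restart nginx",)},
}

# Default sudo syslog entry. Denied attempts carry an extra reason field
# ("command not allowed", "user NOT in sudoers") before the TTY field.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;=]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample log: one non-sudo line is included to show it is skipped.
SAMPLE_LOG = """\
Mar  3 02:14:07 db01 sudo:  dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  3 02:15:31 db01 sudo:  dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 02:16:02 web01 sudo:  webops : TTY=pts/1 ; PWD=/home/webops ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 02:17:45 web01 sudo:  dbadmin : TTY=pts/2 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 02:18:10 web01 sudo:  jsmith : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/bash
Mar  3 02:19:00 db02 sshd[4242]: Accepted publickey for dbadmin from 10.0.0.5 port 52114 ssh2
"""


@dataclass
class Finding:
    host: str
    user: str
    cmd: str
    reason: str


def parse_sudo_line(line):
    """Return the fields of a sudo audit line, or None for any other line."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def evaluate(event, policy=POLICY):
    """Return the policy violations for one sudo event (empty list if within policy)."""
    user, host, cmd = event["user"], event["host"], event["cmd"]
    rules = policy.get(user)
    if rules is None:
        # Any privileged use by an account outside the managed set is a finding,
        # whether or not sudo itself granted the request.
        return [Finding(host, user, cmd, "account not under privileged-identity management")]
    reasons = []
    if host not in rules["hosts"]:
        reasons.append(f"host {host} not in allowed set")
    if not any(cmd == c or cmd.startswith(c + " ") for c in rules["commands"]):
        reasons.append("command outside least-privilege allow-list")
    if event["reason"]:
        # sudo already refused it; still worth surfacing as an attempt.
        reasons.append(f"sudo denied: {event['reason']}")
    return [Finding(host, user, cmd, r) for r in reasons]


def hunt(log_text, policy=POLICY):
    """Parse every sudo line in the log and collect the policy violations in order."""
    findings = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event is None:
            continue
        findings.extend(evaluate(event, policy))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.host} {f.user} {f.cmd!r}: {f.reason}")
```

Run against the sample log, the monitor lets the two in-policy restarts through and reports three findings: dbadmin reading /etc/shadow (a command outside its allow-list), dbadmin acting on web01 (a host it is not assigned to), and jsmith attempting sudo without being a managed administrator at all. The first two are exactly the signal a compromised or over-privileged admin account would produce.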