All good; APT is a legitimate term, like so many that start out legitimate and 
then are used and abused by security companies to the point where the term 
becomes confused and dirty.

Even a lot of APT can actually be stopped rather easily. Aurora, for example, 
could have been defeated simply by forcing all outbound network traffic to 
traverse a web proxy. The malware used in Aurora was not proxy aware. Stuxnet 
is another that is easy to defeat with good technical security best practices. 
One of the privilege escalation vulnerabilities it used could have been 
prevented, and the subsequent chain of events with it, simply by having good 
file permissions. And these are not magical permissions that you would have 
had to know about Stuxnet to implement, but rather best practices that in fact 
some companies I know already had. For example, one of our customers, a bank 
with over half a million Windows systems, had this file permissions 
configuration in place, and so when Stuxnet was discovered, instead of having 
to drop everything and patch over half a million systems, they were already 
mitigated and could patch as part of their regular cycle. Don't get me wrong, 
there is plenty of APT, and even general cybercrime attacks, that are very 
difficult, but there have been few attacks ever, APT included, that could not 
have been prevented in a generic and reasonable way.

The problem is our industry celebrates people who break software more than 
people who help educate others on what they can do to be more secure (beyond 
a product). And that is not to say we should celebrate the researchers doing 
vulnerability research less, but rather that we should celebrate people doing 
innovative and educational things around protection more.

We actually have a white paper on the topic of security configuration best 
practices and examples of how some of these basic things can go very far in 
stopping even APT and other sophisticated attacks. You can grab that paper, 
"eEye Research Report: In Configuration We Trust", from our website here: 
http://www.eeye.com/resources/literature/white-papers
We also have a webinar with myself and one of my researchers giving a bit of 
an overview of the white paper, "On the Frontline of the Threat Landscape", 
that you can view here: 
http://www.eeye.com/resources/media-center/webinars-podcasts

Your last point, Alan, is a good one on how we are going to get better... 
Sadly, in the 13+ years I have been in this space, it seems we only get better 
through pain. But then, as I discuss in a keynote I have been giving at 
conferences lately, I do not think this is an IT/security problem but rather 
something rooted deeper in basic human nature and our inability to be 
proactive without pain, etc...

-Marc
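
The proxy point in Marc's message above, worked through as an added example 
that is not part of his message, of the eEye paper, or of any product: a 
default-deny egress policy in which only the web proxy host may reach 
external addresses on web ports, applied to a handful of constructed firewall 
log lines. From the perimeter, a host other than the proxy trying to reach an 
external address directly on 80/443 is exactly what a non-proxy-aware implant 
looks like, so the same rule that blocks it also surfaces it for the SOC. 
Python is used here only for the illustration; the proxy address (10.0.0.5), 
the internal address ranges, the log format and every log line are 
assumptions constructed for this example.

```python
"""Default-deny egress: only the web proxy may talk to external web ports.

Added example, not code from the original thread or from eEye. Everything
below (proxy address, internal ranges, log format, log lines) is assumed
and constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed environment: one explicit proxy; RFC 1918 space is "internal".
PROXY_IP = ipaddress.ip_address("10.0.0.5")
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
WEB_PORTS = {80, 443}

# Assumed (constructed) perimeter firewall log format.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(ALLOW|DENY)")

# Constructed sample log: the proxy going out, a proxy-aware client using
# it, ordinary internal traffic, and one host trying to go out direct.
SAMPLE_LOG = """\
2011-10-11T01:10:02 src=10.0.0.5 dst=93.184.216.34 dport=443 action=ALLOW
2011-10-11T01:10:07 src=10.0.3.17 dst=10.0.0.5 dport=8080 action=ALLOW
2011-10-11T01:10:09 src=10.0.3.17 dst=10.0.1.20 dport=445 action=ALLOW
2011-10-11T01:10:15 src=10.0.3.42 dst=198.51.100.7 dport=443 action=DENY
2011-10-11T01:10:16 src=10.0.3.42 dst=198.51.100.7 dport=80 action=DENY
2011-10-11T01:11:30 src=10.0.3.42 dst=203.0.113.9 dport=443 action=ALLOW
"""


def is_internal(addr):
    """True when the address falls inside the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def egress_decision(src, dst, dport):
    """The policy itself, as a pure function over (src, dst, dport).

    Internal destinations are allowed; external destinations are allowed
    only for the proxy on a web port. Everything else is denied, which is
    what "default deny" means at the egress point.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_internal(dst):
        return "ALLOW"
    if src == PROXY_IP and int(dport) in WEB_PORTS:
        return "ALLOW"
    return "DENY"


def parse_line(line):
    """Parse one log line into (src, dst, dport, logged_action) or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport, action = m.groups()
    return src, dst, int(dport), action


def audit_egress(log_text):
    """Walk the log and report two things worth an analyst's time:

    - bypass_attempts: per source host, every direct external connection
      the policy denies (the signature of a non-proxy-aware implant,
      whether or not the packet actually got out)
    - policy_gaps: lines the firewall ALLOWED that the policy says to DENY,
      i.e. rule-base drift that would let such an implant succeed
    """
    bypass_attempts = defaultdict(list)
    policy_gaps = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, logged = parsed
        if egress_decision(src, dst, dport) == "DENY":
            bypass_attempts[src].append((dst, dport, logged))
            if logged == "ALLOW":
                policy_gaps.append(line)
    return dict(bypass_attempts), policy_gaps


if __name__ == "__main__":
    attempts, gaps = audit_egress(SAMPLE_LOG)
    for host, conns in attempts.items():
        print(f"{host}: {len(conns)} direct external attempt(s): {conns}")
    for line in gaps:
        print("POLICY GAP (allowed but policy says deny):", line)
```

Two caveats a practitioner would add. First, the control only works against 
malware that is not proxy aware; an implant that reads the system proxy 
settings and rides the logged-on user's session passes this rule, and the 
control then shifts to proxy authentication, categorisation and review of the 
proxy's own logs. Second, the denied-attempt list is the detection value: a 
workstation repeatedly trying to reach external addresses on 443 without the 
proxy is a host to pull for investigation, not just a dropped packet.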

-----Original Message-----
From: Alan Davies [mailto:[email protected]] 
Sent: Tuesday, October 11, 2011 4:27 AM
To: NT System Admin Issues
Subject: RE: AV and malware protection?

Agree wholeheartedly for the majority of threats.  The only exception I'd make 
is for APT (sorry to mention buzzwords!!).  Security through obscurity can be a 
very valid defence against undirected attacks (and probably most directed ones 
too), but a little social engineering, insider knowledge, etc. and it doesn't 
matter so much anymore.  Stuxnet was a good example.  What matters are the real 
controls in place, your people and your processes.
 
On your last comment Marc, I do worry how we are ever going to get to a 
scenario where businesses in general are well protected since only very few, 
through either extraordinary diligence of their own doing, or through 
regulatory necessity, make that time or care about that level of knowledge (aka 
funds!).  PCI perhaps is at least a start in terms of introducing some of these 
concepts to otherwise unregulated verticals.

a

________________________________

From: Marc Maiffret [mailto:[email protected]] 
Sent: 11 October 2011 01:28
To: NT System Admin Issues
Subject: RE: AV and malware protection?

The reality is that most IT environments are all using one of the 2-4 popular 
AV products and one of the 5-6 popular network firewalls. This makes it very 
easy for an attacker to set up a test lab that mimics the average business and 
ensure their attack will be successful.

In order to be successful in today's IT security environment you need to 
customize security to your specific environment. If you spend even a reasonable 
amount of time customizing your security at the OS and network level you can 
prevent the vast majority of attacks. This is not opinion but fact.

Problem is that most people in IT have not been given the time or education by 
management to be able to do this successfully, so alas everyone just installs a 
product and hopes it works. Likewise the attacker installs the product, makes 
sure their exploit works, and does not abide by hope.

Now of course you could have the time and knowledge and not a product that 
allows for customization. But that is a different thing altogether.

-Marc

Signed,

Marc Maiffret
Founder/CTO
eEye Digital Security
WEB: http://www.eEye.com
BLOG: http://blog.eeye.com
TWITTER: http://twitter.com/#!/marcmaiffret


From: Alan Davies [mailto:[email protected]] 
Sent: Monday, October 10, 2011 2:01 AM
To: NT System Admin Issues
Subject: RE: AV and malware protection?

Huge +1 to that.  Anyone who says product x is the best is, at best, correct 
for a short period of time!  All AV is poor - I seem to remember about 70% 
protection is as high as any product gets by some measurements.

Why on earth would you encourage users not to use IE!?  Again, FUD mostly - IE 
is one of, if not the most secure browser out there out of the box.  Firefox 
not so great.  Now I agree that you can add various addons to change the game, 
mostly at the expense of functionality, but these also require management and 
understanding - something that normal users will not have!  Top browsers, all 
managed well, equal a fairly level playing field.

a

________________________________

From: Mike Gill [mailto:[email protected]] 
Sent: 07 October 2011 19:50
To: NT System Admin Issues
Subject: RE: AV and malware protection?

I have seen exploits on systems with just about every (fully updated) AV 
product I have heard of. There is no product that will win every time playing 
this cat and mouse game. I run MSE on my personal systems, Vipre and Nod32 on 
client computers. I encourage users not to use IE.

-- 
Mike


From: Micheal Espinola Jr [mailto:[email protected]] 
Sent: Friday, October 07, 2011 11:26 AM
To: NT System Admin Issues
Subject: Re: AV and malware protection?

Yep, the current version.  From what I have seen done to it by web-based 
exploit infections, I would classify the product as "a joke".

I thought it was decent before, but I currently have no faith in it.  This 
being part of the scenario of users, using IE, getting hit with drive-bys, 
those drive-bys pulling down more crap, and ultimately owning the system with 
rootkits.

IMO, MSE has been worthless in these situations.

--
Espi


************************************************************************************

WARNING:

The information in this email and any attachments is confidential and may be 
legally privileged.

If you are not the named addressee, you must not use, copy or disclose this 
email (including any attachments) or the information in it save to the named 
addressee nor take any action in reliance on it. If you receive this email or 
any attachments in error, please notify the sender immediately and then delete 
the same and any copies.

"CLS Services Ltd × Registered in England No 4132704 × Registered Office: 
Exchange Tower × One Harbour Exchange Square × London E14 9GE"


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
