RSA CONFERENCE 2012 -- San Francisco, Calif. -- The lion's share of attacks that target companies will be opportunistic scams and cybercrime, but companies that want to protect their customer information and corporate intellectual property need to also worry about the more persistent attackers.
While the term "advanced persistent threat" (APT) has become a marketing buzzword, persistent attackers do pose a real threat for companies, Greg Hoglund, HBGary founder and CTO, told attendees Wednesday at the RSA Conference in San Francisco. As attackers learn the benefits of quietly establishing a beachhead inside corporate networks, corporate IT security teams need to assume that the bad guys have already made it past their defenses and actively hunt down the intruders in their networks.
"You should not rely completely on an outside vendor to supply you a magical blacklist that will solve all your security problems," he said.
HBGary learned the hard way that APTs do not need to use advanced techniques to get a company's critical information. A year ago, hackers claiming to be part of the Anonymous movement gained access to the e-mail accounts of the company's subsidiary HBGary Federal and leaked confidential messages. Yet the hackers never gained access to the company's network, the firm has said.
[ See our complete RSA 2012 Security Conference coverage, live from San Francisco. ]
Dealing with attackers who are specifically targeting your company is a tough problem, and an expensive one, Hoglund said.
"It's a counterintelligence problem," Hoglund said. "You have to be willing to accept the cost of treating it as a counterintelligence problem, if you want good security."
Here are four of Hoglund's recommendations to help companies better find APTs in their networks.
1. Be aware of suspicious behavior.
Advanced attackers will use social engineering and other methods--such as compromising third-party servers--to get valid credentials to access a corporate network. At that point, it becomes nearly impossible to detect the attackers based on detecting malicious code. Instead, the defenders need to focus on identifying suspect behaviors, Hoglund said.
It's no longer a matter of if you get hacked, but when. In this special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, Dark Reading takes a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)