Internet Security Systems - AlertCon(TM)

Advanced Persistent Threat: An Iterative Approach

Posted by Tom Cross on March 21, 2011 at 11:40 PM EDT.

In February, I gave a talk at IBM's Pulse conference on Advanced Persistent Threat. There is no simple solution to combating APT on a computer network; fighting APT becomes a process that you engage in over time. The first step involves a multifaceted effort to detect APT activity in your environment. It's not always possible to detect everything; the goal is to detect something. Detecting something gives you a foothold. Once you've detected an attack, you analyze it to gain actionable intelligence that allows you to remediate that attack and augment your detection efforts. By iterating through this cycle you get better and better at staying on top of sophisticated threats.
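The cycle above (detect something, analyze it for actionable intelligence, augment detection, detect again) is easier to see in code than in prose. The following is an added example, not code from the talk or from IBM ISS: it runs a seed indicator over a constructed proxy log, pivots from each hit to the other attributes of that connection (destination IP, user agent), adds those as new indicators, and repeats until a round produces nothing new. The log lines, field layout, indicator values and the allowlist of values too common to pivot on are all assumptions made for the illustration.

```python
"""Iterative detect -> analyze -> augment loop over a constructed proxy log.

Added illustration; the log format, field names, sample values and the pivot
rules are assumptions for this example, not anything from the original post.
"""

# Constructed sample proxy log. Columns: timestamp host dest_domain dest_ip user_agent
# Domains use the reserved .test TLD and IPs come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2011-03-21T01:02:03 ws-17 updates.example-cdn.test 192.0.2.10 Mozilla/5.0
2011-03-21T01:05:09 ws-17 cdn.evil-update.test 198.51.100.7 UpdaterSvc/1.1
2011-03-21T01:07:44 ws-22 news.example.test 192.0.2.20 Mozilla/5.0
2011-03-21T02:10:31 ws-22 mirror.unrelated.test 198.51.100.7 Mozilla/5.0
2011-03-21T02:15:00 ws-41 files.other.test 203.0.113.5 UpdaterSvc/1.1
2011-03-21T03:00:12 ws-41 staging.second-stage.test 203.0.113.9 UpdaterSvc/1.1
2011-03-21T03:30:00 ws-58 staging.second-stage.test 203.0.113.9 Mozilla/5.0
"""

FIELDS = ("ts", "host", "dest_domain", "dest_ip", "user_agent")

# Attributes of a hit that can be turned into new indicators.
PIVOT_FIELDS = ("dest_domain", "dest_ip", "user_agent")

# Values too common to be actionable; pivoting on them would flag the whole
# network. In practice an analyst maintains this list (assumed here).
ALLOWLIST = {"user_agent": {"Mozilla/5.0"}}


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def detect(records, indicators):
    """Return every record where any pivot field matches a known indicator."""
    return [
        r for r in records
        if any(r[f] in indicators.get(f, set()) for f in PIVOT_FIELDS)
    ]


def analyze(hits, indicators):
    """Extract new indicators from detected records.

    This is the 'actionable intelligence' step: each attribute of a confirmed
    hit that is neither already known nor allowlisted becomes a new indicator.
    """
    new = {}
    for r in hits:
        for f in PIVOT_FIELDS:
            value = r[f]
            if value in indicators.get(f, set()) or value in ALLOWLIST.get(f, set()):
                continue
            new.setdefault(f, set()).add(value)
    return new


def iterate(records, seed_indicators, max_rounds=10):
    """Run detect/analyze/augment until a round yields no new indicators.

    Returns (rounds, indicators): rounds[i] is the sorted list of hosts that
    matched in round i; indicators is the final, augmented indicator set.
    max_rounds bounds runaway pivoting if the allowlist is too permissive.
    """
    indicators = {f: set(v) for f, v in seed_indicators.items()}
    rounds = []
    for _ in range(max_rounds):
        hits = detect(records, indicators)
        rounds.append(sorted({r["host"] for r in hits}))
        new = analyze(hits, indicators)
        if not new:
            break
        for f, values in new.items():
            indicators.setdefault(f, set()).update(values)
    return rounds, indicators


if __name__ == "__main__":
    # Seed with the single thing we happened to detect: one known bad domain.
    rounds, final = iterate(parse_log(SAMPLE_LOG), {"dest_domain": {"cdn.evil-update.test"}})
    for i, hosts in enumerate(rounds, 1):
        print(f"round {i}: hosts={hosts}")
    print("final indicators:", {f: sorted(v) for f, v in final.items()})
```

With the constructed log, the seed domain alone exposes one host; pivoting on that connection's destination IP and its unusual user agent pulls in two more, and the second-stage domain learned from those pulls in a fourth before the loop converges. The allowlist is the important caveat: pivoting on a shared hosting IP or a stock browser user agent would turn the loop into a network-wide false positive, so in real use the analyze step is where human judgement decides which attributes are high-confidence pivots.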

While this talk borrows some material from the SANS webcast on APT that Jon Larimer, Will Gragido, and I gave back in June of last year, I have built on that material to provide a set of process recommendations that are more tangible. You can stream the video here and download my slides here. There will also be more information on this subject in the upcoming X-Force Annual Trend Report.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.