Targeted Attacks carried out by Determined Adversaries are not a new phenomenon; political, military, and even commercial espionage has existed in some form for hundreds of years. Over the past three decades, the global connectivity of the internet, together with the lack of traceability and the ability to remain anonymous online, has opened up new attack vectors.
Successfully combatting such threats requires coordinated action between the public and private sectors, and an increased focus on risk management and incident response in regard to Targeted Attacks. The following summarizes these calls to action:
Establish a culture that promotes information exchange. Fast, comprehensive information sharing is vital to help address the threat of Targeted Attacks. Such information sharing requires establishing a climate in which victims are sufficiently confident to share details of the attacks against them, and to enable governments to share details of the evolving threat ecosystem from their perspectives. Governments should work toward the creation and harmonization of global laws that protect cyberspace, and enable information sharing (including technical information about the Targeted Attacks and threat assessments about the Determined Adversaries) across international boundaries. How individual countries do this domestically might differ, but the desired outcome is a shared objective.
Make risk management a key strategy for organizations, businesses, and governments seeking to prevent, detect, contain and respond to the threat of Targeted Attacks. A key element of risk management strategies must be the assumption that the organization either will be - or already has been - compromised. Another key is to create action plans that thoroughly analyze what the bad actors will do if they compromise an organization's high value assets. The goal is effective risk management; risk elimination is not possible.
Make creation and active operation of an analytical security enterprise a priority. Even well-protected environments will be targeted by determined adversaries, who are technology-agnostic and persistent. The deployment of intrusion detection and advanced analytics solutions that observe the real-time health and security condition of networks involves more than traditional network monitoring. In addition to security data from intrusion detection systems, organizations can also use information provided by IT assets such as routers, hosts, and proxy servers to evaluate operational and security status. The large amounts of monitoring and audit data generated by these solutions must ultimately be turned into insights that can be used to inform more effective cyber security responses.
Make establishing a solid incident management and response function a vital activity, at an organizational level and at an international level. Organizations should ensure that they have the capability to react appropriately to an attack when detected, contain the attacker, and then recover from the attack. Response plans should include robust communications plans (internal and external) to help ensure that speculation and assumption do not cause additional damage. Internationally, adequate response capability and capacity need to be built into countries around the world. Organizations and governments should establish points of contact that are available 24 hours a day, 7 days a week to help facilitate the response process. It would be prudent for these points of contact to be established before an attack takes place.