Four Stages of Effective Response to APT Targeted Attacks

Source: Internet
Author: User


For many organizations today, the question is no longer whether they will become victims of an APT (advanced persistent threat) or targeted attack, but when. How the organization responds then determines whether the incident becomes a serious event or remains a minor problem.

The malware used in APT targeted attacks is often undetectable because it is custom-built for a specific organization, and the accompanying social engineering lure is crafted to look like a normal business email.

In short, an attacker with sufficient resources can always find a way to reach the target, regardless of which defenses are deployed. Defensive measures can raise the cost of entry, but they cannot prevent it completely.

The SANS Institute provides guidance on responding to cyber security incidents that can be broadly divided into four phases:

1. Prepare

This phase takes place before an APT targeted attack actually occurs. Security staff need to plan how they will handle a targeted attack on their own network, much as a system administrator plans for a foreseeable outage such as a data center going offline.

It is also important to understand the ordinary threats the organization faces every day. Information security staff are not only called on when an attack occurs; they must also understand what "normal" problems look like before they can quickly spot unusual threats such as an APT targeted attack. Threat intelligence and analytics are invaluable at this stage and help security staff understand the current situation.

Security staff must also plan to acquire the skills needed to deal effectively with APT targeted attacks. One of the most important is the ability to properly acquire and analyze data from compromised devices.

Many of these techniques are less familiar than routine IT work, but learning them helps the organization gather the information it needs and be better prepared to handle any attack.

2. Respond

Once it is determined that an APT targeted attack is in progress, the next step is to respond decisively. Responding has several parts: containing the threat, eradicating it, and determining the scope of the damage. The first step is to contain the threat immediately. Steps here include isolating infected machines or taking compromised services offline, with the goal of preventing the attack from spreading further.

It helps to identify the specific threat involved and to work with security vendors who understand common APT tooling and grayware. Likewise, ongoing monitoring of network activity helps determine the size and scope of the attack.

3. Recover

Restoring the organization's normal operation is as important as responding to the attack. While disruption is sometimes necessary to respond to an APT targeted attack, in the long run the organization must get "back to normal" and resume normal operations.

"Restoring" the organization is not only a technical matter. Where necessary, the organization needs to liaise with partners, stakeholders and customers to clearly communicate the scope of the damage from the APT targeted attack and the measures taken to mitigate the loss. In many cases goodwill and trust are badly damaged by the attack, and that must be addressed as well.

4. Learn

When the attack is over, the organization needs to work out what it can learn from it. Every attack holds lessons for defenders: what worked? What could be done better? It may also show that some of the assumptions and information behind the organization's security incident planning were incorrect or incomplete.

However, it is also important not to overreact to any single incident. Overreaction can be as harmful as no response: it may place an unnecessary burden on the organization's already thin security margin, if it has one at all. The organization must make its decisions on rational grounds once the incident is resolved.

Summary

In today's world of APT targeted attacks, the question is no longer whether an intrusion will happen, but when. A strategy for responding to a targeted attack must therefore be an important part of a broader defense strategy. The Trend Micro Threat Discovery Appliance (TDA) addresses the proliferation of network threats and the management of large enterprise networks, giving real-time, effective visibility into the security status of the enterprise network and meeting the needs of many users to detect network threats immediately and quickly locate the source of infection.
