On July 28, 2011, McAfee released a white paper (reg. req'd.) detailing its investigation of a targeted intrusion into more than 70 companies and government organizations over the past five years by an APT—an attack McAfee called Operation Shady RAT. By gaining access to a command and control server that was used in the attacks, McAfee found logs identifying the victims of the attacks dating back to at least 2006. The attacks were made against US federal, state, and county governments, foreign governments, the United Nations, defense contractors, non-profits and think tanks, as well as companies in the manufacturing, energy, IT, security, real estate, new media, and electronics industries. The wide scope of the attacks led McAfee to conclude that “virtually everyone is falling prey to these intrusions.” Indeed, the author of McAfee’s paper is “convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”
McAfee is not alone in warning of the threat of APTs to all businesses (not just military and government interests). The Security for Business Innovation Council released a report titled “When Advanced Persistent Threats Go Mainstream,” which contains security recommendations from “16 of the world’s leading security officers” on how companies make themselves vulnerable and new approaches for taking defensive measures against this escalating threat. The Council’s report notes that APTs are no longer only targeting the defense industry, they are attacking enterprises across industries and moving beyond seeking credit cards to “pursuing high-value digital assets such as intellectual property, across mission-critical operations, and other proprietary data and systems.”
One of the preventative recommendations made in the report is to “activate smart monitoring.” Specifically, the report describes how some security teams are using an innovative approach modeled on data analytics used for business intelligence to detect intrusions. Those security teams are using “an analytical engine to sift through massive amounts of real-time and historical data at high speeds to develop trending on user and system activity and reveal anomalies that indicate compromise.”
The report also mentions that one of the current challenges facing security teams using data analytics is how to store and process that massive amount of data. A blog post by EMC’s Chuck Hollis describes how new products from EMC and RSA use the cloud to combine storage and data analytics capabilities to provide real-time situational awareness designed to stop complex cyber threats.