Tuesday, April 26, 2011

Defending Against The APT

Advanced Persistent Threat

Everybody has heard of the APT, yet very few people actually know what they can do to protect themselves. Below is a list of The Top 5 Things you can do to reduce the success of an APT attack:

1) Analyze Incoming Email:
 a. Pay extra attention to mail from FREE webmail providers like Yahoo, Gmail, etc.
 b. Watch for attachments that contain embedded exploits for vulnerable software and/or executables (.exe) with a modified icon.
 c. Watch for links directly to executables, compressed executables (e.g. a .zip containing an .exe) and web pages attempting to exploit your browser.

2) Analyze Outbound Connections:
 a. Many HTTP GET requests for long filenames.
 b. Many HTTP POST requests (careful not to trip on all that streaming media traffic).
 c. Anomalies in any other protocol you allow outbound.
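As an added illustration of item 2 (example code, not from the original post), the script below counts, per client, HTTP GET requests for long filenames and HTTP POST requests in a constructed, simplified proxy log, and skips an assumed allowlist of streaming media hosts so that traffic does not trip the heuristic. The log format, host names and thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log, one request per line: "<client> <method> <url>".
SAMPLE_LOG = """\
10.0.0.5 GET http://video.example.test/live/chunk_0001.ts
10.0.0.5 POST http://video.example.test/api/heartbeat
10.0.0.5 POST http://video.example.test/api/heartbeat
10.0.0.7 GET http://intranet.example.test/index.html
10.0.0.9 GET http://unknown.example.test/a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2.gif
10.0.0.9 GET http://unknown.example.test/c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.gif
10.0.0.9 GET http://unknown.example.test/e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6.gif
10.0.0.9 POST http://unknown.example.test/up
10.0.0.9 POST http://unknown.example.test/up
10.0.0.9 POST http://unknown.example.test/up
"""

LONG_NAME = 40                            # assumed: filename length we call "long"
GET_LIMIT, POST_LIMIT = 3, 3              # assumed: per-client counts before flagging
STREAMING_HOSTS = {"video.example.test"}  # constructed allowlist for the item 2b caveat

def count_requests(log_text, streaming_hosts=STREAMING_HOSTS):
    """Per client: long-filename GETs and POSTs, ignoring allowlisted streaming hosts."""
    counts = defaultdict(lambda: {"long_gets": 0, "posts": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] not in ("GET", "POST"):
            continue                      # skip malformed or other-method lines
        client, method, url = fields
        parts = urlsplit(url)
        if parts.hostname in streaming_hosts:
            continue                      # streaming media: expected GET/POST churn
        filename = parts.path.rsplit("/", 1)[-1]
        if method == "GET" and len(filename) >= LONG_NAME:
            counts[client]["long_gets"] += 1
        elif method == "POST":
            counts[client]["posts"] += 1
    return dict(counts)

def flag_clients(counts, get_limit=GET_LIMIT, post_limit=POST_LIMIT):
    """Return {client: [reasons]} for clients at or over either limit."""
    flagged = {}
    for client, c in counts.items():
        reasons = []
        if c["long_gets"] >= get_limit:
            reasons.append("many GETs for long filenames")
        if c["posts"] >= post_limit:
            reasons.append("many POSTs")
        if reasons:
            flagged[client] = reasons
    return flagged
```

Running `flag_clients(count_requests(SAMPLE_LOG))` flags only 10.0.0.9; dropping the allowlist (an empty `streaming_hosts`) makes the heartbeat POSTs from 10.0.0.5 count as well, which is exactly the false positive item 2b warns about.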
 
3) Ingress Filter:
 a. Make sure all traffic enters the network through YOUR mail/DNS servers.
 b. This makes #1 easier.

4) Egress Filter:
 a. Protocol enforcement (i.e. port 80 = HTTP ONLY).
 b. This makes #2 easier.

5) User Awareness Training:
 a. Condition your users to be skeptical and to avoid clicking on things from people they do not know and/or are not expecting.
 b. Set up a deterrence program by punishing those who do not think before they click.

The above list is meant to be generic, but hopefully it gives you a place to start or focus on. As always, your feedback is welcome.
