Today is one of those days when security news finds its way to the front page of mainstream news. The New York Times announced in a very detailed report that their network had been breached starting about four months ago in an Advanced Persistent Threat (APT) attack. Their story explains that the attackers have been repelled from their network with help from an outside security company.
What makes this story interesting and important reading is the scope of detail it provides around the attack. Because the Times is disclosing the attack only after it was thwarted, the story offers a broad view into the full lifecycle of an APT intrusion, from initial compromise through persistence, lateral movement and eventual eviction. The report also provides a level of detail that is rare in these situations. Anyone interested in security and in protecting against APTs should take some time and read the full New York Times’ story.
One thing the New York Times does is call out that they had security products in place and that those products failed to prevent the attack. They go so far as to name the vendor. Some have characterized this as “pointing the finger” at the vendor (who has defended themselves publicly). We don’t have detailed specifics on which products were deployed or how they were maintained. But the New York Times’ story and the vendor’s response would seem to imply that the protection regimen was focused on signature-based endpoint security (traditional antivirus). Presumably there were other protections, such as firewalls and possibly intrusion prevention systems (IPS), that also failed to prevent the attack, but the story does not specifically mention them.
With that information, and what we already know about how these attacks unfold, we can draw some lessons about what it takes to adequately defend an environment against APTs.