Skynet is Not The Enemy

To my knowledge, botnets, worms and other malware are not self-aware.

Yet most discussions with prospects interested in combating advanced targeted attacks such as the advanced persistent threat (APT) start off with requirements around detection and eradication of these forms of malware. Until self-aware programs bent on the destruction of the human race become a reality, our focus needs to shift to detection and eradication of the intruder.

What's the difference you may ask? A lot.

First, why do the APT, organized crime and other targeted attackers use RATS, (like Poison Ivy) or spear phishing attacks with PDF attachments that open up backdoors? One reason: because they work. What if they stopped working? If someone invented an easy button that stopped all spear phishing attacks, would you believe you had successfully stopped the APT for good? Of course not. They would find a new way to gain entry into your organization's network. Because to the APT and other advanced targeted attackers, RATS, botnets and other malware are a way IN. It is an early step in their process of owning your network. If this particular way in was blocked, they would find another way in. Count on it.

What this means is your battle is actually with a self-aware enemy. No, not Skynet. Your enemy is a human mind (in fact, many human minds). Perhaps a better analogy is that you are combating the Borg (you will quickly learn I am a Star Trek geek). The Borg was a collective that continually adapted to the target's defenses with a singular goal: assimilate everything. That's a pretty close definition of the APT: a collective of professional attackers that continually adapt to your defenses with a single goal - obtain your intellectual property. Maybe Rick Berman was sending us hints back then, "beware the APT are coming..."

So while you should devote resources to the detection of malware, don't lose sight of the true enemy. Otherwise they may slip in using other means - and if you aren't spending some of your resources and efforts looking for signs that you've been compromised, you may find yourself assimilated.

Resistance is NOT futile!