TechCrunch got hit again. Less than 24 hours after they were hacked and their site defaced, they were hit a second time. Maybe this is why everyone is so keen on discussing APT (Advanced Persistent Threat).
This attack on TechCrunch is not really what folks mean when they discuss APT, because so far it doesn’t look like the hackers were trying to acquire any trade secrets, and the hack probably wasn’t that advanced, though I haven’t read any specific details of the actual hack. What I find interesting is the persistent piece. This goes back to an idea from a previous post about Threat Modeling: what do you do when you are the target of a group of malicious hackers?
The first thing you need to do is find out that you are under attack. For TechCrunch it was a bit late: they found out when they saw that their web page had been defaced. In the Google vs. China case they were able to trace the attack back to its source, but by then it had been going on for weeks. So how do you find out before you are compromised? Sometimes there is no way. But sometimes there is.
With a layered approach to network security you are not just trying to stop attackers; you are trying to find out how they are attacking you and maybe even what they want. By correlating logs and activity from your routers, firewalls, IDSes, web servers, and other devices on your network you should be able to build a pretty clear picture of what is happening. The correlation only works if the logs are shipped off the boxes that generate them (so a compromised host can’t quietly erase its own trail) and the clocks are synchronized, otherwise the events never line up. By monitoring these you can build a map of how you are being attacked (and you are, even if you aren’t the specific target) and then formulate a plan to make sure you are not vulnerable to those attacks.
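To make the correlation idea concrete, here is an added example (my own code, not anything from the original post or from TechCrunch’s setup) that joins firewall, IDS and web-server log lines by source IP and lays them out as one timeline per host. The log lines are constructed for the example; the formats are simplified stand-ins for iptables kernel messages, Snort-style fast alerts and Apache combined logs, and the year assumed for the syslog and IDS timestamps (which carry none) is an assumption.

```python
"""Correlate firewall, IDS and web-server logs by source IP (added example)."""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2010  # syslog and Snort fast alerts carry no year; assumed here

# Constructed sample log lines, not captured traffic. One host (203.0.113.7)
# probes closed ports, gets through on 80, trips an IDS rule and then causes
# a 500; a second host (192.0.2.44) is an ordinary visitor.
FIREWALL_LOG = """\
Feb 25 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
Feb 25 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=3306
Feb 25 10:01:04 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=80
Feb 25 10:05:00 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP DPT=80
"""
IDS_LOG = """\
02/25-10:01:10.000000 [**] [1:2100001:1] WEB-ATTACK sqlmap user agent [**] {TCP} 203.0.113.7:51234 -> 198.51.100.10:80
"""
WEB_LOG = """\
203.0.113.7 - - [25/Feb/2010:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "sqlmap/1.0"
203.0.113.7 - - [25/Feb/2010:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "sqlmap/1.0"
203.0.113.7 - - [25/Feb/2010:10:01:12 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.0"
192.0.2.44 - - [25/Feb/2010:10:05:00 +0000] "GET / HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
"""

FW_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (DROP|ACCEPT) .*?SRC=(\S+) .*?DPT=(\d+)")
IDS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[\d:]+\] (.*?) \[\*\*\] .*?\{\w+\} (\S+?):\d+ -> ")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def parse_firewall(text):
    """Firewall events. A DROP is a 'signal': someone knocked on a closed port."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            action = m.group(2)
            yield {"ts": ts, "source": "firewall", "ip": m.group(3),
                   "detail": f"{action} dport {int(m.group(4))}", "signal": action == "DROP"}


def parse_ids(text):
    """IDS alerts. Every alert is a signal by definition."""
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
            yield {"ts": ts, "source": "ids", "ip": m.group(3), "detail": m.group(2), "signal": True}


def parse_web(text):
    """Web-server requests. A 4xx/5xx status is treated as a signal."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")  # drop the tz offset
            status = int(m.group(4))
            yield {"ts": ts, "source": "web", "ip": m.group(1),
                   "detail": f'{status} "{m.group(3)}" ua={m.group(5)}', "signal": status >= 400}


def correlate(fw_text, ids_text, web_text):
    """Return {source_ip: [events sorted by time]} across all three log sources."""
    timeline = defaultdict(list)
    for ev in (*parse_firewall(fw_text), *parse_ids(ids_text), *parse_web(web_text)):
        timeline[ev["ip"]].append(ev)
    for events in timeline.values():
        events.sort(key=lambda e: (e["ts"], e["source"]))
    return dict(timeline)


def signal_sources(events):
    """Set of log sources that independently flagged this host."""
    return {e["source"] for e in events if e["signal"]}


def suspicious(timeline, min_sources=2):
    """Hosts flagged by at least `min_sources` different layers; one noisy layer alone is not enough."""
    return sorted(ip for ip, evs in timeline.items() if len(signal_sources(evs)) >= min_sources)


def narrative(events):
    """Human-readable per-host story of the attack, one line per event."""
    return [f"{e['ts']:%H:%M:%S} {e['source']:8} {e['detail']}" for e in events]


if __name__ == "__main__":
    tl = correlate(FIREWALL_LOG, IDS_LOG, WEB_LOG)
    for ip in suspicious(tl):
        print(f"== {ip} flagged by {sorted(signal_sources(tl[ip]))}")
        print("\n".join(narrative(tl[ip])))
```

The point of requiring signals from two independent layers is that each layer on its own is noisy (firewalls drop stray packets all day, IDS rules false-positive, web servers return 404s), but a host that shows up as a port probe, an IDS alert and a server error within seconds is a story, not noise, and the per-host narrative tells you what it was after.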
The first step doesn’t have to be denial.