What I did not hear people mentioning was PPM (Privileged Password Management). They should have. Why PPM? The reason is simple: APTs are primarily targeting one thing- privileged passwords.

PPM is the management of privileged account passwords. It involves securely storing, releasing, checking and changing the passwords for your privileged accounts. What are privileged accounts? A privileged account is the root account for your core system, your AD Enterprise Admin account, the local administrator account for your HR server – any account that either has elevated access, is shared, or requires individual accountability.

PPM can be done through a variety of ways manually or using technology-based solutions (whether a product or a service). The main issue is to ensure that these privileged accounts are being changed on a regular basis.

So how does PPM relate to APTs? Bruce Smalley had a nice analogy that he presented during his presentation. It related to his efforts to protect chickens from predators using a henhouse. I'll leave out some of the more graphic details, and sum it up to say that defense of chickens is like the defense of your network; if an adversary is determined to breach your environment, it all comes down to a question of time and money.

I personally like the analogy of a safe—no safe manufacturer claims its safe is impregnable – it rates the safe based on the tools and time required to breach. If you take the same perspective on your network, then you can assume that at some point your network will be breached.

With this in mind, what are APTs trying to gather? The APTs are actively trying to install keyloggers and other malware in order to capture privileged passwords. The reason a spear phishing attack is targeting a network admin isn't to get their personal account, it is to get the keylogger on that person's machine to wait for them to log in with Enterprise Admin and capture the valuable password.

The question then becomes the following: 'how long will that password that has just been capture be valid on the DC?'

This is the relationship between APTs and PPM. PPM will not stop APTs, but it can have a huge impact on the value of the information captured by an APT. If the Enterprise Admin account mentioned above is changed every 45 days, then the APT has a nice, long window to communicate that password back to the owner. If however, the password is automatically changed after use (let's say two hours later as an example), the window of the value of the captured password is significantly different.

To relate this to the henhouse analogy, PPM would be the equivalent of mounting the henhouse on a flatbed truck and driving it to a new location every two hours, without changing any of the security constructs around the henhouse (and making sure no added passengers are on board). Now predators need to find, breach, and exploit within two hours – instead of weeks or months. I think you'll end up with a lot more eggs.

This correlation is the reason that the Fortune 1000 has significantly stepped up PPM adoption in areas outside of the traditional financial services vertical. Other large companies that have very valuable intellectual property (whether trade secrets, information contacts, or other crown jewels) are looking to minimize the effects of APTs by using PPM. Many of the most notable breaches in the past two years have related to privileged accounts, and most directly related to APTs capturing these passwords.

If your credit union is not changing your privileged passwords, then the best henhouse in the world is not going to protect you forever. It is also interesting to note that PPM will typically cost less than NIDS, HIDS or almost any other control. So before investing in more chicken wire, maybe you should look into some wheels.

Kris Zupan, CISSP, is CTO at Rallypoint Solutions LLC in Wilmington, Del.