
Chinese hackers go after think tanks in wave of more surgical strikes - cepth
https://arstechnica.com/information-technology/2017/12/chinese-hackers-go-after-think-tanks-in-wave-of-more-surgical-strikes/
======
badrabbit
My opinion isn't that remarkable and is quite cheesy, but I seriously think not
using Windows and enabling two-factor authentication wherever possible is the
best defense against APT attacks. They are not "a room full of genius hackers";
most of their attacks I have read about use phishing attacks that can be
stopped by two-factor auth (credential stealing) and by not using PowerShell, MS
Office, Windows Script Host and other dependable and reliable tools that come
with Windows. It's not that Windows is so insecure but that it is so uniform
and easy to prepare an attack for.

Try finding a way to have a user download and execute a malicious executable
in Linux, or a script (much like Office macros); in my experience it is very
unreliable and difficult. You have to resort to 0-days or hope the machine
isn't well updated. Please correct me if I am wrong, I only speak from
limited experience.

I get how difficult replacing Windows can be in BigCorp and large
organizations, but for small orgs like think tanks that are at high risk of
APT attacks, I believe the risk associated with Windows and single-factor auth
far exceeds the cost of a Linux-only network with 2FA and dedicated security
staff.
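The comment above names the built-in Windows tooling (Windows Script Host, Office macros, PowerShell) as the usual phishing-to-execution path. For an organization that cannot drop Windows, the same reasoning translates into turning those paths off or at least logging them. The script below is an added example, not code from the post or the article; it assumes an elevated PowerShell 5.1 session on Windows 10/11 with Office 2016 or later (registry version key `16.0`), and the function names and the list of Office apps are this example's own. The registry locations are the documented policy keys for Windows Script Host, Office macro security and PowerShell script block logging.

```powershell
# Added hardening example (not from the post above). Assumes an elevated
# PowerShell 5.1 session on Windows 10/11 and Office 2016+ ("16.0" policy
# key). Function names and the $OfficeApps list are this example's own;
# adjust them for your environment.

$OfficeVersion = '16.0'
$OfficeApps    = @('Word', 'Excel', 'PowerPoint')
$WshKey        = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$PsLogKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-HardeningState {
    # Report the current state of each vector so a before/after diff is visible.
    # WSH: Enabled=0 under the Settings key stops wscript.exe/cscript.exe for all users.
    $wsh = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $state = [ordered]@{ WindowsScriptHostEnabled = ($wsh -ne 0) }

    foreach ($app in $OfficeApps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        # VBAWarnings 4 = disable all macros without notification.
        # blockcontentexecutionfrominternet 1 = block macros in files carrying Mark-of-the-Web.
        $state["$app.VBAWarnings"]         = $p.VBAWarnings
        $state["$app.BlockInternetMacros"] = $p.blockcontentexecutionfrominternet
    }

    # The PowerShell 2.0 engine predates script block logging and AMSI and is a
    # common downgrade target ("powershell -version 2").
    $ps2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    $state.PowerShellV2State = $ps2.State

    $log = (Get-ItemProperty -Path $PsLogKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $state.ScriptBlockLogging = ($log -eq 1)

    [pscustomobject]$state
}

function Set-Hardening {
    # 1. Disable Windows Script Host system-wide.
    New-Item -Path $WshKey -Force | Out-Null
    Set-ItemProperty -Path $WshKey -Name Enabled -Value 0 -Type DWord

    # 2. Disable VBA macros and block macros in Internet-sourced files for each Office app.
    foreach ($app in $OfficeApps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $sec -Force | Out-Null
        Set-ItemProperty -Path $sec -Name VBAWarnings -Value 4 -Type DWord
        Set-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }

    # 3. Remove the PowerShell 2.0 engine and turn on script block logging
    #    (events 4104 in Microsoft-Windows-PowerShell/Operational) for what remains.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    New-Item -Path $PsLogKey -Force | Out-Null
    Set-ItemProperty -Path $PsLogKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

Get-HardeningState
Set-Hardening
Get-HardeningState
```

Two caveats a practitioner would want: the Office values above live under HKCU, so they apply to the current user only and in practice belong in a Group Policy object rather than a local script; and `blockcontentexecutionfrominternet` only acts on files that carry the Mark-of-the-Web, so an attachment extracted from a container format that strips the mark is not covered by it, which is why `VBAWarnings = 4` is set alongside it. None of this addresses the credential-phishing half of the comment's argument; that is what the two-factor authentication the commenter recommends is for.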

