“Advanced persistent threat (APT) is a term that has been used frequently in the course of security threat discussions; however, confusion exists as to what an APT is and how to manage the risk associated with it. Although the study reveals that a large number of respondents feel that APTs are a significant threat and have the ability to impact national security and economic stability, the study also indicates that the controls being used to defend against APTs might not be sufficient to adequately protect enterprise networks.”
So says a new report from ISACA, which shows that 21% of organisations have experienced an advanced persistent threat attack, whilst 66% believe their company will be hit by an APT sooner rather than later.
Despite such experience and sentiment, many enterprises are hardly prepared for such an attack, with a mere fifteen percent declaring that they are well prepared for such an eventuality. Alarmingly, only a third of organisations that had already been on the wrong end of an APT attack could determine the source.
ISACA’s 2014 APT Study polled 1,220 security professionals from a broad range of organisations and found that the majority felt they were well positioned to identify, respond to and nullify an APT attack, primarily by adopting a risk-based approach to planning.
A range of controls were found to be employed by most enterprises though they were more robust amongst those which felt most at risk of an APT attack. The majority of organisations responded that their primary controls were technical in nature, citing firewalls, access lists and anti-virus as the most popular means of defence.
On the flip side, fewer than 30% of the organisations polled said they were utilising any mobile controls, even though 88% accepted that employees’ use of mobile devices was often a major contributing factor in an APT attack.
Also of note is that almost 40% of enterprises report that they are not using user security training and controls to defend against APTs which, if done well, could go a long way in mitigating the risks surrounding social engineering and spear phishing attacks. Even in organisations which recognise an increased likelihood of an APT attack, investment in such training is unlikely to have increased, despite the quick gains that it offers.
Commenting on the report, Mark Sparshott, director of EMA at Proofpoint, had this to say:
“The fact that 50% of security professionals who responded to the survey do not see APTs as highly differentiated from traditional attacks means that 50% of those interviewed should consider a career change.
Organisations need to ensure the security teams that they are relying on to defend their business understand how easily APT attacks bypass traditional security controls like Firewalls, Anti-Spam, Anti-Virus and Anti-Malware tools that 96% said were a Technical Control for preventing APT attacks.
Encouragingly, 92% of respondents recognised Social Networking makes APT attacks easier, with personal information harvested from these sites used to craft compelling and believable targeted emails. As Proofpoint’s Human Factor research showed, targeted email attacks like spear-phishing and longlining, the main initial APT attack vector, have a 1 in 10 success rate and Social Networking invites are the #1 lure, with LinkedIn Invitations achieving the highest success rate of any email lure.”
Robert Stroud, international president of ISACA and a vice president at CA Technologies, said:
“The good news is that more enterprises are attempting to better prepare for the APT this year. The bad news is that there is still a big knowledge gap regarding APTs and how to defend against them—and more security training is critically needed.”
While more enterprises report that they are adjusting vendor management practices (23%) and incident response plans (56%) in order to address APTs this year, ISACA believes the numbers still need significant improvement, with Tony Hayes, ISACA’s immediate past international president, saying:
“APTs are stealthy, relentless and single-minded, and their primary purpose is to extract information such as valuable research, intellectual property or government data. In other words, it is absolutely critical for enterprises to prepare for them, and that preparation requires more than the traditional technical controls.”
The report concludes by saying that seventy-five percent of respondents had noted a lack of guidance in the market focused on APTs – is that your experience?