ISACA Advanced Persistent Threat Survey Shows Some Eye-opening Findings

ISACA Advanced Persistent Threat Survey Shows Some Eye-opening Findings

Advanced persistent threats (APTs) have been in the headlines over the past couple of years for affecting some high profile enterprise networks. Many thought these attacks were limited to government networks. However, in January 2010, the source code and intellectual property of Google and at least 20 other companies in the high-tech industry and defense industrial base were targeted and compromised during “Operation Aurora.” In November 2009, “Operation Night Dragon” included a series of coordinated and targeted attacks against the global oil and gas companies. These attacks made it very clear that APTs are not just government threats. Furthermore, in 2011 Stuxnet became a teachable moment for many trying to explain the need for better cyber-defenses, and as an inspiration for security researchers searching for new types of systems that could be hacked, according to Symantec’s’ Malicious Code Trends.

In an effort to gain insight into security professionals’ understanding of APTs and what enterprises are doing to detect and prevent them, the Information Systems Audit and Control Association (ISACA), conducted its “Advanced Persistent Threat Awareness Study” in late 2012. The study included over 1,500 information security managers in different industries and organizations throughout the world.

APTs differ significantly from traditional garden variety threats, yet they leverage many of the same attack vectors of their malware cousins. To clarify what is meant by an advanced persistent threat, the ISACA study uses the definition provided by the U.S. National Institute of Standards and Technology (NIST), which states that an APT is:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

In short, APTs are often aimed at the theft of intellectual property (espionage) as opposed to achieving immediate financial gain and are prolonged, stealthy attacks. These attacks are generally difficult to detect and may go on for many months before they’re discovered, often by a party outside the enterprise.

More than 25% of the survey respondents cite the loss of enterprise intellectual property as the biggest risk of an APT, followed closely by loss of customer or employee personally identifiable information (PII). About 90% of respondents believe that the use of social networking sites increases the likelihood of a successful APT. More importantly, approximately 22% of those surveyed said their organizations were victims of an ATP attack.

Additionally, about 60% of those surveyed believe it will only be a matter of time before their organization is targeted. And some 94% think APTs represent a credible threat to national security and economic stability.

According to the survey, “respondents are leveraging a variety of preventive and detective technical controls as well as education, training and policy to help reduce the likelihood of a successful breach.”

Despite this these efforts and recognition of an APT potential impact to their organizations, most enterprises are employing ineffective technologies to protect themselves against APTs, the report states. Specifically, nearly 95% of the surveyed are attempting to mitigate these threats with anti-virus and anti-malware solutions. This observation should raise many eyebrows because anti-virus and anti-malware solutions are largely ineffective against APT attacks. APTs often rely on vulnerabilities that have not yet been discovered by the AV/AM vendors—the dreaded zero-day attack.

93% of the respondents attempt to stop APTs at the network perimeter with technologies such as firewall. The report highlights this as “concerning,” given that APTs are known to have evaded such controls. Furthermore, the report shows a lower adoption of critical controls for mobile devices, remote access technologies (RATs), and logging/event correlation as part of a layered approach to APT mitigation.

87% of the survey participants believe bring your own device (BYOD), combined with rooting or jailbreaking the device, makes a successful APT attack more likely; but mobile security controls, which can be quite effective, are used much less frequently used to protect the organizations from these potential APT threat vectors.

There are two other areas that organizations haven’t taken into consideration when it comes to APTs: the cloud and outsourcing. When it comes to third party vendor agreements, about 82% of respondents have not updated their agreements with third parties for protection against APTs. The report sums up this oversight very well, saying “the lack of consideration being given to third parties is troubling. Enterprises must be sure that the data they outsource are protected—even if the provider itself experiences an APT attack.”

The survey report concludes that companies may need to consider additional controls such as network segregation and an increased focus on email security and user education. Many advanced attacks enter companies through unsolicited emails containing malicious links, and especially through spear phishing attempts.

In addition, while many of technological controls being employed by enterprises “are proficient for defending against traditional attacks, they are probably not as suited for preventing (or detecting) APTs. This is true for a number of reasons: APTs exploit zero-day threats, which are often unknown vulnerabilities, and many APTs enter the enterprise through well-designed spear phishing attacks.”

As can be seen by the survey report, many organizations don’t understand how advanced persistent threats differ from garden variety cyber attacks. It’s important for companies and their security professionals to understand the differences if they are going to successfully defend against APTs.

The ISACA study is available as a free download at