SlideShare a Scribd company logo

2015-advanced-persistent-threat-awareness_whp_eng_1015

R
Robin "Montana" Williams

The document discusses the results of a study on advanced persistent threats (APTs) conducted by ISACA. Some key findings include: - Awareness of APTs has increased since 2014, though awareness may have regressed slightly in 2015. Over 90% of information security professionals surveyed said they were familiar with APTs. - Most respondents believe their organizations have not been directly targeted by an APT, but nearly three-quarters feel their organizations will likely be targeted in the future. - Perceptions of APTs have shifted from seeing them as unique threats to seeing them as similar to traditional cyber threats. Increased familiarity may be contributing to this shift in view. - Improvements have

1 of 17
Download to read offline
Study Results Advanced persistent threats (APTs) continue to enjoy the spotlight in the wake of their successful use to launch several high-profile data breaches. The fourth in a series of ISACA studies designed to uncover information security professionals’ understanding and opinions of APTs, technical controls, internal incidents, policy adherence and management support, this report reveals positive trends since the 2014 survey. Improvements can be seen in the level of awareness of the unique aspects of APTs and the benefits of addressing them through a variety of countermeasures. A strong correlation clearly exists between the perceived likelihood of an APT attack on the enterprise and the enterprise’s adoption of improved cybersecurity practices. Yet, not all avenues for APT intrusion are fully locked down. Mobile device security is lagging, despite acknowledgment that the “bring your own device” (BYOD) trend increases APT risk, and a preference is seen for technical controls over education and training, even though many successful APT attacks gain entry by manipulating individuals’ innate trust and/or lack of understanding. 2015 Advanced Persistent Threat Awareness— Third Annual www.isaca.org/cyber
2© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Table of Contents Introduction to the Report 03 Defining Advanced Persistent Threats 04 Description of the Population 06 Perspectives on APTs 07 Awareness 07 Direct APT Experience 09 APT Impact on Policies and Practices 11 Conclusions 15 List of Figures Figure 1 Industries of Survey Participants 05 Figure 2 Geographic Distribution 06 Figure 3 Likelihood of APT Attack 06 Figure 4 Familiarity With APT 07 Figure 5 Perception of Nature of APT Threats 07 Figure 6 Degree of Enterprise Risk 08 Figure 7 Enterprise Ability to Deal With an APT Attack 09 Figure 8 Correlation Between Likelihood of and Preparedness for an APT Attack 09 Figure 9 Technical Controls Used to Protect Against APT Attacks 10 Figure 10 Correlation Between Likelihood of APT Attack and Use of Technical Controls 11 Figure 11 Correlation Between Familiarity With APTs and Updating of Third-party Contracts 12 Figure 12 Correlation Between Likelihood of APT Attack and Executive Involvement 13 Figure 13 Correlation Between Likelihood of APT Attack and Executive Actions 13 Figure 14 Correlation Between Likelihood of Attack and Adjustment of Incident Response Plans 14 Figure 15 Correlation Between Likelihood of Attack and Increase in Awareness Training 14
3© 2015 ISACA. All Rights Reserved. Introduction to the Report In 2013, ISACA, in collaboration with Trend Micro® , released its first study on advanced persistent threat (APT) awareness. ISACA’s Guidance and Practices Committee launched the APT Awareness Study to comprehend better how well security professionals understand APTs and identify what is being done to prevent them. The study reported on data collected in 2012 and demonstrated that although APTs had received much market attention, there was still a lack of clarity around what actually defined an APT and how to protect and defend against it. To determine whether the landscape had evolved, ISACA repeated the survey in January 2014 and July 2015. Each year, the survey is distributed to a sample of ISACA member and nonmember security professionals, which includes information security managers in different industries and organizations throughout the world. The sample population consists of current holders of ISACA’s Certified Information Security Manager® (CISM® ) credential and other information security professionals. The 2015 survey, the results of which are reported in this publication, provides an updated view of these professionals’ perceptions of the APT and organizational attitudes about its impact on business operations and economics. The survey, which uses multiple-choice and Likert scale formats, is organized in five sections: • Demographics • APT Awareness • Direct APT Experience • Security Controls, Processes and Responses • APT Impact on Policies and Practices How Secure Is Your Enterprise? Take our free ISACA APT Awareness Survey Quiz and see how well your organization scores on its APT-readiness. Download it now!
4© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS 1 “Cybercrime Will Cost Businesses Over $2 Trillion by 2019, Finds Juniper Research,” PR Newswire, 12 May 2015, www.prnewswire.com/news-releases/cybercrime-will- cost-businesses-over-2-trillion-by-2019-finds-juniper-research-503449791.html 2 Verizon, Verizon 2015 PCI Compliance Report, 2015, www.verizonenterprise.com/pcireport/2015/, 3 FireEye Advanced Threat Report: 2013, https://www2.fireeye.com/advanced-threat-report-2013.html 4 Mandiant, M-Trends 2015: A View From the Front Lines, https://www2.fireeye.com/WEB-2015-MNDT-RPT-M-Trends-2015_LP.html 5 Verizon, Verizon 2015 PCI Compliance Report, www.verizonenterprise.com/pcireport/2015/ Defining Advanced Persistent Threats Every year the damage and costs related to cyberattack multiply at a shocking rate. Major cyberattacks targeting financial, retail, healthcare, government and the entertainment industries have resulted in tens of millions of exposed records, billions spent on remediation and significant damage to many brands. Cybercriminals continue to exploit individuals and enterprises while increasing profits from more than US $300 billion in 2012 to an estimated US $1 trillion in 2014. Juniper Research has predicted that profits will top US $2 trillion in 2019.1 But money is not all the cybercriminals are after. They compound their financial success by stealing sensitive data in espionage attempts. Unfortunately, negative cybersecurity incidents show no signs of decreasing. On the contrary, industry and vendor reports indicate that attacks are on the rise as cybercrime, hacktivism and advanced attacks continue to pester enterprise networks. Admittedly, some progress in defending against cyberattacks has been made: Many preventive controls have emerged that have made it more difficult for those with malicious intent to penetrate networks, and detective controls have helped to identify quickly when a breach does occur. Still, some attacks are very difficult to spot. Efforts to stay ahead of cybercriminals and APTs are not helped by the skills gap that exists in the information security workforce. Current practitioners lack the requisite skills to leverage the technology; understand the threat; and integrate cybersecurity risk management strategies, tools and policies to defend against the APT. The failure or inability to leverage technology and implement strategies based on industry standards and good practices is illustrated by Verizon’s 2015 report on the payment card industry (PCI), which notes that only one in five businesses is compliant with the PCI Data Security Standard (PCI DSS).2 As technology changes and information security tools evolve, so too do the tactics, techniques and procedures of threat actors. Social engineering remains at the center of APT activity to gain footholds into information systems. Early efforts began with phishing, then evolved to spear phishing, and proceeded on to whaling, which often included an attachment or a link that contained malware or an exploit. However, over the past three years APTs have moved on to the Internet as the main attack vector (e.g., web sites, social media and mobile applications). Watering hole (fake web site) attacks have increased in frequency and often use a browser-based, zero-day attack. In fact, recent reports by leading cybersecurity experts have found that web-based attacks outnumber email-based attacks nearly five to one,3 and web applications and point-of-sale systems are leading hacker targets.4,5 Opinions differ on what makes a threat an APT. Some state that APT is just a marketing term; others believe there is no difference between an APT and a traditional threat; yet others say that an APT is a nation-state-sponsored activity that is geared toward political espionage. Which is true? APTs are often seen in nation-state-sponsored attacks (but it is very hard to prove), and they do often use the same attack vectors that traditional threats leverage. However, they also employ different attack methodologies and display different characteristics from those evidenced by traditional threats. Because so many differing opinions of what constitutes an APT exist in the market, ISACA’s planning for the initial study included the realization that it was critical to establish a broadly accepted definition. This definition was retained in the subsequent surveys. ISACA’s definition specifies that APTs are often aimed at the theft of intellectual property (espionage) as opposed to achieving immediate financial gain and are prolonged, stealthy attacks. This wording aligns with the definition used by the US National Institute of Standards and Technology (NIST), which states that an APT is:
5© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.6 This definition provides a good base from which to understand the differences between traditional threats and APTs. Interaction with a command-and-control center, repeated pursuit of objectives, adaptation to defenders, and persistence set APTs apart from the typical attack. There is a “who” behind the APT; it is not just a random spray of malware—someone is specifically targeting the enterprise. The primary purpose of most APTs is to extract information from systems—critical research, enterprise intellectual property, government information or other data. APTs are advanced and stealthy, often possessing the ability to conceal themselves within the enterprise network traffic, interacting just enough to get what they need to accomplish their job. Their facility with disguise and ability to morph when needed can be crippling to security professionals’ attempts to identify or stop them. In addition to their stealth and adaptability, APTs are characterized by their persistence. For example, traditional cyberthreats try to exploit a vulnerability, but often will move on to something less secure if they cannot penetrate their initial target. APTs, on the other hand, do not stop. Their single- minded persistence in pursuing their target and repeated efforts to complete the job they were created to do means they will not go away after one failed attempt. They will make continual attempts until they meet their objective—or until they are mitigated and removed. The people and groups behind APT attacks are determined to achieve success and appropriately resourced to do so. 6 NIST, Special Publication 800-39: Managing Information Security Risk—Organization, Mission, and Information System View, USA, March 2011, http://csrc.nist.gov/ publications/PubsSPs.html#SP 800 Industries of Survey Participants FIGURE 1 WITHIN WHICH OF THE FOLLOWING INDUSTRIES ARE YOU EMPLOYED? Technology Services/Consulting Financial/Banking Government/Military—National/State/Local Telecommunications/Communications Manufacturing/Engineering Insurance Health Care/Medical Miscellaneous Mining/Construction/Petroleum/Agriculture Utilities Transportation Retail/Wholesale/Distribution Education/Student 0% 5% 35% 30% 25% 20% 15% 10% Percentage of Respondents
6© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS IN WHICH OF THE FOLLOWING AREAS DO YOU RESIDE? HOW LIKELY DO YOU FEEL THAT IT IS THAT YOUR ORGANIZATION WILL BE THE TARGET OF AN APT? Description of the Population Because this ongoing study’s purpose is to measure information security characteristics such as understanding of APTs and knowledge of internal controls, internal incidents, policy adherence and management support, the survey population consists of those who deal with those issues every day: professionals with information security responsibilities. The study’s global sample includes those who hold ISACA’s Certified Information Security Manager (CISM) credential and other information security professionals with whom ISACA interacts. For the 2015 survey, SurveyMonkey® (www.surveymonkey. com) was used to collect the data from 661 individuals globally, 96 percent of whom are members of ISACA. Seventeen industries are represented in the study, the most highly represented industry being the technology services and consulting field, in which 32 percent of the respondents work (figure 1). The highest concentration of respondents resides in Europe/ Africa (40 percent), followed by North America (30 percent) (figure 2). Based on these demographic factors, a typical participant can be described as: • An ISACA member • European/African or North American • Working in the technology services/consulting industry or the financial services/banking industry 9 Ponemon Institute, 2014 Global Report on the Cost of Cyber Crime, https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf 10 Bodeau, Deborah J.; Richard Graubart; Cyber Resiliency Engineering Framework, The MITRE Corporation, 2011, www.mitre.org/sites/default/files/pdf/11_4436.pdf Geographic Distribution Likelihood of APT Attack FIGURE 3 Europe/Africa Asia North America Latin America Oceania 40% 30% 19% 6% 5% Likely 52% Very likely 22% Not at all likely 1% Not very likely 25% FIGURE 2
7© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS DO YOU BELIEVE THAT APTS ARE SIMILAR OR UNIQUE TO HISTORICAL THREATS? HOW FAMILIAR ARE YOU WITH APTS? Perspectives on APTs The analysis of the 2015 survey results suggests that there may be a slight regression in level of awareness regarding APTs as compared to the 2014 study. In 2014, 96 percent claimed familiarity with APTs; that figure drops to 94 percent in 2015. The 2015 survey results indicate that 72 percent of respondents believe their organizations have not been targeted by an APT-related attack; while an almost equal number (74 percent) think they will be targeted in the near future (figure 3). It is, of course, possible that the respondents’ stated belief that their organizations have not been targeted may instead reflect a lack of awareness that a breach has already occurred. However, progress is being made on identifying potential breaches before they occur and mitigating their effect quickly. The 2015 study reports a significantly larger percentage of respondents (over previous years’ studies) who are adjusting practices by employing newer technologies, antivirus/malware software, signature management, logging and security awareness/training. These activities are reflected in an expanded awareness of the steps of the APT threat life cycle; three out of four respondents were able to identify all seven steps of the life cycle. All this adds up to improvements in cybersecurity practices. However, the same degree of effort is not being applied to mobile security, as is discussed later in this publication. Awareness Almost one-quarter of the 2015 respondents consider themselves very familiar with APTs, and a total of 94 percent characterize themselves as having at least some familiarity (figure 4). The degree of familiarity appears to be a positive indicator and may contribute to a shift in how APTs are perceived. In 2014, 51 percent of the respondents saw APTs as unique threats, a result that is reversed in 2015, where 51 percent see the APT as similar to traditional threats (figure 5). Familiarity With APT Perception of Nature of APT Threats FIGURE 4 FIGURE 5 Very familiar 22% Familiar 45% Somewhat familiar 27% Not at all familiar 6% Unique 49% Similar to Traditional Threats 51%
8© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS WHAT DO YOU BELIEVE TO BE THE HIGHEST RISK TO YOUR ENTERPRISE ASSOCIATED WITH A SUCCESSFUL APT ATTACK? This may be indicative of the high degree of sophistication demonstrated by current breaches, making all attack methodologies used today appear more advanced (and, therefore, APT-like). Also, many more attacks are now being attributed to nation-state actors, who are known to rely on APT-related tactics, techniques and procedures. Recent breaches have highlighted the APT. Perhaps this higher profile has resulted in blurring the lines between traditional threats and advanced threats, creating confusion in the marketplace. This is troubling because if security professionals do not understand the differences between the threat classes, it follows that they may find it difficult to properly identify, defend against and respond to APTs. Given that a stunning 97 percent of the 2015 respondents report their belief that APTs represent a credible threat to national security and economic stability (up from 92 percent in 2014), the importance of having a clear understanding of APTs is self-evident. Other awareness highlights include: • A growing belief that the use of social networking sites increases the likelihood of a successful APT attack (95 percent in 2015, up from 92 percent in 2014) • A broadly held conviction (89 percent of 2015 respondents) that “bring your own device” (BYOD), combined with rooting (Android manipulation by the owner of the device to gain more access to OS and hardware functions) or jailbreaking (iOS manipulation by the owner of the device to evade vendor limitations), makes a successful APT attack more likely While there is a high level of agreement among the 2015 respondents that APTs are cause for concern, there is less agreement on the biggest risk to the enterprise in the event of a successful APT attack (figure 6). The 2015 respondents agree with the 2014 participants that loss of personally identifiable information is the biggest risk to the enterprise. However, the recent high-profile breaches may be the cause of the 2015 survey participants selecting reputation damage as the second largest risk (24 percent), bumping loss of intellectual property into third place (22 percent in 2015, down from 24 percent in 2014). 2015’s top two issues reverse the positions assigned by the initial study’s (2013) respondents. Degree of Enterprise Risk FIGURE 6 Loss of Personal Information of Employees or Customers 0% 5% 30% 25% 20% 15% 10% Percentage of Respondents Reputational Damage Loss of Intellectual Property Financial Loss (tangible) Contractual Breach (due to the above) or Legal Issues Loss of Availability - i.e., Business Continuity Issues
9© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Direct APT Experience While respondents may have developed risk scenarios of a successful APT attack, most have not yet had to deal with the actuality of an attack. Only 28 percent of respondents report having been subject to an APT attack. Of those, 25 percent are employed in the technology services and consulting field, and 19 percent work in government or military (national/state/local). Additionally, among those who have been subject to attack, 65 percent were able to identify its source. All respondents were asked whether they consider their enterprises prepared to deal with the threat of an APT. There is a significant amount of confidence among respondents that that they do have the ability to detect, respond to, and stop an APT attack (figure 7). It is worth looking further into enterprises’ ability to respond to attack. Respondents were asked to indicate their enterprises’ ability to respond, with the different levels of preparedness specifically defined: “Very prepared” means having a documented and tested plan in place; “Prepared” signifies having an incident management plan, although it does not specifically cover APTs; “Not very prepared” and “Not prepared at all” are clear and are not included in calculating any degree of preparedness. Overall, more than 67 percent of the 2015 respondents believe that they are ready to respond to APT attacks to some degree; this represents a decrease of 7 percentage points from 2014’s statistic of 74 percent. The degrees of preparedness reported are 18 percent in the “very prepared” category and close to 50 percent in the “prepared” category. This leaves 33 percent of respondents not confident that they are prepared to deal with an event triggered by this class of threat. Interesting correlations can be drawn between the perceived likelihood of an enterprise being subject to attack and its degree of preparedness to deal with it. Among the 22 percent of respondents who believe it is “very likely” that their organizations will be the target of an APT attack, only 45 percent consider themselves “very prepared” and 35 percent place themselves in the “prepared” category (figure 8). Combining the two groups reveals that 80 percent of those who characterize their enterprise as “very likely” to be targeted are prepared—to some degree—to deal with APTs (up from 75 percent in 2014). Likewise, those who identify their enterprises as “likely” targets (52 percent) Correlation Between Likelihood of and Preparedness for an APT Attack Very likely Likely Not very likely Not at all likely Very Prepared— Documented and Tested Plan in Place 45% 15% 2% 0% Prepared—Incident Management Exists but Does Not Cover APT 35% 58% 46% 29% Not Very Prepared 18% 25% 49% 57% Not Prepared at All 2% 2% 4% 14% Total 22% 51% 26% 1% Enterprise Ability to Deal With an APT Attack FIGURE 7 FIGURE 8 60% 40% 20% 0% DETECT APT ATTACKS RESPOND TO APT ATTACKS STOP A SUCCESSFUL ATTACK VERY ABLE ABLE NOT ABLE NOT AT ALL ABLE
10© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS WHICH SPECIFIC CONTROLS IS YOUR ENTERPRISE USING TO PROTECT SENSITIVE DATA FROM APT ATTACKS? believe they, too, are ready to deal with an attack, with 15 percent considering themselves “very prepared” and 59 percent claiming to be “prepared.” While the total “prepared” percentage for this group (74 percent) is not as high as the “very likely” group, this population has a lower likelihood expectation of attack as well. The correspondence between likelihood and preparation continues in the lower likelihood categories. Among those who categorize their enterprises as “not very likely” targets of an APT, only 48 percent report feeling prepared for an attack to some extent. Of the group that considers its enterprises “not at all likely” to be subject to attack, only 29 percent claim to be prepared for attack (figure 8). Regardless of the degree of preparedness, it is clear that at least some controls and countermeasures are in place on which the respondents are relying to address an APT attack. What approaches are being used? Enterprises seem to be taking a risk-based approach to planning for an APT. As has been previously noted, nearly three-quarters of respondents indicate their belief that their enterprise is likely to be targeted for an APT attack; controls in the enterprises represented by these respondents are more prevalent than in the enterprises not characterized as highly likely to become an APT target. This is true not only of technical controls. Throughout the study, there is a significant correlation between the respondents who believe that their enterprises will be targeted by an APT and those who have adjusted components in the security program (such as awareness training and incident response plans) to prepare for potential attack from an APT. Respondents are leveraging a variety of preventive, detective and investigative controls to help reduce the likelihood of a successful breach. A very high percentage of those surveyed (95 percent) report that they are using antivirus and anti- malware and/or traditional network perimeter technologies (to thwart APTs), but critical controls for mobile devices, remote access technologies (RATs), sandboxing and endpoint control are much less prevalent (figure 9). Technical Controls Used to Protect Against APT Attacks FIGURE 9 0% 60% 40% 20% Percentage of Respondents 80% 100% Antivirus, Anti-malware Network Technologies (firewalls, routers,switches, etc.) Log Monitoring/Event Correlation IPS (signature/abnormal event detection and prevention based controls) User Security Training & Controls (IDM, password, awareness training, etc.) Network Segregation (zoning off) Endpoint Control Remote Access Technologies Mobile Security Gateways Sandboxes (environment with limited functionality used to test untrusted code) Mobile Anti-malware Controls
11© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS In addition to these technical controls, 73 percent of respondents (up 4 percentage points from 2014) are using training and education to help prevent against attacks such as spear phishing and social engineering, which specifically attempt to exploit the human factor. It is clear that a correlation exists between perceived likelihood of APT attack and degree of preparation to deal with the attack. A similar degree of alignment can be found between likelihood of APT attack and usage of more technical controls (figure 10). Educational training is also more prevalent as a defense within enterprises considered very likely to become targets. While it is a positive sign that a higher level of perceived likelihood of an APT breach correlates to the increased use of technical and educational controls, it is concerning that network perimeter technologies and antivirus and anti-malware top the list of controls used because APTs have been shown to leverage zero-day vulnerabilities, which render tools that look for known signatures and vulnerabilities irrelevant. As was noted previously in this publication, 88 percent of respondents recognize that BYOD, combined with rooting and jailbreaking, is significant in increasing the likelihood of an attack. Given this awareness, it is surprising to see that mobile security reflects such low usage to help defend against APTs. APT Impact on Policies and Practices The threat of APT attack calls for many defensive approaches, among them technical controls, IT/cybersecurity workforce training and certification, changes in human resource awareness training, and updates to third-party agreements. Additional considerations examined in the survey are the effect of APT threats on enterprise policies and the practices and attitudes of executive management toward cybersecurity initiatives. Nearly two-thirds of the survey participants (62 percent) indicate that their organizational leadership is becoming more involved in cybersecurity-related activities and 80 percent see a visible increase in support by senior management. Ninety percent of the respondents’ organizations now include cybersecurity in their organizational risk management strategy. Correlation Between Likelihood of APT Attack and Use of Technical Controls FIGURE 10 Very likely Likely Not very likely Not likely at all Total IPS (signature/abnormal event detection and prevention-based controls) 25% 53% 21% 1% 77% Antivirus, Anti-malware 22% 52% 25% 1% 95% Network Technologies (firewalls, routers, switches, etc.) 23% 51% 25% 1% 93% Network Segregation (zoning off) 24% 53% 21% 2% 73% Sandboxes (environment with limited functionality used to test untrusted code) 32% 52% 15% 1% 35% Log Monitoring/Event Correlation 25% 51% 22% 1% 75% Remote Access Technologies 24% 50% 25% 1% 59% End-point Control 25% 50% 24% 1% 64% Mobile Security Gateway 30% 51% 18% 1% 37% Mobile Anti-malware Controls 32% 51% 16% 1% 26% User Security Training and Controls (IDM, password, awareness training, etc.) 24% 53% 22% 1% 74% Total Respondents 122 279 133 7 541
12© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Vendor Management Vendor management is an important factor in protecting outsourced data. Therefore, the study examined ongoing relationships with third parties to see whether enterprises are adjusting contract language or service level agreements (SLAs) to ensure that third parties are practicing due diligence to protect themselves from APTs and to require financial restitution in the event that—despite controls—they are breached, resulting in damage to the customer. Overall, 75 percent of respondents have not updated agreements with third parties for protection against APTs. While this is a disturbing statistic, especially in light of the numerous high-profile data breaches that have resulted from attacks that first targeted vendors supporting larger organizations, it does represent an improvement, albeit a negligible one, over the 2014 survey, in which 76 percent reported that they had not adjusted third-party agreements. The percentage improves slightly when cross-referenced with the degree of familiarity with APTs, as illustrated in figure 11. One-third of the respondents who indicate they are very familiar with APTs have updated their third-party contracts to address APTs, a figure that drops to only 19 percent among those who describe themselves as having no familiarity with APTs. Overall, 75 percent of respondents have not updated agreements with third parties for protection against APTs. Correlation Between Familiarity With APTs and Updating of Third-party Contracts FIGURE 11 0% 80% 60% 40% 20% 100% VERY FAMILIAR FAMILIAR SOMEWHAT FAMILIAR NOT AT ALL FAMILIAR Yes, we have updated our third-party contract language to address APTs. No, we have not updated our third-party contract language to address APTs.
13© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Executive Involvement Given the increased attention that APTs have received in recent years, it might be expected that executives would become more involved in cybersecurity activities. Survey respondents were asked to indicate whether they note a change in executive activity within their enterprises. In a similar fashion to other findings in the study, there is a correlation between the perceived likelihood of the enterprise being an APT target and the level of executive involvement, with more likely targets reflecting increased executive involvement and less likely targets showing less executive engagement (figure 12). Those who indicated seeing increased executive involvement in security initiatives were asked the types of specific actions in which executives are engaging. Results indicate security budgets have increased (53 percent of respondents); the majority (80 percent) reported seeing increased visible support from senior executives, while 61 percent noted increased policy enforcement. When the responses are filtered according to the likelihood of the enterprise being targeted by APTs, the numbers shift (figure 13). Results indicate security budgets have increased (53% of respondents); the majority (80%) reported seeing increased visible support from senior executives, while 61% noted increased policy enforcement. Correlation Between Likelihood of APT Attack and Executive Involvement FIGURE 12 0% 80% 60% 40% 20% VERY LIKELY LIKELY NOT VERY LIKELY NOT AT ALL LIKELY Yes, executive leadership demonstrates increased involvement in cybersecurity activities. No, executive leadership does not demonstrate increased involvement in cybersecurity activities. Correlation Between Likelihood of APT Attack and Executive Actions FIGURE 13 0% 80% 60% 40% 20% 100% INCREASED SECURITY BUDGETS INCREASED VISIBLE SUPPORT FROM EXECUTIVE LEADERSHIP INCREASED SECURITY POLICY ENFORCEMENT VERY LIKELY LIKELY NOT VERY LIKELY NOT AT ALL LIKELY
14© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Correlation Between Likelihood of APT Attack and Increase in Awareness Training Although enterprises characterized as very likely targets for an APT are enjoying increased security budgets and policy enforcement, all enterprises, regardless of perceived likelihood of APT attack, seem to be benefitting from a significant level of visible support from senior executives. Incident Management and Awareness Training Managing a successful APT attack is not always as easy as removing the violating threat. Many APTs are adaptable and have the ability to change to suit the circumstances. Typical incident response plans designed to stop and remediate might not be suitable for APTs; the plans should be reviewed and incorporation of specific provisions for APTs considered. The 2015 survey indicates an improvement in level of preparedness, with 79 percent of those who consider their enterprises very likely to be targeted by an APT reporting that adjustments have been made to their incident response plans (figure 14). This represents an increase of 9 percentage points over the 2014 survey. Unfortunately, the same attention is not being applied to awareness training. Overall, 56 percent of respondents report that their enterprises have not increased awareness training relative to APTs; however, this is a significant improvement from 2014 when 67 percent stated they had not increased APT-related awareness training. The percentages improve slightly for enterprises that are considered very likely or likely targets of an APT, but even in these cases, less than half are increasing awareness training (figure 15). This statistic is troubling as targeted spear phishing and web browsers are attack vectors that could possibly be mitigated with well-trained staff. Although enterprises characterized as very likely targets for an APT are enjoying increased security budgets and policy enforcement, all enterprises, regardless of perceived likelihood of APT attack, seem to be benefitting from a significant level of visible support from senior executives. Correlation Between Likelihood of Attack and Adjustment of Incident Response Plans FIGURE 14 0% 80% 60% 40% 20% 100% Yes, our incident response plan has been adjusted to address APT considerations. No, our incident response plan has not been adjusted to address APT considerations. VERY LIKELY LIKELY NOT VERY LIKELY NOT AT ALL LIKELY FIGURE 15 0% 80% 60% 40% 20% Yes, my enterprise has increased awareness training. No, my enterprise has not increased awareness training. VERY LIKELY LIKELY NOT VERY LIKELY NOT AT ALL LIKELY
15© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Conclusions Like the 2014 survey, there are many positive findings to celebrate in the 2015 study. Overall, more people are aware of APTs and are making positive changes to increase their protection against them. The survey respondents— security professionals all—seem to be practicing good security management by utilizing a risk-based approach to managing APTs within their enterprises. This is reflected throughout the results as the respondents, who consider their enterprises more likely to experience an APT, report activities that suggest they have adopted a layered approach to managing their enterprise security. In almost all cases, the higher the perceived likelihood of becoming a target, the more consideration is being given to APTs in terms of technology, awareness training, vendor management, incident management and increased attention from executives. This activity and corresponding effort form an excellent base for information protection. However, APTs are still not clearly understood. They are different from traditional threats and need to be addressed differently. A gap in the understanding of what APTs are and how to defend against them remains, as demonstrated by the number of respondents who self-identity as familiar (to some degree) with APTs (67 percent) compared to those who feel that APTs are similar to traditional threats (51 percent). The data also indicate that enterprises have not really changed the ways in which they protect against APTs. The technical controls most often cited as being used to prevent APTs are network perimeter technologies such as firewalls and access lists within routers, as well as anti-malware and antivirus. While these controls are proficient for defending against traditional attacks, they are probably not as well suited for preventing APTs because APTs exploit zero-day threats, which leverage unknown vulnerabilities, and many APTs enter the enterprise through well- designed spear phishing attacks. This indicates that additional controls—and perhaps an increased focus on email security and user education—could be beneficial. Finally, the survey revealed a slight improvement relating to the availability of guidance focused on APTs. In 2014, 75 percent of respondents noted a lack of appropriate guidance; that number decreased to 66 percent in 2015. This improvement can probably be partially attributed to a generally increased level of awareness of APTs, resulting from recent high-profile APT-related attacks. ISACA is doing its part as well to address the marketplace’s need for guidance. ISACA’s Cybersecurity Nexus® (CSX) program provides education, training, certification and professional development—with a concentration on APTs—to support the efforts of professionals and practitioners as they address challenges in cybersecurity. Finally, the survey revealed a slight improvement relating to the availability of guidance focused on APTs. In 2014, 75% of respondents noted a lack of appropriate guidance; that number decreased to 66% in 2015. This improvement can probably be partially attributed to a generally increased level of awareness of APTs, resulting from recent high-profile APT-related attacks. To learn more visit us at www.isaca.org/APT-WP
16© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS ISACA® ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus™ (CSX), a holistic cybersecurity resource, and COBIT® , a business framework to govern enterprise technology. Disclaimer This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome. Readers should apply their own professional judgment to their specific circumstances. 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Phone: +1.847.253.1545 Fax: +1.847.253.1443 Email: info@isaca.org www.isaca.org Provide feedback: www.isaca.org/APT-WP Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center Follow ISACA on Twitter: www.twitter.com/ISACANews Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial Like ISACA on Facebook: www.facebook.com/ISACAHQ
17© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS ACKNOWLEDGMENTS Lead Developer R. “Montana” Williams MA-IOP, CWDP Senior Manager, Cybersecurity Practices ISACA, USA Board of Directors Christos K. Dimitriadis Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, International President Rosemary M. Amato CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands, Vice President Garry J. Barnes CISA, CISM, CGEIT, CRISC, MAICD, Vital Interacts, Australia, Vice President Robert A. Clyde CISM, Clyde Consulting LLC, USA, Vice President Theresa Grafenstine CISA, CGEIT, CRISC, CPA, CIA, CGAP, CGMA, US House of Representatives, USA, Vice President Leonard Ong CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM,CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA,GCIH, GSNA, GCFA, ATD Solution, Singapore, Vice President Andre Pitkowski CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, APIT Consultoria de Informatica Ltd., Brazil, Vice President Eddie Schwartz CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Vice President Gregory T. Grocholski CISA, SABIC, Saudi Arabia, Past International President Tony Hayes CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President Robert E Stroud CGEIT, CRISC, USA, Past International President Zubin Chagpar CISA, CISM, PMP, Amazon Web Services, UK, Director Matt Loeb CAE, ISACA, USA, Director Rajaramiyer Venketaramani Raghu CISA, CRISC, Versatilist Consulting India, Pvt., Ltd., India, Director Jo Stewart-Rattray CISA, CISM, CGEIT, CRISC, FACS CP, BRM Holdich, Australia, Director

Recommended

2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
FireEye, Inc.
 
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't WorkConfirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Michael Davis
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
Eoin Keary
 
CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016 CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016
Bolaji James Bankole CCSS,CEH,MCSA,MCSE,MCP,CCNA,
 
Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015
Marketing Türkiye
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
Joseph DeFever
 

Recommended

2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
FireEye, Inc.
 
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't WorkConfirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Michael Davis
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
Eoin Keary
 
CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016 CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016
Bolaji James Bankole CCSS,CEH,MCSA,MCSE,MCP,CCNA,
 
Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015
Marketing Türkiye
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
Joseph DeFever
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
TechBiz Forense Digital
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
FireEye, Inc.
 
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Phil Legg
 
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDFSeven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Tor Cannady
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
Andreanne Clarke
 
Symantec Intelligence Report - October 2014
Symantec Intelligence Report - October 2014Symantec Intelligence Report - October 2014
Symantec Intelligence Report - October 2014
Symantec
 
M-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security GapM-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security Gap
FireEye, Inc.
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistTop 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Matthew Rosenquist
 
A field guide to insider threat helps manage the risk
A field guide to insider threat helps manage the riskA field guide to insider threat helps manage the risk
A field guide to insider threat helps manage the risk
Priyanka Aash
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
Syed Peer
 
Social Engineering Role in Compromising Information/Network Security
Social Engineering Role in Compromising Information/Network SecuritySocial Engineering Role in Compromising Information/Network Security
Social Engineering Role in Compromising Information/Network Security
Oladotun Ojebode
 
ISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_KukrejaISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_Kukreja
Puneet Kukreja
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
wardell henley
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunities
Luke Fretwell
 
Future of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.RosenquistFuture of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.Rosenquist
Matthew Rosenquist
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
Bill Besse
 
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The BreachFireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye, Inc.
 
Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformation
Nexon Asia Pacific
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
Ankita Ganguly
 
HSBC-News 34
HSBC-News 34HSBC-News 34
HSBC-News 34
John Banos
 
Civil Rights
Civil RightsCivil Rights
Civil Rights
Dustinm97
 

More Related Content

What's hot

Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDFSeven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Tor Cannady
 
Symantec Intelligence Report - October 2014
Symantec Intelligence Report - October 2014Symantec Intelligence Report - October 2014
Symantec Intelligence Report - October 2014
Symantec
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistTop 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Matthew Rosenquist
 
ISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_KukrejaISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_Kukreja
Puneet Kukreja
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunities
Luke Fretwell
 
Future of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.RosenquistFuture of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.Rosenquist
Matthew Rosenquist
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
Bill Besse
 

What's hot (19)

Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
 
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
 
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDFSeven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
 
Symantec Intelligence Report - October 2014
Symantec Intelligence Report - October 2014Symantec Intelligence Report - October 2014
Symantec Intelligence Report - October 2014
 
M-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security GapM-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security Gap
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistTop 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
 
A field guide to insider threat helps manage the risk
A field guide to insider threat helps manage the riskA field guide to insider threat helps manage the risk
A field guide to insider threat helps manage the risk
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Social Engineering Role in Compromising Information/Network Security
Social Engineering Role in Compromising Information/Network SecuritySocial Engineering Role in Compromising Information/Network Security
Social Engineering Role in Compromising Information/Network Security
 
ISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_KukrejaISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_Kukreja
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunities
 
Future of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.RosenquistFuture of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.Rosenquist
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
 
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The BreachFireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
 
Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformation
 

Viewers also liked

Civil Rights
Civil RightsCivil Rights
Civil Rights
Dustinm97
 
Crecimiento del Mercado de
Crecimiento del Mercado deCrecimiento del Mercado de
Crecimiento del Mercado de
FerAcevedo11
 
CV Socrates Freire in English updated
CV Socrates Freire in English updatedCV Socrates Freire in English updated
CV Socrates Freire in English updated
Socrates S
 

Viewers also liked (13)

Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
HSBC-News 34
HSBC-News 34HSBC-News 34
HSBC-News 34
 
Civil Rights
Civil RightsCivil Rights
Civil Rights
 
Өкпе рагы
Өкпе рагыӨкпе рагы
Өкпе рагы
 
Historic Buildings of the 1920s and 1930s in Budapest
Historic Buildings of the 1920s and 1930s in BudapestHistoric Buildings of the 1920s and 1930s in Budapest
Historic Buildings of the 1920s and 1930s in Budapest
 
Crecimiento del Mercado de
Crecimiento del Mercado deCrecimiento del Mercado de
Crecimiento del Mercado de
 
Communication in the real world
Communication in the real worldCommunication in the real world
Communication in the real world
 
Аралар мен құмырсқалар
Аралар мен құмырсқаларАралар мен құмырсқалар
Аралар мен құмырсқалар
 
Curación de--contenidos-cómo-realizarla-y-en-que-te-beneficia
Curación de--contenidos-cómo-realizarla-y-en-que-te-beneficiaCuración de--contenidos-cómo-realizarla-y-en-que-te-beneficia
Curación de--contenidos-cómo-realizarla-y-en-que-te-beneficia
 
Espírito enche a minha vida
Espírito enche a minha vidaEspírito enche a minha vida
Espírito enche a minha vida
 
Xpand for General Assembly Hong Kong
Xpand for General Assembly Hong KongXpand for General Assembly Hong Kong
Xpand for General Assembly Hong Kong
 
CV Socrates Freire in English updated
CV Socrates Freire in English updatedCV Socrates Freire in English updated
CV Socrates Freire in English updated
 
MS Thesis ShashiprakashSingh
MS Thesis ShashiprakashSinghMS Thesis ShashiprakashSingh
MS Thesis ShashiprakashSingh
 

Similar to 2015-advanced-persistent-threat-awareness_whp_eng_1015

Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital LandscapeUnveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
greendigital
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-response
Maciej Buczkowski
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
Jessica Graf
 
Classmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docxClassmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docx
bartholomeocoombs
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
Meg Weber
 
Risk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxRisk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docx
SUBHI7
 
2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk Report2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk Report
Angela Gunn
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
IJNSA Journal
 
Advanced persistent threats (APTs) have been thrust into the spotlig.docx
Advanced persistent threats (APTs) have been thrust into the spotlig.docxAdvanced persistent threats (APTs) have been thrust into the spotlig.docx
Advanced persistent threats (APTs) have been thrust into the spotlig.docx
SALU18
 

Similar to 2015-advanced-persistent-threat-awareness_whp_eng_1015 (20)

Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital LandscapeUnveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-response
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
 
HCA 530, Week 2, Advanced persistent threat healthcare under attack
HCA 530, Week 2, Advanced persistent threat healthcare under attackHCA 530, Week 2, Advanced persistent threat healthcare under attack
HCA 530, Week 2, Advanced persistent threat healthcare under attack
 
Classmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docxClassmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docx
 
Defending Your Institution Against Ransomware Attacks
Defending Your Institution Against Ransomware AttacksDefending Your Institution Against Ransomware Attacks
Defending Your Institution Against Ransomware Attacks
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
 
Risk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxRisk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docx
 
Infosecurity magazine webinar v2
Infosecurity magazine webinar v2Infosecurity magazine webinar v2
Infosecurity magazine webinar v2
 
HP cyber risk report 2015
HP cyber risk report 2015HP cyber risk report 2015
HP cyber risk report 2015
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches
 
University-of-Miami_MEDINA
University-of-Miami_MEDINAUniversity-of-Miami_MEDINA
University-of-Miami_MEDINA
 
2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk Report2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk Report
 
The Security Challenge: What's Next?
The Security Challenge: What's Next?The Security Challenge: What's Next?
The Security Challenge: What's Next?
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
 
Advanced persistent threats (APTs) have been thrust into the spotlig.docx
Advanced persistent threats (APTs) have been thrust into the spotlig.docxAdvanced persistent threats (APTs) have been thrust into the spotlig.docx
Advanced persistent threats (APTs) have been thrust into the spotlig.docx
 
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
 

2015-advanced-persistent-threat-awareness_whp_eng_1015

  • 1. Study Results Advanced persistent threats (APTs) continue to enjoy the spotlight in the wake of their successful use to launch several high-profile data breaches. The fourth in a series of ISACA studies designed to uncover information security professionals’ understanding and opinions of APTs, technical controls, internal incidents, policy adherence and management support, this report reveals positive trends since the 2014 survey. Improvements can be seen in the level of awareness of the unique aspects of APTs and the benefits of addressing them through a variety of countermeasures. A strong correlation clearly exists between the perceived likelihood of an APT attack on the enterprise and the enterprise’s adoption of improved cybersecurity practices. Yet, not all avenues for APT intrusion are fully locked down. Mobile device security is lagging, despite acknowledgment that the “bring your own device” (BYOD) trend increases APT risk, and a preference is seen for technical controls over education and training, even though many successful APT attacks gain entry by manipulating individuals’ innate trust and/or lack of understanding. 2015 Advanced Persistent Threat Awareness— Third Annual www.isaca.org/cyber
  • 2. 2© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Table of Contents Introduction to the Report 03 Defining Advanced Persistent Threats 04 Description of the Population 06 Perspectives on APTs 07 Awareness 07 Direct APT Experience 09 APT Impact on Policies and Practices 11 Conclusions 15 List of Figures Figure 1 Industries of Survey Participants 05 Figure 2 Geographic Distribution 06 Figure 3 Likelihood of APT Attack 06 Figure 4 Familiarity With APT 07 Figure 5 Perception of Nature of APT Threats 07 Figure 6 Degree of Enterprise Risk 08 Figure 7 Enterprise Ability to Deal With an APT Attack 09 Figure 8 Correlation Between Likelihood of and Preparedness for an APT Attack 09 Figure 9 Technical Controls Used to Protect Against APT Attacks 10 Figure 10 Correlation Between Likelihood of APT Attack and Use of Technical Controls 11 Figure 11 Correlation Between Familiarity With APTs and Updating of Third-party Contracts 12 Figure 12 Correlation Between Likelihood of APT Attack and Executive Involvement 13 Figure 13 Correlation Between Likelihood of APT Attack and Executive Actions 13 Figure 14 Correlation Between Likelihood of Attack and Adjustment of Incident Response Plans 14 Figure 15 Correlation Between Likelihood of Attack and Increase in Awareness Training 14
  • 3. 3© 2015 ISACA. All Rights Reserved. Introduction to the Report In 2013, ISACA, in collaboration with Trend Micro® , released its first study on advanced persistent threat (APT) awareness. ISACA’s Guidance and Practices Committee launched the APT Awareness Study to comprehend better how well security professionals understand APTs and identify what is being done to prevent them. The study reported on data collected in 2012 and demonstrated that although APTs had received much market attention, there was still a lack of clarity around what actually defined an APT and how to protect and defend against it. To determine whether the landscape had evolved, ISACA repeated the survey in January 2014 and July 2015. Each year, the survey is distributed to a sample of ISACA member and nonmember security professionals, which includes information security managers in different industries and organizations throughout the world. The sample population consists of current holders of ISACA’s Certified Information Security Manager® (CISM® ) credential and other information security professionals. The 2015 survey, the results of which are reported in this publication, provides an updated view of these professionals’ perceptions of the APT and organizational attitudes about its impact on business operations and economics. The survey, which uses multiple-choice and Likert scale formats, is organized in five sections: • Demographics • APT Awareness • Direct APT Experience • Security Controls, Processes and Responses • APT Impact on Policies and Practices How Secure Is Your Enterprise? Take our free ISACA APT Awareness Survey Quiz and see how well your organization scores on its APT-readiness. Download it now!
  • 4. 4© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS 1 “Cybercrime Will Cost Businesses Over $2 Trillion by 2019, Finds Juniper Research,” PR Newswire, 12 May 2015, www.prnewswire.com/news-releases/cybercrime-will- cost-businesses-over-2-trillion-by-2019-finds-juniper-research-503449791.html 2 Verizon, Verizon 2015 PCI Compliance Report, 2015, www.verizonenterprise.com/pcireport/2015/, 3 FireEye Advanced Threat Report: 2013, https://www2.fireeye.com/advanced-threat-report-2013.html 4 Mandiant, M-Trends 2015: A View From the Front Lines, https://www2.fireeye.com/WEB-2015-MNDT-RPT-M-Trends-2015_LP.html 5 Verizon, Verizon 2015 PCI Compliance Report, www.verizonenterprise.com/pcireport/2015/ Defining Advanced Persistent Threats Every year the damage and costs related to cyberattack multiply at a shocking rate. Major cyberattacks targeting financial, retail, healthcare, government and the entertainment industries have resulted in tens of millions of exposed records, billions spent on remediation and significant damage to many brands. Cybercriminals continue to exploit individuals and enterprises while increasing profits from more than US $300 billion in 2012 to an estimated US $1 trillion in 2014. Juniper Research has predicted that profits will top US $2 trillion in 2019.1 But money is not all the cybercriminals are after. They compound their financial success by stealing sensitive data in espionage attempts. Unfortunately, negative cybersecurity incidents show no signs of decreasing. On the contrary, industry and vendor reports indicate that attacks are on the rise as cybercrime, hacktivism and advanced attacks continue to pester enterprise networks. Admittedly, some progress in defending against cyberattacks has been made: Many preventive controls have emerged that have made it more difficult for those with malicious intent to penetrate networks, and detective controls have helped to identify quickly when a breach does occur. Still, some attacks are very difficult to spot. Efforts to stay ahead of cybercriminals and APTs are not helped by the skills gap that exists in the information security workforce. Current practitioners lack the requisite skills to leverage the technology; understand the threat; and integrate cybersecurity risk management strategies, tools and policies to defend against the APT. The failure or inability to leverage technology and implement strategies based on industry standards and good practices is illustrated by Verizon’s 2015 report on the payment card industry (PCI), which notes that only one in five businesses is compliant with the PCI Data Security Standard (PCI DSS).2 As technology changes and information security tools evolve, so too do the tactics, techniques and procedures of threat actors. Social engineering remains at the center of APT activity to gain footholds into information systems. Early efforts began with phishing, then evolved to spear phishing, and proceeded on to whaling, which often included an attachment or a link that contained malware or an exploit. However, over the past three years APTs have moved on to the Internet as the main attack vector (e.g., web sites, social media and mobile applications). Watering hole (fake web site) attacks have increased in frequency and often use a browser-based, zero-day attack. In fact, recent reports by leading cybersecurity experts have found that web-based attacks outnumber email-based attacks nearly five to one,3 and web applications and point-of-sale systems are leading hacker targets.4,5 Opinions differ on what makes a threat an APT. Some state that APT is just a marketing term; others believe there is no difference between an APT and a traditional threat; yet others say that an APT is a nation-state-sponsored activity that is geared toward political espionage. Which is true? APTs are often seen in nation-state-sponsored attacks (but it is very hard to prove), and they do often use the same attack vectors that traditional threats leverage. However, they also employ different attack methodologies and display different characteristics from those evidenced by traditional threats. Because so many differing opinions of what constitutes an APT exist in the market, ISACA’s planning for the initial study included the realization that it was critical to establish a broadly accepted definition. This definition was retained in the subsequent surveys. ISACA’s definition specifies that APTs are often aimed at the theft of intellectual property (espionage) as opposed to achieving immediate financial gain and are prolonged, stealthy attacks. This wording aligns with the definition used by the US National Institute of Standards and Technology (NIST), which states that an APT is:
  • 5. 5© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.6 This definition provides a good base from which to understand the differences between traditional threats and APTs. Interaction with a command-and-control center, repeated pursuit of objectives, adaptation to defenders, and persistence set APTs apart from the typical attack. There is a “who” behind the APT; it is not just a random spray of malware—someone is specifically targeting the enterprise. The primary purpose of most APTs is to extract information from systems—critical research, enterprise intellectual property, government information or other data. APTs are advanced and stealthy, often possessing the ability to conceal themselves within the enterprise network traffic, interacting just enough to get what they need to accomplish their job. Their facility with disguise and ability to morph when needed can be crippling to security professionals’ attempts to identify or stop them. In addition to their stealth and adaptability, APTs are characterized by their persistence. For example, traditional cyberthreats try to exploit a vulnerability, but often will move on to something less secure if they cannot penetrate their initial target. APTs, on the other hand, do not stop. Their single- minded persistence in pursuing their target and repeated efforts to complete the job they were created to do means they will not go away after one failed attempt. They will make continual attempts until they meet their objective—or until they are mitigated and removed. The people and groups behind APT attacks are determined to achieve success and appropriately resourced to do so. 6 NIST, Special Publication 800-39: Managing Information Security Risk—Organization, Mission, and Information System View, USA, March 2011, http://csrc.nist.gov/ publications/PubsSPs.html#SP 800 Industries of Survey Participants FIGURE 1 WITHIN WHICH OF THE FOLLOWING INDUSTRIES ARE YOU EMPLOYED? Technology Services/Consulting Financial/Banking Government/Military—National/State/Local Telecommunications/Communications Manufacturing/Engineering Insurance Health Care/Medical Miscellaneous Mining/Construction/Petroleum/Agriculture Utilities Transportation Retail/Wholesale/Distribution Education/Student 0% 5% 35% 30% 25% 20% 15% 10% Percentage of Respondents
  • 6. 6© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS IN WHICH OF THE FOLLOWING AREAS DO YOU RESIDE? HOW LIKELY DO YOU FEEL THAT IT IS THAT YOUR ORGANIZATION WILL BE THE TARGET OF AN APT? Description of the Population Because this ongoing study’s purpose is to measure information security characteristics such as understanding of APTs and knowledge of internal controls, internal incidents, policy adherence and management support, the survey population consists of those who deal with those issues every day: professionals with information security responsibilities. The study’s global sample includes those who hold ISACA’s Certified Information Security Manager (CISM) credential and other information security professionals with whom ISACA interacts. For the 2015 survey, SurveyMonkey® (www.surveymonkey. com) was used to collect the data from 661 individuals globally, 96 percent of whom are members of ISACA. Seventeen industries are represented in the study, the most highly represented industry being the technology services and consulting field, in which 32 percent of the respondents work (figure 1). The highest concentration of respondents resides in Europe/ Africa (40 percent), followed by North America (30 percent) (figure 2). Based on these demographic factors, a typical participant can be described as: • An ISACA member • European/African or North American • Working in the technology services/consulting industry or the financial services/banking industry 9 Ponemon Institute, 2014 Global Report on the Cost of Cyber Crime, https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf 10 Bodeau, Deborah J.; Richard Graubart; Cyber Resiliency Engineering Framework, The MITRE Corporation, 2011, www.mitre.org/sites/default/files/pdf/11_4436.pdf Geographic Distribution Likelihood of APT Attack FIGURE 3 Europe/Africa Asia North America Latin America Oceania 40% 30% 19% 6% 5% Likely 52% Very likely 22% Not at all likely 1% Not very likely 25% FIGURE 2
  • 7. 7© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS DO YOU BELIEVE THAT APTS ARE SIMILAR OR UNIQUE TO HISTORICAL THREATS? HOW FAMILIAR ARE YOU WITH APTS? Perspectives on APTs The analysis of the 2015 survey results suggests that there may be a slight regression in level of awareness regarding APTs as compared to the 2014 study. In 2014, 96 percent claimed familiarity with APTs; that figure drops to 94 percent in 2015. The 2015 survey results indicate that 72 percent of respondents believe their organizations have not been targeted by an APT-related attack; while an almost equal number (74 percent) think they will be targeted in the near future (figure 3). It is, of course, possible that the respondents’ stated belief that their organizations have not been targeted may instead reflect a lack of awareness that a breach has already occurred. However, progress is being made on identifying potential breaches before they occur and mitigating their effect quickly. The 2015 study reports a significantly larger percentage of respondents (over previous years’ studies) who are adjusting practices by employing newer technologies, antivirus/malware software, signature management, logging and security awareness/training. These activities are reflected in an expanded awareness of the steps of the APT threat life cycle; three out of four respondents were able to identify all seven steps of the life cycle. All this adds up to improvements in cybersecurity practices. However, the same degree of effort is not being applied to mobile security, as is discussed later in this publication. Awareness Almost one-quarter of the 2015 respondents consider themselves very familiar with APTs, and a total of 94 percent characterize themselves as having at least some familiarity (figure 4). The degree of familiarity appears to be a positive indicator and may contribute to a shift in how APTs are perceived. In 2014, 51 percent of the respondents saw APTs as unique threats, a result that is reversed in 2015, where 51 percent see the APT as similar to traditional threats (figure 5). Familiarity With APT Perception of Nature of APT Threats FIGURE 4 FIGURE 5 Very familiar 22% Familiar 45% Somewhat familiar 27% Not at all familiar 6% Unique 49% Similar to Traditional Threats 51%
  • 8. 8© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS WHAT DO YOU BELIEVE TO BE THE HIGHEST RISK TO YOUR ENTERPRISE ASSOCIATED WITH A SUCCESSFUL APT ATTACK? This may be indicative of the high degree of sophistication demonstrated by current breaches, making all attack methodologies used today appear more advanced (and, therefore, APT-like). Also, many more attacks are now being attributed to nation-state actors, who are known to rely on APT-related tactics, techniques and procedures. Recent breaches have highlighted the APT. Perhaps this higher profile has resulted in blurring the lines between traditional threats and advanced threats, creating confusion in the marketplace. This is troubling because if security professionals do not understand the differences between the threat classes, it follows that they may find it difficult to properly identify, defend against and respond to APTs. Given that a stunning 97 percent of the 2015 respondents report their belief that APTs represent a credible threat to national security and economic stability (up from 92 percent in 2014), the importance of having a clear understanding of APTs is self-evident. Other awareness highlights include: • A growing belief that the use of social networking sites increases the likelihood of a successful APT attack (95 percent in 2015, up from 92 percent in 2014) • A broadly held conviction (89 percent of 2015 respondents) that “bring your own device” (BYOD), combined with rooting (Android manipulation by the owner of the device to gain more access to OS and hardware functions) or jailbreaking (iOS manipulation by the owner of the device to evade vendor limitations), makes a successful APT attack more likely While there is a high level of agreement among the 2015 respondents that APTs are cause for concern, there is less agreement on the biggest risk to the enterprise in the event of a successful APT attack (figure 6). The 2015 respondents agree with the 2014 participants that loss of personally identifiable information is the biggest risk to the enterprise. However, the recent high-profile breaches may be the cause of the 2015 survey participants selecting reputation damage as the second largest risk (24 percent), bumping loss of intellectual property into third place (22 percent in 2015, down from 24 percent in 2014). 2015’s top two issues reverse the positions assigned by the initial study’s (2013) respondents. Degree of Enterprise Risk FIGURE 6 Loss of Personal Information of Employees or Customers 0% 5% 30% 25% 20% 15% 10% Percentage of Respondents Reputational Damage Loss of Intellectual Property Financial Loss (tangible) Contractual Breach (due to the above) or Legal Issues Loss of Availability - i.e., Business Continuity Issues
  • 9. 9© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Direct APT Experience While respondents may have developed risk scenarios of a successful APT attack, most have not yet had to deal with the actuality of an attack. Only 28 percent of respondents report having been subject to an APT attack. Of those, 25 percent are employed in the technology services and consulting field, and 19 percent work in government or military (national/state/local). Additionally, among those who have been subject to attack, 65 percent were able to identify its source. All respondents were asked whether they consider their enterprises prepared to deal with the threat of an APT. There is a significant amount of confidence among respondents that that they do have the ability to detect, respond to, and stop an APT attack (figure 7). It is worth looking further into enterprises’ ability to respond to attack. Respondents were asked to indicate their enterprises’ ability to respond, with the different levels of preparedness specifically defined: “Very prepared” means having a documented and tested plan in place; “Prepared” signifies having an incident management plan, although it does not specifically cover APTs; “Not very prepared” and “Not prepared at all” are clear and are not included in calculating any degree of preparedness. Overall, more than 67 percent of the 2015 respondents believe that they are ready to respond to APT attacks to some degree; this represents a decrease of 7 percentage points from 2014’s statistic of 74 percent. The degrees of preparedness reported are 18 percent in the “very prepared” category and close to 50 percent in the “prepared” category. This leaves 33 percent of respondents not confident that they are prepared to deal with an event triggered by this class of threat. Interesting correlations can be drawn between the perceived likelihood of an enterprise being subject to attack and its degree of preparedness to deal with it. Among the 22 percent of respondents who believe it is “very likely” that their organizations will be the target of an APT attack, only 45 percent consider themselves “very prepared” and 35 percent place themselves in the “prepared” category (figure 8). Combining the two groups reveals that 80 percent of those who characterize their enterprise as “very likely” to be targeted are prepared—to some degree—to deal with APTs (up from 75 percent in 2014). Likewise, those who identify their enterprises as “likely” targets (52 percent) Correlation Between Likelihood of and Preparedness for an APT Attack Very likely Likely Not very likely Not at all likely Very Prepared— Documented and Tested Plan in Place 45% 15% 2% 0% Prepared—Incident Management Exists but Does Not Cover APT 35% 58% 46% 29% Not Very Prepared 18% 25% 49% 57% Not Prepared at All 2% 2% 4% 14% Total 22% 51% 26% 1% Enterprise Ability to Deal With an APT Attack FIGURE 7 FIGURE 8 60% 40% 20% 0% DETECT APT ATTACKS RESPOND TO APT ATTACKS STOP A SUCCESSFUL ATTACK VERY ABLE ABLE NOT ABLE NOT AT ALL ABLE
  • 10. 10© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS WHICH SPECIFIC CONTROLS IS YOUR ENTERPRISE USING TO PROTECT SENSITIVE DATA FROM APT ATTACKS? believe they, too, are ready to deal with an attack, with 15 percent considering themselves “very prepared” and 59 percent claiming to be “prepared.” While the total “prepared” percentage for this group (74 percent) is not as high as the “very likely” group, this population has a lower likelihood expectation of attack as well. The correspondence between likelihood and preparation continues in the lower likelihood categories. Among those who categorize their enterprises as “not very likely” targets of an APT, only 48 percent report feeling prepared for an attack to some extent. Of the group that considers its enterprises “not at all likely” to be subject to attack, only 29 percent claim to be prepared for attack (figure 8). Regardless of the degree of preparedness, it is clear that at least some controls and countermeasures are in place on which the respondents are relying to address an APT attack. What approaches are being used? Enterprises seem to be taking a risk-based approach to planning for an APT. As has been previously noted, nearly three-quarters of respondents indicate their belief that their enterprise is likely to be targeted for an APT attack; controls in the enterprises represented by these respondents are more prevalent than in the enterprises not characterized as highly likely to become an APT target. This is true not only of technical controls. Throughout the study, there is a significant correlation between the respondents who believe that their enterprises will be targeted by an APT and those who have adjusted components in the security program (such as awareness training and incident response plans) to prepare for potential attack from an APT. Respondents are leveraging a variety of preventive, detective and investigative controls to help reduce the likelihood of a successful breach. A very high percentage of those surveyed (95 percent) report that they are using antivirus and anti- malware and/or traditional network perimeter technologies (to thwart APTs), but critical controls for mobile devices, remote access technologies (RATs), sandboxing and endpoint control are much less prevalent (figure 9). Technical Controls Used to Protect Against APT Attacks FIGURE 9 0% 60% 40% 20% Percentage of Respondents 80% 100% Antivirus, Anti-malware Network Technologies (firewalls, routers,switches, etc.) Log Monitoring/Event Correlation IPS (signature/abnormal event detection and prevention based controls) User Security Training & Controls (IDM, password, awareness training, etc.) Network Segregation (zoning off) Endpoint Control Remote Access Technologies Mobile Security Gateways Sandboxes (environment with limited functionality used to test untrusted code) Mobile Anti-malware Controls
  • 11. 11© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS In addition to these technical controls, 73 percent of respondents (up 4 percentage points from 2014) are using training and education to help prevent against attacks such as spear phishing and social engineering, which specifically attempt to exploit the human factor. It is clear that a correlation exists between perceived likelihood of APT attack and degree of preparation to deal with the attack. A similar degree of alignment can be found between likelihood of APT attack and usage of more technical controls (figure 10). Educational training is also more prevalent as a defense within enterprises considered very likely to become targets. While it is a positive sign that a higher level of perceived likelihood of an APT breach correlates to the increased use of technical and educational controls, it is concerning that network perimeter technologies and antivirus and anti-malware top the list of controls used because APTs have been shown to leverage zero-day vulnerabilities, which render tools that look for known signatures and vulnerabilities irrelevant. As was noted previously in this publication, 88 percent of respondents recognize that BYOD, combined with rooting and jailbreaking, is significant in increasing the likelihood of an attack. Given this awareness, it is surprising to see that mobile security reflects such low usage to help defend against APTs. APT Impact on Policies and Practices The threat of APT attack calls for many defensive approaches, among them technical controls, IT/cybersecurity workforce training and certification, changes in human resource awareness training, and updates to third-party agreements. Additional considerations examined in the survey are the effect of APT threats on enterprise policies and the practices and attitudes of executive management toward cybersecurity initiatives. Nearly two-thirds of the survey participants (62 percent) indicate that their organizational leadership is becoming more involved in cybersecurity-related activities and 80 percent see a visible increase in support by senior management. Ninety percent of the respondents’ organizations now include cybersecurity in their organizational risk management strategy. Correlation Between Likelihood of APT Attack and Use of Technical Controls FIGURE 10 Very likely Likely Not very likely Not likely at all Total IPS (signature/abnormal event detection and prevention-based controls) 25% 53% 21% 1% 77% Antivirus, Anti-malware 22% 52% 25% 1% 95% Network Technologies (firewalls, routers, switches, etc.) 23% 51% 25% 1% 93% Network Segregation (zoning off) 24% 53% 21% 2% 73% Sandboxes (environment with limited functionality used to test untrusted code) 32% 52% 15% 1% 35% Log Monitoring/Event Correlation 25% 51% 22% 1% 75% Remote Access Technologies 24% 50% 25% 1% 59% End-point Control 25% 50% 24% 1% 64% Mobile Security Gateway 30% 51% 18% 1% 37% Mobile Anti-malware Controls 32% 51% 16% 1% 26% User Security Training and Controls (IDM, password, awareness training, etc.) 24% 53% 22% 1% 74% Total Respondents 122 279 133 7 541
  • 12. 12© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Vendor Management Vendor management is an important factor in protecting outsourced data. Therefore, the study examined ongoing relationships with third parties to see whether enterprises are adjusting contract language or service level agreements (SLAs) to ensure that third parties are practicing due diligence to protect themselves from APTs and to require financial restitution in the event that—despite controls—they are breached, resulting in damage to the customer. Overall, 75 percent of respondents have not updated agreements with third parties for protection against APTs. While this is a disturbing statistic, especially in light of the numerous high-profile data breaches that have resulted from attacks that first targeted vendors supporting larger organizations, it does represent an improvement, albeit a negligible one, over the 2014 survey, in which 76 percent reported that they had not adjusted third-party agreements. The percentage improves slightly when cross-referenced with the degree of familiarity with APTs, as illustrated in figure 11. One-third of the respondents who indicate they are very familiar with APTs have updated their third-party contracts to address APTs, a figure that drops to only 19 percent among those who describe themselves as having no familiarity with APTs. Overall, 75 percent of respondents have not updated agreements with third parties for protection against APTs. Correlation Between Familiarity With APTs and Updating of Third-party Contracts FIGURE 11 0% 80% 60% 40% 20% 100% VERY FAMILIAR FAMILIAR SOMEWHAT FAMILIAR NOT AT ALL FAMILIAR Yes, we have updated our third-party contract language to address APTs. No, we have not updated our third-party contract language to address APTs.
  • 13. 13© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Executive Involvement Given the increased attention that APTs have received in recent years, it might be expected that executives would become more involved in cybersecurity activities. Survey respondents were asked to indicate whether they note a change in executive activity within their enterprises. In a similar fashion to other findings in the study, there is a correlation between the perceived likelihood of the enterprise being an APT target and the level of executive involvement, with more likely targets reflecting increased executive involvement and less likely targets showing less executive engagement (figure 12). Those who indicated seeing increased executive involvement in security initiatives were asked the types of specific actions in which executives are engaging. Results indicate security budgets have increased (53 percent of respondents); the majority (80 percent) reported seeing increased visible support from senior executives, while 61 percent noted increased policy enforcement. When the responses are filtered according to the likelihood of the enterprise being targeted by APTs, the numbers shift (figure 13). Results indicate security budgets have increased (53% of respondents); the majority (80%) reported seeing increased visible support from senior executives, while 61% noted increased policy enforcement. Correlation Between Likelihood of APT Attack and Executive Involvement FIGURE 12 0% 80% 60% 40% 20% VERY LIKELY LIKELY NOT VERY LIKELY NOT AT ALL LIKELY Yes, executive leadership demonstrates increased involvement in cybersecurity activities. No, executive leadership does not demonstrate increased involvement in cybersecurity activities. Correlation Between Likelihood of APT Attack and Executive Actions FIGURE 13 0% 80% 60% 40% 20% 100% INCREASED SECURITY BUDGETS INCREASED VISIBLE SUPPORT FROM EXECUTIVE LEADERSHIP INCREASED SECURITY POLICY ENFORCEMENT VERY LIKELY LIKELY NOT VERY LIKELY NOT AT ALL LIKELY
  • 14. 14© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Correlation Between Likelihood of APT Attack and Increase in Awareness Training Although enterprises characterized as very likely targets for an APT are enjoying increased security budgets and policy enforcement, all enterprises, regardless of perceived likelihood of APT attack, seem to be benefitting from a significant level of visible support from senior executives. Incident Management and Awareness Training Managing a successful APT attack is not always as easy as removing the violating threat. Many APTs are adaptable and have the ability to change to suit the circumstances. Typical incident response plans designed to stop and remediate might not be suitable for APTs; the plans should be reviewed and incorporation of specific provisions for APTs considered. The 2015 survey indicates an improvement in level of preparedness, with 79 percent of those who consider their enterprises very likely to be targeted by an APT reporting that adjustments have been made to their incident response plans (figure 14). This represents an increase of 9 percentage points over the 2014 survey. Unfortunately, the same attention is not being applied to awareness training. Overall, 56 percent of respondents report that their enterprises have not increased awareness training relative to APTs; however, this is a significant improvement from 2014 when 67 percent stated they had not increased APT-related awareness training. The percentages improve slightly for enterprises that are considered very likely or likely targets of an APT, but even in these cases, less than half are increasing awareness training (figure 15). This statistic is troubling as targeted spear phishing and web browsers are attack vectors that could possibly be mitigated with well-trained staff. Although enterprises characterized as very likely targets for an APT are enjoying increased security budgets and policy enforcement, all enterprises, regardless of perceived likelihood of APT attack, seem to be benefitting from a significant level of visible support from senior executives. Correlation Between Likelihood of Attack and Adjustment of Incident Response Plans FIGURE 14 0% 80% 60% 40% 20% 100% Yes, our incident response plan has been adjusted to address APT considerations. No, our incident response plan has not been adjusted to address APT considerations. VERY LIKELY LIKELY NOT VERY LIKELY NOT AT ALL LIKELY FIGURE 15 0% 80% 60% 40% 20% Yes, my enterprise has increased awareness training. No, my enterprise has not increased awareness training. VERY LIKELY LIKELY NOT VERY LIKELY NOT AT ALL LIKELY
  • 15. 15© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS Conclusions Like the 2014 survey, there are many positive findings to celebrate in the 2015 study. Overall, more people are aware of APTs and are making positive changes to increase their protection against them. The survey respondents— security professionals all—seem to be practicing good security management by utilizing a risk-based approach to managing APTs within their enterprises. This is reflected throughout the results as the respondents, who consider their enterprises more likely to experience an APT, report activities that suggest they have adopted a layered approach to managing their enterprise security. In almost all cases, the higher the perceived likelihood of becoming a target, the more consideration is being given to APTs in terms of technology, awareness training, vendor management, incident management and increased attention from executives. This activity and corresponding effort form an excellent base for information protection. However, APTs are still not clearly understood. They are different from traditional threats and need to be addressed differently. A gap in the understanding of what APTs are and how to defend against them remains, as demonstrated by the number of respondents who self-identity as familiar (to some degree) with APTs (67 percent) compared to those who feel that APTs are similar to traditional threats (51 percent). The data also indicate that enterprises have not really changed the ways in which they protect against APTs. The technical controls most often cited as being used to prevent APTs are network perimeter technologies such as firewalls and access lists within routers, as well as anti-malware and antivirus. While these controls are proficient for defending against traditional attacks, they are probably not as well suited for preventing APTs because APTs exploit zero-day threats, which leverage unknown vulnerabilities, and many APTs enter the enterprise through well- designed spear phishing attacks. This indicates that additional controls—and perhaps an increased focus on email security and user education—could be beneficial. Finally, the survey revealed a slight improvement relating to the availability of guidance focused on APTs. In 2014, 75 percent of respondents noted a lack of appropriate guidance; that number decreased to 66 percent in 2015. This improvement can probably be partially attributed to a generally increased level of awareness of APTs, resulting from recent high-profile APT-related attacks. ISACA is doing its part as well to address the marketplace’s need for guidance. ISACA’s Cybersecurity Nexus® (CSX) program provides education, training, certification and professional development—with a concentration on APTs—to support the efforts of professionals and practitioners as they address challenges in cybersecurity. Finally, the survey revealed a slight improvement relating to the availability of guidance focused on APTs. In 2014, 75% of respondents noted a lack of appropriate guidance; that number decreased to 66% in 2015. This improvement can probably be partially attributed to a generally increased level of awareness of APTs, resulting from recent high-profile APT-related attacks. To learn more visit us at www.isaca.org/APT-WP
  • 16. 16© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS ISACA® ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus™ (CSX), a holistic cybersecurity resource, and COBIT® , a business framework to govern enterprise technology. Disclaimer This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome. Readers should apply their own professional judgment to their specific circumstances. 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Phone: +1.847.253.1545 Fax: +1.847.253.1443 Email: info@isaca.org www.isaca.org Provide feedback: www.isaca.org/APT-WP Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center Follow ISACA on Twitter: www.twitter.com/ISACANews Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial Like ISACA on Facebook: www.facebook.com/ISACAHQ
  • 17. 17© 2015 ISACA. All Rights Reserved. 2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL STUDY RESULTS ACKNOWLEDGMENTS Lead Developer R. “Montana” Williams MA-IOP, CWDP Senior Manager, Cybersecurity Practices ISACA, USA Board of Directors Christos K. Dimitriadis Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, International President Rosemary M. Amato CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands, Vice President Garry J. Barnes CISA, CISM, CGEIT, CRISC, MAICD, Vital Interacts, Australia, Vice President Robert A. Clyde CISM, Clyde Consulting LLC, USA, Vice President Theresa Grafenstine CISA, CGEIT, CRISC, CPA, CIA, CGAP, CGMA, US House of Representatives, USA, Vice President Leonard Ong CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM,CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA,GCIH, GSNA, GCFA, ATD Solution, Singapore, Vice President Andre Pitkowski CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, APIT Consultoria de Informatica Ltd., Brazil, Vice President Eddie Schwartz CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Vice President Gregory T. Grocholski CISA, SABIC, Saudi Arabia, Past International President Tony Hayes CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President Robert E Stroud CGEIT, CRISC, USA, Past International President Zubin Chagpar CISA, CISM, PMP, Amazon Web Services, UK, Director Matt Loeb CAE, ISACA, USA, Director Rajaramiyer Venketaramani Raghu CISA, CRISC, Versatilist Consulting India, Pvt., Ltd., India, Director Jo Stewart-Rattray CISA, CISM, CGEIT, CRISC, FACS CP, BRM Holdich, Australia, Director