2015-advanced-persistent-threat-awareness_whp_eng_1015

Study Results
Advanced persistent threats (APTs) continue to enjoy the spotlight in the
wake of their successful use to launch several high-profile data breaches. The
fourth in a series of ISACA studies designed to uncover information security
professionals’ understanding and opinions of APTs, technical controls, internal
incidents, policy adherence and management support, this report reveals
positive trends since the 2014 survey. Improvements can be seen in the level
of awareness of the unique aspects of APTs and the benefits of addressing
them through a variety of countermeasures. A strong correlation clearly exists
between the perceived likelihood of an APT attack on the enterprise and the
enterprise’s adoption of improved cybersecurity practices. Yet, not all avenues
for APT intrusion are fully locked down. Mobile device security is lagging, despite
acknowledgment that the “bring your own device” (BYOD) trend increases
APT risk, and a preference is seen for technical controls over education and
training, even though many successful APT attacks gain entry by manipulating
individuals’ innate trust and/or lack of understanding.
2015 Advanced
Persistent Threat
Awareness—
Third Annual
www.isaca.org/cyber

2© 2015 ISACA. All Rights Reserved.
2015 ADVANCED PERSISTENT THREAT AWARENESS—THIRD ANNUAL
STUDY RESULTS
Table of Contents
Introduction to the Report 03
Defining Advanced Persistent Threats 04
Description of the Population 06
Perspectives on APTs 07
Awareness 07
Direct APT Experience 09
APT Impact on Policies and Practices 11
Conclusions 15
List of Figures
Figure 1 Industries of Survey Participants 05
Figure 2 Geographic Distribution 06
Figure 3 Likelihood of APT Attack 06
Figure 4 Familiarity With APT 07
Figure 5 Perception of Nature of APT Threats 07
Figure 6 Degree of Enterprise Risk 08
Figure 7
Enterprise Ability to Deal
With an APT Attack
09
Figure 8
Correlation Between Likelihood of and
Preparedness for an APT Attack
09
Figure 9
Technical Controls Used to
Protect Against APT Attacks
10
Figure 10
Correlation Between Likelihood of APT
Attack and Use of Technical Controls
11
Figure 11
Correlation Between Familiarity
With APTs and Updating of Third-party
Contracts
12
Figure 12
Attack and Executive Involvement
13
Figure 13
Attack and Executive Actions
13
Figure 14
Correlation Between Likelihood of
Attack and Adjustment of Incident
Response Plans
14
Figure 15
Correlation Between Likelihood of
Attack and Increase in Awareness
Training
14

Introduction to the Report
In 2013, ISACA, in collaboration with Trend Micro®
, released
its first study on advanced persistent threat (APT) awareness.
ISACA’s Guidance and Practices Committee launched the
APT Awareness Study to comprehend better how well security
professionals understand APTs and identify what is being done
to prevent them. The study reported on data collected in 2012
and demonstrated that although APTs had received much market
attention, there was still a lack of clarity around what actually
defined an APT and how to protect and defend against it. To
determine whether the landscape had evolved, ISACA repeated
the survey in January 2014 and July 2015.
Each year, the survey is distributed to a sample of ISACA
member and nonmember security professionals, which includes
information security managers in different industries and
organizations throughout the world. The sample population
consists of current holders of ISACA’s Certified Information
Security Manager®
(CISM®
) credential and other information
security professionals. The 2015 survey, the results of which are
reported in this publication, provides an updated view of these
professionals’ perceptions of the APT and organizational attitudes
about its impact on business operations and economics.
The survey, which uses multiple-choice and Likert scale
formats, is organized in five sections:
• Demographics
• APT Awareness
• Direct APT Experience
• Security Controls, Processes and Responses
• APT Impact on Policies and Practices
How Secure Is Your Enterprise?
Take our free ISACA APT Awareness Survey Quiz and see
how well your organization scores on its APT-readiness.
Download it now!

STUDY RESULTS
1 “Cybercrime Will Cost Businesses Over $2 Trillion by 2019, Finds Juniper Research,” PR Newswire, 12 May 2015, www.prnewswire.com/news-releases/cybercrime-will-
cost-businesses-over-2-trillion-by-2019-finds-juniper-research-503449791.html
2 Verizon, Verizon 2015 PCI Compliance Report, 2015, www.verizonenterprise.com/pcireport/2015/,
3 FireEye Advanced Threat Report: 2013, https://www2.fireeye.com/advanced-threat-report-2013.html
4 Mandiant, M-Trends 2015: A View From the Front Lines, https://www2.fireeye.com/WEB-2015-MNDT-RPT-M-Trends-2015_LP.html
5 Verizon, Verizon 2015 PCI Compliance Report, www.verizonenterprise.com/pcireport/2015/
Defining Advanced Persistent Threats
Every year the damage and costs related to cyberattack multiply
at a shocking rate. Major cyberattacks targeting financial,
retail, healthcare, government and the entertainment industries
have resulted in tens of millions of exposed records, billions
spent on remediation and significant damage to many brands.
Cybercriminals continue to exploit individuals and enterprises
while increasing profits from more than US $300 billion in 2012
to an estimated US $1 trillion in 2014. Juniper Research has
predicted that profits will top US $2 trillion in 2019.1
But money is
not all the cybercriminals are after. They compound their financial
success by stealing sensitive data in espionage attempts.
Unfortunately, negative cybersecurity incidents show no signs
of decreasing. On the contrary, industry and vendor reports
indicate that attacks are on the rise as cybercrime, hacktivism
and advanced attacks continue to pester enterprise networks.
Admittedly, some progress in defending against cyberattacks
has been made: Many preventive controls have emerged that
have made it more difficult for those with malicious intent to
penetrate networks, and detective controls have helped to
identify quickly when a breach does occur. Still, some attacks
are very difficult to spot.
Efforts to stay ahead of cybercriminals and APTs are not
helped by the skills gap that exists in the information security
workforce. Current practitioners lack the requisite skills to
leverage the technology; understand the threat; and integrate
cybersecurity risk management strategies, tools and policies
to defend against the APT. The failure or inability to leverage
technology and implement strategies based on industry
standards and good practices is illustrated by Verizon’s 2015
report on the payment card industry (PCI), which notes that
only one in five businesses is compliant with the PCI Data
Security Standard (PCI DSS).2
As technology changes and information security tools evolve,
so too do the tactics, techniques and procedures of threat
actors. Social engineering remains at the center of APT
activity to gain footholds into information systems.
Early efforts began with phishing, then evolved to spear
phishing, and proceeded on to whaling, which often
included an attachment or a link that contained malware
or an exploit. However, over the past three years APTs
have moved on to the Internet as the main attack vector
(e.g., web sites, social media and mobile applications).
Watering hole (fake web site) attacks have increased in
frequency and often use a browser-based, zero-day attack.
In fact, recent reports by leading cybersecurity experts have
found that web-based attacks outnumber email-based attacks
nearly five to one,3
and web applications and point-of-sale
systems are leading hacker targets.4,5
Opinions differ on what makes a threat an APT. Some state
that APT is just a marketing term; others believe there is no
difference between an APT and a traditional threat; yet others
say that an APT is a nation-state-sponsored activity that is
geared toward political espionage. Which is true? APTs are
often seen in nation-state-sponsored attacks (but it is very hard
to prove), and they do often use the same attack vectors that
traditional threats leverage. However, they also employ different
attack methodologies and display different characteristics from
those evidenced by traditional threats.
Because so many differing opinions of what constitutes an
APT exist in the market, ISACA’s planning for the initial study
included the realization that it was critical to establish a
broadly accepted definition. This definition was retained in the
subsequent surveys. ISACA’s definition specifies that APTs
are often aimed at the theft of intellectual property (espionage)
as opposed to achieving immediate financial gain and are
prolonged, stealthy attacks. This wording aligns with the
definition used by the US National Institute of Standards and
Technology (NIST), which states that an APT is:

STUDY RESULTS
An adversary that possesses sophisticated levels of
expertise and significant resources which allow it to create
opportunities to achieve its objectives by using multiple
attack vectors (e.g., cyber, physical, and deception). These
objectives typically include establishing and extending
footholds within the information technology infrastructure
of the targeted organizations for purposes of exfiltrating
information; undermining or impeding critical aspects of
a mission, program, or organization; or positioning itself
to carry out these objectives in the future. The advanced
persistent threat: (i) pursues its objectives repeatedly over
an extended period of time; (ii) adapts to defenders’ efforts
to resist it; and (iii) is determined to maintain the level of
interaction needed to execute its objectives.6
This definition provides a good base from which to
understand the differences between traditional threats and
APTs. Interaction with a command-and-control center,
repeated pursuit of objectives, adaptation to defenders, and
persistence set APTs apart from the typical attack. There is
a “who” behind the APT; it is not just a random spray
of malware—someone is specifically targeting the
enterprise. The primary purpose of most APTs is to
extract information from systems—critical research,
enterprise intellectual property, government information
or other data. APTs are advanced and stealthy, often
possessing the ability to conceal themselves within the
enterprise network traffic, interacting just enough to get what
they need to accomplish their job. Their facility with disguise
and ability to morph when needed can be crippling to security
professionals’ attempts to identify or stop them.
In addition to their stealth and adaptability, APTs are
characterized by their persistence. For example, traditional
cyberthreats try to exploit a vulnerability, but often will move on
to something less secure if they cannot penetrate their initial
target. APTs, on the other hand, do not stop. Their single-
minded persistence in pursuing their target and repeated
efforts to complete the job they were created to do means
they will not go away after one failed attempt. They will make
continual attempts until they meet their objective—or until
they are mitigated and removed. The people and groups
behind APT attacks are determined to achieve success and
appropriately resourced to do so.
6 NIST, Special Publication 800-39: Managing Information Security Risk—Organization, Mission, and Information System View, USA, March 2011, http://csrc.nist.gov/
publications/PubsSPs.html#SP 800
Industries of Survey
Participants
FIGURE
1
WITHIN WHICH OF THE FOLLOWING INDUSTRIES
ARE YOU EMPLOYED?
Technology Services/Consulting
Financial/Banking
Government/Military—National/State/Local
Telecommunications/Communications
Manufacturing/Engineering
Insurance
Health Care/Medical
Miscellaneous
Mining/Construction/Petroleum/Agriculture
Utilities
Transportation
Retail/Wholesale/Distribution
Education/Student
0%
5%
35%
30%
25%
20%
15%
10%
Percentage of Respondents

STUDY RESULTS
IN WHICH OF THE FOLLOWING AREAS DO YOU RESIDE?
HOW LIKELY DO YOU FEEL THAT IT IS THAT YOUR
ORGANIZATION WILL BE THE TARGET OF AN APT?
Description of the
Population
Because this ongoing study’s purpose is to measure information
security characteristics such as understanding of APTs and
knowledge of internal controls, internal incidents, policy
adherence and management support, the survey population
consists of those who deal with those issues every day:
professionals with information security responsibilities. The
study’s global sample includes those who hold ISACA’s Certified
Information Security Manager (CISM) credential and other
information security professionals with whom ISACA interacts.
For the 2015 survey, SurveyMonkey®
(www.surveymonkey.
com) was used to collect the data from 661 individuals
globally, 96 percent of whom are members of ISACA.
Seventeen industries are represented in the study, the
most highly represented industry being the technology
services and consulting field, in which 32 percent of the
respondents work (figure 1).
The highest concentration of respondents resides in Europe/
Africa (40 percent), followed by North America (30 percent)
(figure 2).
Based on these demographic factors, a typical participant
can be described as:
• An ISACA member
• European/African or North American
• Working in the technology services/consulting industry
or the financial services/banking industry
9
Ponemon Institute, 2014 Global Report on the Cost of Cyber Crime, https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf
10
Bodeau, Deborah J.; Richard Graubart; Cyber Resiliency Engineering Framework, The MITRE Corporation, 2011, www.mitre.org/sites/default/files/pdf/11_4436.pdf
Geographic Distribution
Likelihood of APT Attack
FIGURE
3
Europe/Africa
Asia
North America
Latin America
Oceania
40%
30%
19%
6%
5%
Likely
52%
Very likely
22%
Not at all likely
1%
Not very
likely
25%
FIGURE
2

STUDY RESULTS
DO YOU BELIEVE THAT APTS ARE SIMILAR OR
UNIQUE TO HISTORICAL THREATS?
HOW FAMILIAR ARE YOU WITH APTS?
Perspectives
on APTs
The analysis of the 2015 survey results suggests that there
may be a slight regression in level of awareness regarding
APTs as compared to the 2014 study. In 2014, 96 percent
claimed familiarity with APTs; that figure drops to 94 percent
in 2015.
The 2015 survey results indicate that 72 percent of
respondents believe their organizations have not been
targeted by an APT-related attack; while an almost
equal number (74 percent) think they will be targeted in
the near future (figure 3).
It is, of course, possible that the respondents’ stated belief
that their organizations have not been targeted may instead
reflect a lack of awareness that a breach has already
occurred. However, progress is being made on identifying
potential breaches before they occur and mitigating their
effect quickly. The 2015 study reports a significantly larger
percentage of respondents (over previous years’ studies) who
are adjusting practices by employing newer technologies,
antivirus/malware software, signature management, logging
and security awareness/training. These activities are
reflected in an expanded awareness of the steps of the APT
threat life cycle; three out of four respondents were able to
identify all seven steps of the life cycle. All this adds up to
improvements in cybersecurity practices. However, the same
degree of effort is not being applied to mobile security, as is
discussed later in this publication.
Awareness
Almost one-quarter of the 2015 respondents consider
themselves very familiar with APTs, and a total of 94 percent
characterize themselves as having at least some familiarity
(figure 4).
The degree of familiarity appears to be a positive indicator
and may contribute to a shift in how APTs are perceived. In
2014, 51 percent of the respondents saw APTs as unique
threats, a result that is reversed in 2015, where 51 percent
see the APT as similar to traditional threats (figure 5).
Familiarity With APT
Perception of Nature
of APT Threats
FIGURE
4
FIGURE
5
Very
familiar
22%
Familiar
45%
Somewhat
familiar
27%
Not at all
familiar
6%
Unique
49%
Similar to
Traditional Threats
51%

STUDY RESULTS
WHAT DO YOU BELIEVE TO BE THE HIGHEST RISK TO
YOUR ENTERPRISE ASSOCIATED WITH A SUCCESSFUL
APT ATTACK?
This may be indicative of the high degree of sophistication
demonstrated by current breaches, making all attack
methodologies used today appear more advanced (and,
therefore, APT-like). Also, many more attacks are now being
attributed to nation-state actors, who are known to rely on
APT-related tactics, techniques and procedures.
Recent breaches have highlighted the APT. Perhaps this higher
profile has resulted in blurring the lines between traditional
threats and advanced threats, creating confusion in the
marketplace. This is troubling because if security professionals
do not understand the differences between the threat classes,
it follows that they may find it difficult to properly identify,
defend against and respond to APTs. Given that a stunning 97
percent of the 2015 respondents report their belief that APTs
represent a credible threat to national security and economic
stability (up from 92 percent in 2014), the importance of having
a clear understanding of APTs is self-evident.
Other awareness highlights include:
• A growing belief that the use of social networking sites
increases the likelihood of a successful APT attack (95
percent in 2015, up from 92 percent in 2014)
• A broadly held conviction (89 percent of 2015 respondents)
that “bring your own device” (BYOD), combined with rooting
(Android manipulation by the owner of the device to gain
more access to OS and hardware functions) or jailbreaking
(iOS manipulation by the owner of the device to evade vendor
limitations), makes a successful APT attack more likely
While there is a high level of agreement among the 2015
respondents that APTs are cause for concern, there is less
agreement on the biggest risk to the enterprise in the event of a
successful APT attack (figure 6). The 2015 respondents agree
with the 2014 participants that loss of personally identifiable
information is the biggest risk to the enterprise. However, the
recent high-profile breaches may be the cause of the 2015
survey participants selecting reputation damage as the second
largest risk (24 percent), bumping loss of intellectual property
into third place (22 percent in 2015, down from 24 percent in
2014). 2015’s top two issues reverse the positions assigned by
the initial study’s (2013) respondents.
Degree of Enterprise Risk
FIGURE
6
Loss of Personal Information of Employees or Customers
0%
5%
30%
25%
20%
15%
10%
Reputational Damage
Loss of Intellectual Property
Financial Loss (tangible)
Contractual Breach (due to the above) or Legal Issues
Loss of Availability - i.e., Business Continuity Issues

STUDY RESULTS
Direct APT Experience
While respondents may have developed risk scenarios of a
successful APT attack, most have not yet had to deal with
the actuality of an attack. Only 28 percent of respondents
report having been subject to an APT attack. Of those,
25 percent are employed in the technology services and
consulting field, and 19 percent work in government or
military (national/state/local). Additionally, among those who
have been subject to attack, 65 percent were able to identify
its source.
All respondents were asked whether they consider their
enterprises prepared to deal with the threat of an APT. There
is a significant amount of confidence among respondents
that that they do have the ability to detect, respond to, and
stop an APT attack (figure 7).
It is worth looking further into enterprises’ ability to respond
to attack. Respondents were asked to indicate their
enterprises’ ability to respond, with the different levels of
preparedness specifically defined: “Very prepared” means
having a documented and tested plan in place; “Prepared”
signifies having an incident management plan, although
it does not specifically cover APTs; “Not very prepared”
and “Not prepared at all” are clear and are not included in
calculating any degree of preparedness. Overall, more
than 67 percent of the 2015 respondents believe that
they are ready to respond to APT attacks to some
degree; this represents a decrease of 7 percentage
points from 2014’s statistic of 74 percent. The degrees of
preparedness reported are 18 percent in the “very prepared”
category and close to 50 percent in the “prepared” category.
This leaves 33 percent of respondents not confident that they
are prepared to deal with an event triggered by this class of
threat.
Interesting correlations can be drawn between the perceived
likelihood of an enterprise being subject to attack and
its degree of preparedness to deal with it. Among the 22
percent of respondents who believe it is “very likely” that
their organizations will be the target of an APT attack, only
45 percent consider themselves “very prepared” and 35
percent place themselves in the “prepared” category (figure
8). Combining the two groups reveals that 80 percent of
those who characterize their enterprise as “very likely” to
be targeted are prepared—to some degree—to deal with
APTs (up from 75 percent in 2014). Likewise, those who
identify their enterprises as “likely” targets (52 percent)
Correlation Between
Likelihood of and Preparedness
for an APT Attack
Very
likely
Likely
Not very
likely
Not at all
likely
Very Prepared—
Documented and Tested
Plan in Place
45% 15% 2% 0%
Prepared—Incident
Management Exists but
Does Not Cover APT
35% 58% 46% 29%
Not Very Prepared 18% 25% 49% 57%
Not Prepared at All 2% 2% 4% 14%
Total 22% 51% 26% 1%
Enterprise Ability to Deal
With an APT Attack
FIGURE
7
FIGURE
8
60%
40%
20%
0%
DETECT
APT ATTACKS
RESPOND TO
APT ATTACKS
STOP A
SUCCESSFUL
ATTACK
VERY ABLE ABLE NOT ABLE NOT AT ALL ABLE

STUDY RESULTS
WHICH SPECIFIC CONTROLS IS YOUR ENTERPRISE USING TO PROTECT SENSITIVE DATA FROM APT ATTACKS?
believe they, too, are ready to deal with an attack, with 15
percent considering themselves “very prepared” and 59
percent claiming to be “prepared.” While the total “prepared”
percentage for this group (74 percent) is not as high as the
“very likely” group, this population has a lower likelihood
expectation of attack as well.
The correspondence between likelihood and preparation
continues in the lower likelihood categories. Among those who
categorize their enterprises as “not very likely” targets of an
APT, only 48 percent report feeling prepared for an attack to
some extent. Of the group that considers its enterprises “not
at all likely” to be subject to attack, only 29 percent claim to be
prepared for attack (figure 8).
Regardless of the degree of preparedness, it is clear that at
least some controls and countermeasures are in place on
which the respondents are relying to address an APT attack.
What approaches are being used?
Enterprises seem to be taking a risk-based approach to
planning for an APT. As has been previously noted, nearly
three-quarters of respondents indicate their belief that their
enterprise is likely to be targeted for an APT attack; controls
in the enterprises represented by these respondents are more
prevalent than in the enterprises not characterized as highly
likely to become an APT target. This is true not only of technical
controls. Throughout the study, there is a significant correlation
between the respondents who believe that their enterprises
will be targeted by an APT and those who have adjusted
components in the security program (such as awareness
training and incident response plans) to prepare for potential
attack from an APT.
Respondents are leveraging a variety of preventive, detective
and investigative controls to help reduce the likelihood of a
successful breach. A very high percentage of those surveyed
(95 percent) report that they are using antivirus and anti-
malware and/or traditional network perimeter technologies (to
thwart APTs), but critical controls for mobile devices, remote
access technologies (RATs), sandboxing and endpoint control
are much less prevalent (figure 9).
Technical Controls Used to Protect Against APT Attacks
FIGURE
9
0%
60%
40%
20%
80%
100%
Antivirus, Anti-malware
Network Technologies (firewalls, routers,switches, etc.)
Log Monitoring/Event Correlation
IPS (signature/abnormal event detection and prevention based controls)
User Security Training & Controls
(IDM, password, awareness training, etc.)
Network Segregation (zoning off)
Endpoint Control
Remote Access Technologies
Mobile Security Gateways
Sandboxes
(environment with limited functionality used to test untrusted code)
Mobile Anti-malware Controls

STUDY RESULTS
In addition to these technical controls, 73 percent of
respondents (up 4 percentage points from 2014) are
using training and education to help prevent against
attacks such as spear phishing and social engineering,
which specifically attempt to exploit the human factor.
It is clear that a correlation exists between perceived likelihood
of APT attack and degree of preparation to deal with the
attack. A similar degree of alignment can be found between
likelihood of APT attack and usage of more technical controls
(figure 10).
Educational training is also more prevalent as a defense
within enterprises considered very likely to become
targets. While it is a positive sign that a higher level of
perceived likelihood of an APT breach correlates to the
increased use of technical and educational controls, it
is concerning that network perimeter technologies and
antivirus and anti-malware top the list of controls used
because APTs have been shown to leverage zero-day
vulnerabilities, which render tools that look for known
signatures and vulnerabilities irrelevant.
As was noted previously in this publication, 88 percent of
respondents recognize that BYOD, combined with rooting
and jailbreaking, is significant in increasing the likelihood of an
attack. Given this awareness, it is surprising to see that mobile
security reflects such low usage to help defend against APTs.
APT Impact on Policies and Practices
The threat of APT attack calls for many defensive approaches,
among them technical controls, IT/cybersecurity workforce
training and certification, changes in human resource
awareness training, and updates to third-party agreements.
Additional considerations examined in the survey are the
effect of APT threats on enterprise policies and the practices
and attitudes of executive management toward cybersecurity
initiatives. Nearly two-thirds of the survey participants
(62 percent) indicate that their organizational leadership
is becoming more involved in cybersecurity-related
activities and 80 percent see a visible increase in support
by senior management. Ninety percent of the respondents’
organizations now include cybersecurity in their organizational
risk management strategy.
Correlation Between Likelihood
of APT Attack and Use of
Technical Controls
FIGURE
10
Very
likely
Likely
Not very
likely
Not
likely at
all
Total
IPS (signature/abnormal
event detection and
prevention-based controls)
25% 53% 21% 1% 77%
Antivirus,
Anti-malware
22% 52% 25% 1% 95%
Network Technologies
(firewalls, routers, switches,
etc.)
23% 51% 25% 1% 93%
Network Segregation
(zoning off)
24% 53% 21% 2% 73%
Sandboxes (environment
with limited functionality used
to test untrusted code)
32% 52% 15% 1% 35%
Log Monitoring/Event
Correlation
25% 51% 22% 1% 75%
Remote Access
Technologies
24% 50% 25% 1% 59%
End-point Control 25% 50% 24% 1% 64%
Mobile Security Gateway 30% 51% 18% 1% 37%
Mobile Anti-malware
Controls
32% 51% 16% 1% 26%
User Security Training
and Controls (IDM,
password, awareness
training, etc.)
24% 53% 22% 1% 74%
Total
Respondents
122 279 133 7 541

STUDY RESULTS
Vendor Management
Vendor management is an important factor in protecting
outsourced data. Therefore, the study examined ongoing
relationships with third parties to see whether enterprises
are adjusting contract language or service level agreements
(SLAs) to ensure that third parties are practicing due diligence
to protect themselves from APTs and to require financial
restitution in the event that—despite controls—they are
breached, resulting in damage to the customer.
Overall, 75 percent of respondents have not updated
agreements with third parties for protection against APTs. While
this is a disturbing statistic, especially in light of the numerous
high-profile data breaches that have resulted from attacks
that first targeted vendors supporting larger organizations,
it does represent an improvement, albeit a negligible one,
over the 2014 survey, in which 76 percent reported that they
had not adjusted third-party agreements. The percentage
improves slightly when cross-referenced with the degree of
familiarity with APTs, as illustrated in figure 11. One-third of
the respondents who indicate they are very familiar with APTs
have updated their third-party contracts to address APTs, a
figure that drops to only 19 percent among those who describe
themselves as having no familiarity with APTs.
Overall, 75 percent of respondents have not
updated agreements with third parties for
protection against APTs.
Correlation Between Familiarity
With APTs and Updating of
Third-party Contracts
FIGURE
11
0%
80%
60%
40%
20%
100%
VERY FAMILIAR FAMILIAR
SOMEWHAT
FAMILIAR
NOT AT
ALL FAMILIAR
Yes, we have updated our
third-party contract
language to address APTs.
No, we have not updated our
third-party contract language
to address APTs.

STUDY RESULTS
Executive Involvement
Given the increased attention that APTs have received in
recent years, it might be expected that executives would
become more involved in cybersecurity activities. Survey
respondents were asked to indicate whether they note
a change in executive activity within their enterprises. In
a similar fashion to other findings in the study, there is a
correlation between the perceived likelihood of the enterprise
being an APT target and the level of executive involvement,
with more likely targets reflecting increased executive
involvement and less likely targets showing less executive
engagement (figure 12).
Those who indicated seeing increased executive involvement
in security initiatives were asked the types of specific actions
in which executives are engaging. Results indicate security
budgets have increased (53 percent of respondents); the
majority (80 percent) reported seeing increased visible
support from senior executives, while 61 percent noted
increased policy enforcement.
When the responses are filtered according to the likelihood
of the enterprise being targeted by APTs, the numbers shift
(figure 13).
Results indicate security budgets have
increased (53% of respondents); the
majority (80%) reported seeing increased
visible support from senior executives, while
61% noted increased policy enforcement.
of APT Attack and Executive
Involvement
FIGURE
12
0%
80%
60%
40%
20%
VERY LIKELY LIKELY NOT VERY LIKELY NOT AT ALL LIKELY
Yes, executive leadership
demonstrates increased
involvement in
cybersecurity activities.
No, executive leadership
does not demonstrate
increased involvement in
cybersecurity activities.
Correlation Between
Likelihood of APT Attack and
Executive Actions
FIGURE
13
0%
80%
60%
40%
20%
100%
INCREASED
SECURITY BUDGETS
INCREASED VISIBLE
SUPPORT FROM
EXECUTIVE
LEADERSHIP
INCREASED
SECURITY POLICY
ENFORCEMENT
VERY LIKELY
LIKELY
NOT VERY LIKELY
NOT AT ALL LIKELY

STUDY RESULTS
Correlation Between
Likelihood of APT Attack and
Increase in Awareness Training
Although enterprises characterized as very likely targets for
an APT are enjoying increased security budgets and policy
enforcement, all enterprises, regardless of perceived likelihood
of APT attack, seem to be benefitting from a significant level
of visible support from senior executives.
Incident Management and Awareness Training
Managing a successful APT attack is not always as easy as
removing the violating threat. Many APTs are adaptable and
have the ability to change to suit the circumstances. Typical
incident response plans designed to stop and remediate
might not be suitable for APTs; the plans should be reviewed
and incorporation of specific provisions for APTs considered.
The 2015 survey indicates an improvement in level of
preparedness, with 79 percent of those who consider
their enterprises very likely to be targeted by an APT
reporting that adjustments have been made to their incident
response plans (figure 14). This represents an increase of 9
percentage points over the 2014 survey.
Unfortunately, the same attention is not being applied to
awareness training. Overall, 56 percent of respondents
report that their enterprises have not increased
awareness training relative to APTs; however, this is
a significant improvement from 2014 when 67 percent
stated they had not increased APT-related awareness
training. The percentages improve slightly for enterprises
that are considered very likely or likely targets of an APT, but
even in these cases, less than half are increasing awareness
training (figure 15). This statistic is troubling as targeted spear
phishing and web browsers are attack vectors that could
possibly be mitigated with well-trained staff.
Although enterprises characterized as
very likely targets for an APT are enjoying
increased security budgets and policy
enforcement, all enterprises, regardless of
perceived likelihood of APT attack, seem
to be benefitting from a significant level of
visible support from senior executives.
of Attack and Adjustment of
Incident Response Plans
FIGURE
14
0%
80%
60%
40%
20%
100%
Yes, our incident response
plan has been adjusted to
address APT considerations.
No, our incident response
plan has not been adjusted to
address APT considerations.
FIGURE
15
0%
80%
60%
40%
20%
Yes, my enterprise has
increased awareness training.
No, my enterprise has not
increased awareness training.

STUDY RESULTS
Conclusions
Like the 2014 survey, there are many
positive findings to celebrate in the
2015 study. Overall, more people are
aware of APTs and are making positive
changes to increase their protection
against them. The survey respondents—
security professionals all—seem to be
practicing good security management
by utilizing a risk-based approach to
managing APTs within their enterprises.
This is reflected throughout the results
as the respondents, who consider their
enterprises more likely to experience
an APT, report activities that suggest
they have adopted a layered approach
to managing their enterprise security. In
almost all cases, the higher the perceived
likelihood of becoming a target, the
more consideration is being given to
APTs in terms of technology, awareness
training, vendor management, incident
management and increased attention
from executives. This activity and
corresponding effort form an excellent
base for information protection.
However, APTs are still not clearly
understood. They are different from
traditional threats and need to be
addressed differently. A gap in the
understanding of what APTs are and
how to defend against them remains,
as demonstrated by the number of
respondents who self-identity as
familiar (to some degree) with APTs
(67 percent) compared to those who
feel that APTs are similar to traditional
threats (51 percent).
The data also indicate that enterprises
have not really changed the ways in
which they protect against APTs. The
technical controls most often cited
as being used to prevent APTs are
network perimeter technologies such as
firewalls and access lists within routers,
as well as anti-malware and antivirus.
While these controls are proficient for
defending against traditional attacks,
they are probably not as well suited
for preventing APTs because APTs
exploit zero-day threats, which leverage
unknown vulnerabilities, and many
APTs enter the enterprise through well-
designed spear phishing attacks. This
indicates that additional controls—and
perhaps an increased focus on email
security and user education—could
be beneficial.
Finally, the survey revealed a slight
improvement relating to the availability
of guidance focused on APTs. In 2014,
75 percent of respondents noted a lack
of appropriate guidance; that number
decreased to 66 percent in 2015. This
improvement can probably be partially
attributed to a generally increased
level of awareness of APTs, resulting
from recent high-profile APT-related
attacks. ISACA is doing its part as well
to address the marketplace’s need
for guidance. ISACA’s Cybersecurity
Nexus®
(CSX) program provides
education, training, certification and
professional development—with a
concentration on APTs—to support
the efforts of professionals and
practitioners as they address
challenges in cybersecurity.
Finally, the survey
revealed a slight
improvement relating
to the availability of
guidance focused on
APTs. In 2014, 75%
of respondents noted
a lack of appropriate
guidance; that number
decreased to 66% in
2015. This improvement
can probably be partially
attributed to a generally
increased level of
awareness of APTs,
resulting from recent
high-profile APT-related
attacks.
To learn more visit us at
www.isaca.org/APT-WP

STUDY RESULTS
ISACA®
ISACA (isaca.org) helps global
professionals lead, adapt and assure
trust in an evolving digital world by
offering innovative and world-class
knowledge, standards, networking,
credentialing and career development.
Established in 1969, ISACA is a global
nonprofit association of 140,000
professionals in 180 countries. ISACA
also offers the Cybersecurity Nexus™
(CSX), a holistic cybersecurity resource,
and COBIT®
, a business framework to
govern enterprise technology.
Disclaimer
This is an educational resource and
is not inclusive of all information that
may be needed to assure a successful
outcome. Readers should apply their
own professional judgment to their
specific circumstances.
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
www.isaca.org
Provide feedback:
www.isaca.org/APT-WP
Participate in the ISACA
Knowledge Center:
www.isaca.org/knowledge-center
Follow ISACA on Twitter:
www.twitter.com/ISACANews
Join ISACA on LinkedIn:
www.linkd.in/ISACAOfficial
Like ISACA on Facebook:
www.facebook.com/ISACAHQ

STUDY RESULTS
ACKNOWLEDGMENTS
Lead Developer
R. “Montana” Williams
MA-IOP, CWDP
Senior Manager, Cybersecurity Practices
ISACA, USA
Board of Directors
Christos K. Dimitriadis
Ph.D., CISA, CISM, CRISC,
INTRALOT S.A., Greece, International
President
Rosemary M. Amato
CISA, CMA, CPA,
Deloitte Touche Tohmatsu Ltd.,
The Netherlands, Vice President
Garry J. Barnes
CISA, CISM, CGEIT, CRISC, MAICD,
Vital Interacts, Australia, Vice President
Robert A. Clyde
CISM,
Clyde Consulting LLC, USA, Vice President
Theresa Grafenstine
CISA, CGEIT, CRISC, CPA, CIA, CGAP, CGMA,
US House of Representatives, USA, Vice
President
Leonard Ong
CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP,
CIPM,CIPT, CISSP ISSMP-ISSAP, CSSLP,
CITBCM, GCIA,GCIH, GSNA, GCFA,
ATD Solution, Singapore, Vice President
Andre Pitkowski
CGEIT, CRISC, OCTAVE,
CRMA, ISO27kLA, ISO31kLA,
APIT Consultoria de Informatica Ltd.,
Brazil, Vice President
Eddie Schwartz
CISA, CISM, CISSP-ISSEP, PMP,
WhiteOps, USA, Vice President
Gregory T. Grocholski
CISA,
SABIC, Saudi Arabia,
Past International President
Tony Hayes
CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA,
Queensland Government, Australia,
Past International President
Robert E Stroud
CGEIT, CRISC,
USA, Past International President
Zubin Chagpar
CISA, CISM, PMP,
Amazon Web Services, UK, Director
Matt Loeb
CAE,
ISACA, USA, Director
Rajaramiyer Venketaramani Raghu
CISA, CRISC,
Versatilist Consulting India, Pvt., Ltd.,
India, Director
Jo Stewart-Rattray
CISA, CISM, CGEIT, CRISC, FACS CP,
BRM Holdich, Australia, Director

2015-advanced-persistent-threat-awareness_whp_eng_1015

More Related Content

What's hot

Viewers also liked

Similar to 2015-advanced-persistent-threat-awareness_whp_eng_1015

2015-advanced-persistent-threat-awareness_whp_eng_1015