Persistent Threat
Awareness
Third Annual
Study Results
Advanced persistent threats (APTs) continue to enjoy the spotlight in the
wake of their successful use to launch several high-profile data breaches. The
fourth in a series of ISACA studies designed to uncover information security
professionals' understanding and opinions of APTs, technical controls, internal
incidents, policy adherence and management support, this report reveals
positive trends since the 2014 survey. Improvements can be seen in the level
of awareness of the unique aspects of APTs and the benefits of addressing
them through a variety of countermeasures. A strong correlation clearly exists
between the perceived likelihood of an APT attack on the enterprise and the
enterprise's adoption of improved cybersecurity practices. Yet, not all avenues
for APT intrusion are fully locked down. Mobile device security is lagging, despite
acknowledgment that the bring your own device (BYOD) trend increases
APT risk, and a preference is seen for technical controls over education and
training, even though many successful APT attacks gain entry by manipulating
individuals' innate trust and/or lack of understanding.
www.isaca.org/cyber
[Figure: Industries of Survey Participants. Categories: Financial/Banking; Government/Military - National/State/Local; Telecommunications/Communications; Manufacturing/Engineering; Insurance; Miscellaneous; Health Care/Medical; Mining/Construction/Petroleum/Agriculture; Education/Student; Utilities; Transportation; Retail/Wholesale/Distribution. Axis: Percentage of Respondents.]
Description of the Population
[Figure: Geographic Distribution. Question: In which of the following areas do you reside? Regions: Latin America; North America; Asia; Oceania; Europe/Africa.]
[Figure: caption not recovered. Surviving labels: An ISACA member; Very likely 22%; Likely 52%; Not very likely 25%; 1% (label missing).]
Perspectives on APTs
[Figure 4: familiarity with APTs. Very familiar 22%; Familiar 45%; Somewhat familiar 27%; Not at all familiar 6%.]
Awareness
Almost one-quarter of the 2015 respondents consider
themselves very familiar with APTs, and a total of 94 percent
characterize themselves as having at least some familiarity
(figure 4).
The degree of familiarity appears to be a positive indicator
and may contribute to a shift in how APTs are perceived. In
2014, 51 percent of the respondents saw APTs as unique
threats, a result that is reversed in 2015, where 51 percent
see the APT as similar to traditional threats (figure 5).
[Figure 5: Perception of Nature of APT Threats. Similar to Traditional Threats 51%; Unique 49%.]
[Figure: caption not recovered. Surviving label: Reputational Damage. Axis: Percentage of Respondents.]
[Figure: caption not recovered. Surviving labels: Detect APT attacks; Respond to APT attacks; Stop a successful attack. Response levels: Very able; Able; Not able.]

Figure: Correlation Between Likelihood of and Preparedness for an APT Attack

| Preparedness | Very likely | Likely | Not very likely | Not at all likely |
|---|---|---|---|---|
| Very Prepared: Documented and Tested Plan in Place | 45% | 15% | 2% | 0% |
| Prepared: Incident Management Exists but Does Not Cover APT | 35% | 58% | 46% | 29% |
| (row label missing) | 18% | 25% | 49% | 57% |
| (row label missing) | 2% | 2% | 4% | 14% |
| Total | 22% | 51% | 26% | 1% |
[Figure: caption not recovered. Categories: Antivirus, Anti-malware; Network Technologies (firewalls, routers, switches, etc.); Log Monitoring/Event Correlation; IPS (signature/abnormal event detection and prevention based controls); User Security Training & Controls (IDM, password, awareness training, etc.). Axis: Percentage of Respondents.]
Figure 10 (caption not recovered)

| Control | Very likely | Likely | Not very likely | Not likely at all | Total |
|---|---|---|---|---|---|
| IPS (signature/abnormal event detection and prevention-based controls) | 25% | 53% | 21% | 1% | 77% |
| Antivirus, Anti-malware | 22% | 52% | 25% | 1% | 95% |
| Network Technologies (firewalls, routers, switches, etc.) | 23% | 51% | 25% | 1% | 93% |
| Network Segregation (zoning off) | 24% | 53% | 21% | 2% | 73% |
| Sandboxes (environment with limited functionality used to test untrusted code) | 32% | 52% | 15% | 1% | 35% |
| Log Monitoring/Event Correlation | 25% | 51% | 22% | 1% | 75% |
| Remote Access Technologies | 24% | 50% | 25% | 1% | 59% |
| End-point Control | 25% | 50% | 24% | 1% | 64% |
| (row label missing) | 30% | 51% | 18% | 1% | 37% |
| Mobile Anti-malware Controls | 32% | 51% | 16% | 1% | 26% |
| (row label missing) | 24% | 53% | 22% | 1% | 74% |
| Total Respondents | 122 | 279 | 133 | (value missing) | 541 |
Vendor Management
Vendor management is an important factor in protecting
outsourced data. Therefore, the study examined ongoing
relationships with third parties to see whether enterprises
are adjusting contract language or service level agreements
(SLAs) to ensure that third parties are practicing due diligence
to protect themselves from APTs and to require financial
restitution in the event that, despite controls, they are
breached, resulting in damage to the customer.
Overall, 75 percent of respondents have not updated
agreements with third parties for protection against APTs. While
this is a disturbing statistic, especially in light of the numerous
high-profile data breaches that have resulted from attacks
that first targeted vendors supporting larger organizations,
it does represent an improvement, albeit a negligible one,
over the 2014 survey, in which 76 percent reported that they
had not adjusted third-party agreements. The percentage
improves slightly when cross-referenced with the degree of
familiarity with APTs, as illustrated in figure 11. One-third of
the respondents who indicate they are very familiar with APTs
have updated their third-party contracts to address APTs, a
figure that drops to only 19 percent among those who describe
themselves as having no familiarity with APTs.
[Figure 11: respondents answering "Yes, we have updated our third-party contract language to address APTs," by familiarity with APTs. Surviving categories: Very familiar; Familiar; Not at all familiar.]
Executive Involvement
Given the increased attention that APTs have received in
recent years, it might be expected that executives would
become more involved in cybersecurity activities. Survey
respondents were asked to indicate whether they note
a change in executive activity within their enterprises. In
a similar fashion to other findings in the study, there is a
correlation between the perceived likelihood of the enterprise
being an APT target and the level of executive involvement,
with more likely targets reflecting increased executive
involvement and less likely targets showing less executive
engagement (figure 12).
Those who indicated seeing increased executive involvement
in security initiatives were asked the types of specific actions
in which executives are engaging. Results indicate security
budgets have increased (53 percent of respondents); the
majority (80 percent) reported seeing increased visible
support from senior executives, while 61 percent noted
increased policy enforcement.
When the responses are filtered according to the likelihood
of the enterprise being targeted by APTs, the numbers shift
(figure 13).
[Figure 12: respondents answering "Yes, executive leadership demonstrates increased involvement in cybersecurity activities," by perceived likelihood of an APT attack. Surviving categories: Very likely; Likely.]
[Figure 13: Correlation Between Likelihood of APT Attack and Executive Actions. Actions: Increased security budgets; Increased visible support from executive leadership; Increased security policy enforcement. Surviving categories: Very likely; Likely.]
[Figures 14 and 15: captions partly recovered. Surviving caption: Correlation Between Likelihood of APT Attack and Increase in Awareness Training. Surviving labels: "No, my enterprise has not increased awareness training."; Likely; Not very likely.]
Conclusions
Like the 2014 survey, there are many
positive findings to celebrate in the
2015 study. Overall, more people are
aware of APTs and are making positive
changes to increase their protection
against them. The survey respondents,
security professionals all, seem to be
practicing good security management
by utilizing a risk-based approach to
managing APTs within their enterprises.
This is reflected throughout the results
as the respondents, who consider their
enterprises more likely to experience
an APT, report activities that suggest
they have adopted a layered approach
to managing their enterprise security. In
almost all cases, the higher the perceived
likelihood of becoming a target, the
more consideration is being given to
APTs in terms of technology, awareness
training, vendor management, incident
management and increased attention
from executives. This activity and
corresponding effort form an excellent
base for information protection.
However, APTs are still not clearly
understood. They are different from
traditional threats and need to be
addressed differently. A gap in the
understanding of what APTs are and
how to defend against them remains,
as demonstrated by the number of
respondents who self-identify as
familiar (to some degree) with APTs
(67 percent) compared to those who
feel that APTs are similar to traditional
threats (51 percent).
The data also indicate that enterprises
have not really changed the ways in
ISACA
ISACA (isaca.org) helps global
professionals lead, adapt and assure
trust in an evolving digital world by
offering innovative and world-class
knowledge, standards, networking,
credentialing and career development.
Established in 1969, ISACA is a global
nonprofit association of 140,000
professionals in 180 countries. ISACA
also offers the Cybersecurity Nexus
(CSX), a holistic cybersecurity resource,
and COBIT, a business framework to
govern enterprise technology.
Disclaimer
This is an educational resource and
is not inclusive of all information that
may be needed to assure a successful
outcome. Readers should apply their
own professional judgment to their
specific circumstances.
ACKNOWLEDGMENTS
Lead Developer
R. Montana Williams
MA-IOP, CWDP
Senior Manager, Cybersecurity Practices
ISACA, USA
Board of Directors
Christos K. Dimitriadis
Ph.D., CISA, CISM, CRISC,
INTRALOT S.A., Greece, International
President
Rosemary M. Amato
CISA, CMA, CPA,
Deloitte Touche Tohmatsu Ltd.,
The Netherlands, Vice President
Garry J. Barnes
CISA, CISM, CGEIT, CRISC, MAICD,
Vital Interacts, Australia, Vice President
Robert E Stroud
CGEIT, CRISC,
USA, Past International President
Zubin Chagpar
CISA, CISM, PMP,
Amazon Web Services, UK, Director
Matt Loeb
CAE,
ISACA, USA, Director
Rajaramiyer Venketaramani Raghu
CISA, CRISC,
Versatilist Consulting India, Pvt., Ltd.,
India, Director
Jo Stewart-Rattray
CISA, CISM, CGEIT, CRISC, FACS CP,
BRM Holdich, Australia, Director
Robert A. Clyde
CISM,
Clyde Consulting LLC, USA, Vice President
Theresa Grafenstine
CISA, CGEIT, CRISC, CPA, CIA, CGAP, CGMA,
US House of Representatives, USA, Vice
President
Leonard Ong
CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP,
CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP,
CITBCM, GCIA, GCIH, GSNA, GCFA,
ATD Solution, Singapore, Vice President
Andre Pitkowski
CGEIT, CRISC, OCTAVE,
CRMA, ISO27kLA, ISO31kLA,
APIT Consultoria de Informatica Ltd.,
Brazil, Vice President
Eddie Schwartz
CISA, CISM, CISSP-ISSEP, PMP,
WhiteOps, USA, Vice President
Gregory T. Grocholski
CISA,
SABIC, Saudi Arabia,
Past International President
Tony Hayes
CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA,
Queensland Government, Australia,
Past International President