© 2013 451 Research, LLC. www.451research.com

Enterprise Views of Advanced Persistent Threats

Daniel Kennedy

Page 2

Presenters

Daniel Kennedy – Research Director, Information Security & Networking

Daniel is Research Director for Information Security and Networking at TheInfoPro, a division of 451 Research, where he is responsible for managing all phases of the TIP research process for those two coverage areas. Prior to TheInfoPro he was a Partner in the information security consultancy Praetorian Security, LLC, where he directed strategy on risk assessment and security certification. Before that he was Global Head of Information Security for D.B. Zwirn & Co. as well as Vice President of Application Security and Development Manager at Pershing LLC, a division of the Bank of New York.

Page 3

Demographics

Employee Size
< 100: 1%
100-999: 7%
1,000-4,999: 20%
5,000-10,000: 17%
> 10,000: 55%

Information Security Budget Level
< $500K: 19%
$500K-$999K: 9%
$1M-$1.9M: 13%
$2M-$3.9M: 18%
$4M-$6.9M: 14%
$7M-$9.9M: 4%
$10M-$19.9M: 13%
$20M-$30M: 4%
> $30M: 6%

Enterprise Revenue
< $499.99M: 16%
$500M-$999.99M: 7%
$1B-$4.99B: 29%
$5B-$9.99B: 15%
$10B-$19.99B: 13%
$20B-$29.99B: 7%
$30B-$40B: 4%
> $40B: 9%

Industry Verticals
Financial Services: 24%
Healthcare/Pharmaceuticals: 11%
Consumer Goods/Retail: 11%
Industrial/Manufacturing: 9%
Other: 8%
Services (Business/Accounting/Engineering): 8%
Education: 7%
Telecom/Technology: 7%
Materials/Chemicals: 6%
Energy/Utilities: 5%
Transportation: 3%
Public Sector: 1%

Top Left Chart: n=207; Top Right Chart, n=207; Bottom Left Chart, n=207; Bottom Right Chart, n=141.
Source: Information Security – Wave 16

Page 4

APTs are:

• Adversaries. This is not a piece of arbitrary malware or an arbitrary exploit; it’s a thinking, sentient individual or group.
• Goal-oriented. They have chosen you as their quarry. They will have generic or specific objectives such as intellectual property, and they are results-focused.
• Deliberate. Having chosen their target and objectives, they will often do research and advanced reconnaissance – e.g., identifying which security products you use so they can pre-test to assure non-detection.
• Patient. Once (or rather if) discovered, the adversary is commonly found to have been present for more than six months, unnoticed or undetected.
• Adaptive. They are playing chess, and will use 1..n tools and techniques.
• Persistent. There is a level of target stickiness.

Page 5

• APTs – more sophisticated attackers. I hate to use these buzzwords because every time you do, a kitten dies.
• External threats, any cyber related, APT related. But APT is a term we don't use, the 'A' part, nobody believes methods they're using are advanced, like phishing. We see it as trendy. But we respect what's behind it [the threat].
• The threat landscape. Advanced persistent threats and getting the right technologies in place to deal with these APTs.
• Evaluating the security infrastructure in light of APT – what additional next-gen technologies would provide the greatest coverage without much overlap.
• Mandiant – they have made strides in APTs.
• FireEye for APT; we're exploring this now.

Page 6

APT Targeting

Distinctiveness of Threat
No: 55%
Yes: 45%

Likeliness to Target
Yes: 63%
No: 37%

Left Chart, Q. Do you believe that advanced represent a unique external threat to enterprise security? n=38. Right Chart, Q. Do you believe that your organization has ever been the target of an advanced, persistent adversary? n=30.
Source: Information Security – Wave 16

Page 7

Thoughts on ‘APT’

Marketing: 23%
Advanced Malware: 9%
Critical Industry: 9%
Mobile Device Security: 9%
Overused: 9%
Persistent Attackers: 9%
Advanced Attackers: 5%
Attacker Type: 5%
Cloud-based Security: 5%
Cyberwar: 5%
Ongoing Malicious Access: 5%
State Sponsored: 5%
Stealth: 5%

Q. What are your general thoughts on the term ‘APT’? (2012) n=22.
Source: Information Security – Wave 15

Page 8

“Nothing specific to APTs, just protecting against techniques such as social engineering that would be used in non-APT attacks.”

“I don’t think the term APT is a buzzword and doesn’t really describe anything in particular, but the whole idea of advanced malware is truthfully becoming a problem. It’s very targeted and runs at a low level where it is hard to detect.”

“The human firewall – human behavior – how to moderate and address it. Also, which technologies are hype? I want to know what NOT to waste my time on. APT and DLP come to mind – are they real?”

Page 9

Adaptive Persistent Threats (APTs)

Persistent Attackers: 26%
Advanced Attackers: 24%
Targeted: 13%
Stealthy: 11%
State Sponsored: 8%
Adaptive Attackers: 5%
Marketing: 5%
Uses Zero Day Vulnerabilities: 5%
Constant Threat: 3%

Q. How would you define the term ‘APT’? n=38.
Source: Information Security – Wave 16

Page 10

APT Motivations and Antagonists

Adversary Likeliness
Nation States: 63%
Organized Crime: 26%
Hacktivist Groups: 5%
Cyber Crime: 3%
Individual Hackers: 3%

Motivations
Financial Theft: 71%
Espionage: 50%
Cyber-warfare: 45%
Sabotage: 37%
Hacktivism: 34%
IP Theft: 5%
Intellectual Property: 3%
Terrorism: 3%

Left Chart, Q. Which adversaries do you believe are most likely to be APTs? n=38. Right Chart, Q. What motivations do you associate with APTs? n=38.
Source: Information Security – Wave 16

Page 11

APT Action and Evolution

Response Tactics
Incident Response: 26%
Standard Security Practices: 16%
Everything: 11%
Firewall: 11%
Security Awareness Training: 8%
SIEM: 8%
Continuous Monitoring: 5%
Enterprise Log Management: 5%
Homegrown Solution: 5%
Managed Security Service Provider: 5%
Mandiant: 5%
Nothing: 3%
Web Content Filtering: 3%

Media Propagation / Budget Alterations (top right and bottom right charts)
Yes 34%, No 66%
Yes 42%, No 58%

Left Chart, Q. What is your organization doing to detect and respond to APTs? n=38. Top Right Chart, Q. Do you believe that the discussion of APTs in the media has resulted in greater focus from senior management on security? Bottom Right Chart, Q. Has it resulted in greater budget allocation to security? n=38.
Source: Information Security – Wave 16

Page 12

Internal vs. External Threats
External: 63%
Internal: 37%

Q. Are you more concerned with internal or external threats? n=196.
Source: Information Security – Wave 16

Page 13

Threat Rankings – Personnel Type

Contractors and Temporary Staff: 51%
Technical Staff Elevated Privilege (Including IT Systems Administrators): 39%
Business Unit Staff (Non-IT Technical): 27%
Management/Executive Team: 23%
Outsourced Service Provider Personnel: 22%
Remote Employees: 18%
Business Partners: 17%
Technical Staff Without Elevated Privilege: 7%
Students: 2%
BYOD: 1%
Departing Employees: 1%
Engineers: 1%
Field Workers: 1%
High Ranked Officials: 1%
Hosting Partners: 1%
Overeager: 1%
Programmers: 1%
The Uninformed: 1%
Visitors: 1%

Q. Which of the personnel types below do you consider to be the greatest internal IT security risk to your organization? n=197.
Source: Information Security – Wave 16

Page 14

For access to TheInfoPro’s reports and services, please contact [email protected]. Methodology questions may be addressed to [email protected].

451 Research, a division of The 451 Group, is focused on the business of enterprise IT innovation. The company’s analysts provide critical and timely insight into the competitive dynamics of innovation in emerging technology segments. Business value is delivered via daily concise and insightful published research, periodic deeper-dive reports, data tools, market-sizing research, analyst advisory, and conferences and events. Clients of the company – at vendor, investor, service-provider and end-user organizations – rely on 451 Research’s insight to support both strategic and tactical decision-making.

TheInfoPro, a service of 451 Research, is widely regarded as ‘The Voice of the Customer’, providing independent, ‘real world’ intelligence on key IT sectors including Cloud Computing, Information Security, Networking, Servers and Virtualization, and Storage. Using one-on-one interviews conducted within a proprietary network composed of the world’s largest buyers and users of IT, TheInfoPro provides data and insights that are used for strategic planning, technology benchmarking, competitive analysis, and vendor selection and negotiation.

Reproduction and distribution of this publication, in whole or in part, in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. 451 Research disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although 451 Research may discuss legal issues related to the information technology business, 451 Research does not provide legal advice or services and their research should not be construed or used as such. 451 Research shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

TheInfoPro™ and logo are registered trademarks and property of 451 Research, LLC. © 2013 451 Research, LLC and/or its Affiliates. All Rights Reserved.

WWW.451RESEARCH.COM 20 West 37th Street, 3rd Floor, New York, NY 10018 P 212.672.0010 F 212.688.6598