New study reveals breadth — and apparent success — of the typical advanced persistent threat (APT)-type attack
Advanced persistent threat (APT)-style attacks may be even more pervasive than thought: Organizations have suffered an average of nine such targeted attacks in the past 12 months, a new study finds.
Even more chilling: Nearly half of those organizations say the attackers successfully stole confidential or sensitive information from their internal networks, according to a new report by the Ponemon Institute called “The State of Advanced Persistent Threats,” which was commissioned by Trusteer. Ponemon surveyed 755 IT and IT security professionals who have had firsthand experience with prevention or detection of targeted attacks on their organizations.
In line with previous reports from other sources, Ponemon found that it took victim organizations painfully long periods of time to even discover they had been hit by these attacks. On average, these attacks went undiscovered for 225 days — a delay respondents attribute to a lack of sufficient endpoint security tools and lean internal resources. According to the Verizon Data Breach Investigations Report (DBIR) released in August, organizations typically don’t discover that they’ve been breached for months and even years after the fact — and nearly 70 percent of them learn from a third party.
But in a dramatic shift from the Verizon report, the new Ponemon study found that most organizations say they are seeing a decline in “opportunistic” or random, nontargeted attacks and an increase in targeted ones. Some 67 percent say opportunistic attacks have not increased in the past 12 months, while 48 percent say targeted attacks have either rapidly increased or increased in the same period. The survey defines opportunistic attacks as those where the attackers “have a general idea of what or whom they want to compromise” and only hack them if they encounter exploitable vulnerabilities. “In contrast, targeted attacks are those in which attackers specifically choose their target and do not give up until this target is compromised,” according to the report.
Verizon’s DBIR, meanwhile, found that 75 percent of all confirmed data breaches last year were the result of financially motivated cyberattacks, while 20 percent were cyberespionage for stealing intellectual property or other information for competitive purposes.
The divergent data here could be a function of organizations becoming more aware of targeted attacks, notes George Tubin, senior security strategist at Trusteer, an IBM company. “As the industry becomes more mature and defining our terms better of what’s opportunistic versus targeted, we’re getting some clarity,” he says.
Cyberespionage actors are getting stealthier, encrypting their malware to evade detection, for example, he says.
Nearly 70 percent of organizations say zero-day malware attacks are their biggest threats, and 93 percent say malware was the method of attack employed by the APT actors who targeted them. Half say those attacks originated via phishing.
Anti-malware and intrusion detection systems (IDS) are mostly no match for exploits and malware, according to the report. Some 76 percent of respondents say exploits and malware got past their AV software, and 72 percent say they got past their IDS.
IDS, IPS, and AV are the top three tools these organizations have in place for detecting targeted attacks. Around 60 percent say opportunistic attacks are easier to prevent than targeted ones, and 46 percent say they are easier to detect.
Java and Adobe Reader — two heavily exploited applications — are the biggest thorns in the sides of organizations when it comes to patching. Some 80 percent say Java is the hardest to keep updated with the latest patches; 72 percent, Reader; and 65 percent, Microsoft Windows. “Sixty-four percent say their company continued to operate one or more of these applications in the production environment knowing that vulnerabilities exist and a viable security patch was available but was not implemented,” the report says. And 73 percent say: “If I could, I would discontinue using Java.”
And not surprisingly, the root of much of the APT trouble in these organizations is lack of budget. Nearly 70 percent say their budgets are inadequate for fighting APTs, and only 31 percent say they have sufficient in-house resources.
Trusteer’s Tubin says the actual number of APT targeted attacks per year, as well as the percentage of successful ones that exfiltrate information, are probably even higher than the Ponemon report shows. “Newer attack techniques that bypass detection technologies are not being picked up,” he says. “This stuff is very stealthy … it sits on the network for a very long time, so it’s very likely these companies have additional APTs going on that they just haven’t discovered yet.”