ARN

Assessing the APT threat

  • John Dix (Network World)
  • 07 November, 2011 22:28

Do security vendors secretly create the attacks their tools are designed to ward off? Of course not, but that old chestnut hints at a broader suspicion about whether the current state of security is really as bad as the security firms make it out to be, especially when it comes to the latest poster child: advanced persistent threats.

To ascertain just how real the APT threat is, the Enterprise Strategy Group surveyed 244 security professionals in companies with more than 1,000 employees. "When we started this project there was a fair amount of debate about APTs," says Jon Oltsik, a principal analyst at ESG and a Network World blogger. "Was this type of attack real and unique or were APTs nothing more than a marketing term to add an alarming label to pedestrian types of cyber attacks?"

The pros are divided. Some 50% view APTs -- examples of which include Stuxnet, Aurora and Zeus -- as a unique type of threat, while 48% say they are somewhat unique but similar to other threats, and 2% say they are not unique.

It appears the more you know about APTs, the more likely you are to perceive them as unique. Most CISOs said "they didn't think APTs were anything new until they were attacked," Oltsik writes. "As they watched APT attacks unfold, they were blown away by how they adapted, moved around the network, rooted themselves in systems, and used sophisticated (and often homegrown) innovation to fool security tools and remain stealthy."

The actual attack rates are surprising. Some 20% of those surveyed said they are certain they have been targeted, while another 39% said they are fairly certain they have been targeted. The latter is telling given that stealth and patience are hallmarks of APT attacks. Operation Aurora, originally directed at Google, spanned nine months. [see "Living with the knowledge that we're infected"]

What are companies doing to fight back? Some 50% do formal penetration testing one or more times per quarter, and for up-to-the-minute information about ongoing attacks, 68% rely on net management tools, 51% use log file analysis, 43% use IDS/IPS alerts and 41% lean on SIEM tools.

Of the survey respondents that are most prepared for APTs, 90% say they have implemented new or modified security processes to deal with APTs, while 60% have invested in new defense technologies. Training is also key: 56% of this prepared group say they are adding APT training for the security staff, while more than half will also train general employees about the threats. (The full study contains many other relevant findings.)

The take-away seems to be this: those who know the most are the most afraid of APTs. So if you're not sweating them, maybe you should be.