Sie sind auf Seite 1von 17

2015 Advanced

Persistent Threat
Awareness
Third Annual
Study Results
Advanced persistent threats (APTs) continue to enjoy the spotlight in the
wake of their successful use to launch several high-profile data breaches. The
fourth in a series of ISACA studies designed to uncover information security
professionals understanding and opinions of APTs, technical controls, internal
incidents, policy adherence and management support, this report reveals
positive trends since the 2014 survey. Improvements can be seen in the level
of awareness of the unique aspects of APTs and the benefits of addressing
them through a variety of countermeasures. A strong correlation clearly exists
between the perceived likelihood of an APT attack on the enterprise and the
enterprises adoption of improved cybersecurity practices. Yet, not all avenues
for APT intrusion are fully locked down. Mobile device security is lagging, despite
acknowledgment that the bring your own device (BYOD) trend increases
APT risk, and a preference is seen for technical controls over education and
training, even though many successful APT attacks gain entry by manipulating
individuals innate trust and/or lack of understanding.

Personal Copy of: Mr. Daren Wayne Darrow

www.isaca.org/cyber

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

Table of Contents

List of Figures

Introduction to the Report

03

Defining Advanced Persistent Threats

04

Description of the Population

06

Perspectives on APTs

07

Direct APT Experience

09

APT Impact on Policies and Practices

11

2015 ISACA. All Rights Reserved.

Industries of Survey Participants

05

Figure 2

Geographic Distribution

06

Figure 3

Likelihood of APT Attack

06

Figure 4

Familiarity With APT

07

Figure 5

Perception of Nature of APT Threats

07

Figure 6

Degree of Enterprise Risk

08

Figure 7

Enterprise Ability to Deal


With an APT Attack

09

Figure 8

Correlation Between Likelihood of and


Preparedness for an APT Attack

09

Figure 9

Technical Controls Used to


Protect Against APT Attacks

10

Figure 10

Correlation Between Likelihood of APT


Attack and Use of Technical Controls

11

Figure 11

Correlation Between Familiarity


With APTs and Updating of Third-party
Contracts

12

Figure 12

Correlation Between Likelihood of APT


Attack and Executive Involvement

13

Figure 13

Correlation Between Likelihood of APT


Attack and Executive Actions

13

Figure 14

Correlation Between Likelihood of


Attack and Adjustment of Incident
Response Plans

14

Figure 15

Correlation Between Likelihood of


Attack and Increase in Awareness
Training

14

07

Awareness

Conclusions

Figure 1

15

Personal Copy of: Mr. Daren Wayne Darrow

Introduction to the Report


In 2013, ISACA, in collaboration with Trend Micro, released
its first study on advanced persistent threat (APT) awareness.
ISACAs Guidance and Practices Committee launched the
APT Awareness Study to comprehend better how well security
professionals understand APTs and identify what is being done
to prevent them. The study reported on data collected in 2012
and demonstrated that although APTs had received much market
attention, there was still a lack of clarity around what actually
defined an APT and how to protect and defend against it. To
determine whether the landscape had evolved, ISACA repeated
the survey in January 2014 and July 2015.
Each year, the survey is distributed to a sample of ISACA
member and nonmember security professionals, which includes
information security managers in different industries and
organizations throughout the world. The sample population
consists of current holders of ISACAs Certified Information
Security Manager (CISM) credential and other information
security professionals. The 2015 survey, the results of which are
reported in this publication, provides an updated view of these
professionals perceptions of the APT and organizational attitudes
about its impact on business operations and economics.
The survey, which uses multiple-choice and Likert scale
formats, is organized in five sections:
Demographics
APT Awareness
Direct APT Experience
Security Controls, Processes and Responses
APT Impact on Policies and Practices

How Secure Is Your Enterprise?


Take our free ISACA APT Awareness Survey Quiz and see
how well your organization scores on its APT-readiness.
Download it now!

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

Defining Advanced Persistent Threats


Every year the damage and costs related to cyberattack multiply
at a shocking rate. Major cyberattacks targeting financial,
retail, healthcare, government and the entertainment industries
have resulted in tens of millions of exposed records, billions
spent on remediation and significant damage to many brands.
Cybercriminals continue to exploit individuals and enterprises
while increasing profits from more than US $300 billion in 2012
to an estimated US $1 trillion in 2014. Juniper Research has
predicted that profits will top US $2 trillion in 2019.1 But money is
not all the cybercriminals are after. They compound their financial
success by stealing sensitive data in espionage attempts.
Unfortunately, negative cybersecurity incidents show no signs
of decreasing. On the contrary, industry and vendor reports
indicate that attacks are on the rise as cybercrime, hacktivism
and advanced attacks continue to pester enterprise networks.
Admittedly, some progress in defending against cyberattacks
has been made: Many preventive controls have emerged that
have made it more difficult for those with malicious intent to
penetrate networks, and detective controls have helped to
identify quickly when a breach does occur. Still, some attacks
are very difficult to spot.
Efforts to stay ahead of cybercriminals and APTs are not
helped by the skills gap that exists in the information security
workforce. Current practitioners lack the requisite skills to
leverage the technology; understand the threat; and integrate
cybersecurity risk management strategies, tools and policies
to defend against the APT. The failure or inability to leverage
technology and implement strategies based on industry
standards and good practices is illustrated by Verizons 2015
report on the payment card industry (PCI), which notes that
only one in five businesses is compliant with the PCI Data
Security Standard (PCI DSS).2
As technology changes and information security tools evolve,
so too do the tactics, techniques and procedures of threat

actors. Social engineering remains at the center of APT


activity to gain footholds into information systems.
Early efforts began with phishing, then evolved to spear
phishing, and proceeded on to whaling, which often
included an attachment or a link that contained malware
or an exploit. However, over the past three years APTs
have moved on to the Internet as the main attack vector
(e.g., web sites, social media and mobile applications).
Watering hole (fake web site) attacks have increased in
frequency and often use a browser-based, zero-day attack.
In fact, recent reports by leading cybersecurity experts have
found that web-based attacks outnumber email-based attacks
nearly five to one,3 and web applications and point-of-sale
systems are leading hacker targets.4,5
Opinions differ on what makes a threat an APT. Some state
that APT is just a marketing term; others believe there is no
difference between an APT and a traditional threat; yet others
say that an APT is a nation-state-sponsored activity that is
geared toward political espionage. Which is true? APTs are
often seen in nation-state-sponsored attacks (but it is very hard
to prove), and they do often use the same attack vectors that
traditional threats leverage. However, they also employ different
attack methodologies and display different characteristics from
those evidenced by traditional threats.
Because so many differing opinions of what constitutes an
APT exist in the market, ISACAs planning for the initial study
included the realization that it was critical to establish a
broadly accepted definition. This definition was retained in the
subsequent surveys. ISACAs definition specifies that APTs
are often aimed at the theft of intellectual property (espionage)
as opposed to achieving immediate financial gain and are
prolonged, stealthy attacks. This wording aligns with the
definition used by the US National Institute of Standards and
Technology (NIST), which states that an APT is:

1 Cybercrime Will Cost Businesses Over $2 Trillion by 2019, Finds Juniper Research, PR Newswire, 12 May 2015, www.prnewswire.com/news-releases/cybercrime-willcost-businesses-over-2-trillion-by-2019-finds-juniper-research-503449791.html
2 Verizon, Verizon 2015 PCI Compliance Report, 2015, www.verizonenterprise.com/pcireport/2015/,
3 FireEye Advanced Threat Report: 2013, https://www2.fireeye.com/advanced-threat-report-2013.html
4 Mandiant, M-Trends 2015: A View From the Front Lines, https://www2.fireeye.com/WEB-2015-MNDT-RPT-M-Trends-2015_LP.html
5 Verizon, Verizon 2015 PCI Compliance Report, www.verizonenterprise.com/pcireport/2015/

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

An adversary that possesses sophisticated levels of


expertise and significant resources which allow it to create
opportunities to achieve its objectives by using multiple
attack vectors (e.g., cyber, physical, and deception). These
objectives typically include establishing and extending
footholds within the information technology infrastructure
of the targeted organizations for purposes of exfiltrating
information; undermining or impeding critical aspects of
a mission, program, or organization; or positioning itself
to carry out these objectives in the future. The advanced
persistent threat: (i) pursues its objectives repeatedly over
an extended period of time; (ii) adapts to defenders efforts
to resist it; and (iii) is determined to maintain the level of
interaction needed to execute its objectives.6
This definition provides a good base from which to
understand the differences between traditional threats and
APTs. Interaction with a command-and-control center,
repeated pursuit of objectives, adaptation to defenders, and
persistence set APTs apart from the typical attack. There is
a who behind the APT; it is not just a random spray
of malwaresomeone is specifically targeting the
enterprise. The primary purpose of most APTs is to
extract information from systemscritical research,
enterprise intellectual property, government information
or other data. APTs are advanced and stealthy, often
possessing the ability to conceal themselves within the
enterprise network traffic, interacting just enough to get what
they need to accomplish their job. Their facility with disguise
and ability to morph when needed can be crippling to security
professionals attempts to identify or stop them.
In addition to their stealth and adaptability, APTs are
characterized by their persistence. For example, traditional
cyberthreats try to exploit a vulnerability, but often will move on
to something less secure if they cannot penetrate their initial
target. APTs, on the other hand, do not stop. Their singleminded persistence in pursuing their target and repeated
efforts to complete the job they were created to do means
they will not go away after one failed attempt. They will make
continual attempts until they meet their objectiveor until
they are mitigated and removed. The people and groups
behind APT attacks are determined to achieve success and
appropriately resourced to do so.

FIGURE

Industries of Survey
Participants

WITHIN WHICH OF THE FOLLOWING INDUSTRIES


ARE YOU EMPLOYED?
Technology Services/Consulting

Financial/Banking

Government/MilitaryNational/State/Local

Telecommunications/Communications

Manufacturing/Engineering

Insurance
Miscellaneous

Health Care/Medical

Mining/Construction/Petroleum/Agriculture

Education/Student

Utilities

Transportation

Retail/Wholesale/Distribution

0%

5%

10%

15%

20%

25%

30%

35%

Percentage of Respondents
6 NIST, Special Publication 800-39: Managing Information Security RiskOrganization, Mission, and Information System View, USA, March 2011, http://csrc.nist.gov/
publications/PubsSPs.html#SP 800

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

Description of the
Population

FIGURE

Geographic Distribution
IN WHICH OF THE FOLLOWING AREAS DO YOU RESIDE?

Because this ongoing studys purpose is to measure information


security characteristics such as understanding of APTs and
knowledge of internal controls, internal incidents, policy
adherence and management support, the survey population
consists of those who deal with those issues every day:
professionals with information security responsibilities. The
studys global sample includes those who hold ISACAs Certified
Information Security Manager (CISM) credential and other
information security professionals with whom ISACA interacts.

For the 2015 survey, SurveyMonkey (www.surveymonkey.


com) was used to collect the data from 661 individuals
globally, 96 percent of whom are members of ISACA.
Seventeen industries are represented in the study, the
most highly represented industry being the technology
services and consulting field, in which 32 percent of the
respondents work (figure 1).
The highest concentration of respondents resides in Europe/
Africa (40 percent), followed by North America (30 percent)
(figure 2).

30%

Latin America

40

North America

5%

%
19
Asia

Oceania

Europe/Africa

FIGURE

Based on these demographic factors, a typical participant


can be described as:

Likelihood of APT Attack


HOW LIKELY DO YOU FEEL THAT IT IS THAT YOUR
ORGANIZATION WILL BE THE TARGET OF AN APT?

An ISACA member

1%

European/African or North American


Working in the technology services/consulting industry
or the financial services/banking industry

Not at all likely

22%

Very likely

25%

Not very
likely

52%
Likely

Ponemon Institute, 2014 Global Report on the Cost of Cyber Crime, https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf

10

Bodeau, Deborah J.; Richard Graubart; Cyber Resiliency Engineering Framework, The MITRE Corporation, 2011, www.mitre.org/sites/default/files/pdf/11_4436.pdf

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

Perspectives
on APTs

FIGURE

Familiarity With APT


HOW FAMILIAR ARE YOU WITH APTS?

The analysis of the 2015 survey results suggests that there


may be a slight regression in level of awareness regarding
APTs as compared to the 2014 study. In 2014, 96 percent
claimed familiarity with APTs; that figure drops to 94 percent
in 2015.
The 2015 survey results indicate that 72 percent of
respondents believe their organizations have not been
targeted by an APT-related attack; while an almost
equal number (74 percent) think they will be targeted in
the near future (figure 3).
It is, of course, possible that the respondents stated belief
that their organizations have not been targeted may instead
reflect a lack of awareness that a breach has already
occurred. However, progress is being made on identifying
potential breaches before they occur and mitigating their
effect quickly. The 2015 study reports a significantly larger
percentage of respondents (over previous years studies) who
are adjusting practices by employing newer technologies,
antivirus/malware software, signature management, logging
and security awareness/training. These activities are
reflected in an expanded awareness of the steps of the APT
threat life cycle; three out of four respondents were able to
identify all seven steps of the life cycle. All this adds up to
improvements in cybersecurity practices. However, the same
degree of effort is not being applied to mobile security, as is
discussed later in this publication.

6%

22%

Not at all
familiar

Very
familiar

27%

Somewhat
familiar

45%

Familiar

FIGURE

Perception of Nature
of APT Threats

DO YOU BELIEVE THAT APTS ARE SIMILAR OR


UNIQUE TO HISTORICAL THREATS?

Awareness
Almost one-quarter of the 2015 respondents consider
themselves very familiar with APTs, and a total of 94 percent
characterize themselves as having at least some familiarity
(figure 4).
The degree of familiarity appears to be a positive indicator
and may contribute to a shift in how APTs are perceived. In
2014, 51 percent of the respondents saw APTs as unique
threats, a result that is reversed in 2015, where 51 percent
see the APT as similar to traditional threats (figure 5).

2015 ISACA. All Rights Reserved.

51%

Similar to
Traditional Threats

Personal Copy of: Mr. Daren Wayne Darrow

49%
Unique

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

This may be indicative of the high degree of sophistication


demonstrated by current breaches, making all attack
methodologies used today appear more advanced (and,
therefore, APT-like). Also, many more attacks are now being
attributed to nation-state actors, who are known to rely on
APT-related tactics, techniques and procedures.

FIGURE

Degree of Enterprise Risk

WHAT DO YOU BELIEVE TO BE THE HIGHEST RISK TO


YOUR ENTERPRISE ASSOCIATED WITH A SUCCESSFUL
APT ATTACK?

Recent breaches have highlighted the APT. Perhaps this higher


profile has resulted in blurring the lines between traditional
threats and advanced threats, creating confusion in the
marketplace. This is troubling because if security professionals
do not understand the differences between the threat classes,
it follows that they may find it difficult to properly identify,
defend against and respond to APTs. Given that a stunning 97
percent of the 2015 respondents report their belief that APTs
represent a credible threat to national security and economic
stability (up from 92 percent in 2014), the importance of having
a clear understanding of APTs is self-evident.

Loss of Personal Information of Employees or Customers

Reputational Damage

Other awareness highlights include:


A growing belief that the use of social networking sites
increases the likelihood of a successful APT attack (95
percent in 2015, up from 92 percent in 2014)

Loss of Intellectual Property

A broadly held conviction (89 percent of 2015 respondents)


that bring your own device (BYOD), combined with rooting
(Android manipulation by the owner of the device to gain
more access to OS and hardware functions) or jailbreaking
(iOS manipulation by the owner of the device to evade vendor
limitations), makes a successful APT attack more likely

Financial Loss (tangible)

While there is a high level of agreement among the 2015


respondents that APTs are cause for concern, there is less
agreement on the biggest risk to the enterprise in the event of a
successful APT attack (figure 6). The 2015 respondents agree
with the 2014 participants that loss of personally identifiable
information is the biggest risk to the enterprise. However, the
recent high-profile breaches may be the cause of the 2015
survey participants selecting reputation damage as the second
largest risk (24 percent), bumping loss of intellectual property
into third place (22 percent in 2015, down from 24 percent in
2014). 2015s top two issues reverse the positions assigned by
the initial studys (2013) respondents.

Contractual Breach (due to the above) or Legal Issues

Loss of Availability - i.e., Business Continuity Issues

0%

5%

10%

15%

20%

25%

30%

Percentage of Respondents

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

Direct APT Experience

FIGURE

While respondents may have developed risk scenarios of a


successful APT attack, most have not yet had to deal with
the actuality of an attack. Only 28 percent of respondents
report having been subject to an APT attack. Of those,
25 percent are employed in the technology services and
consulting field, and 19 percent work in government or
military (national/state/local). Additionally, among those who
have been subject to attack, 65 percent were able to identify
its source.

Enterprise Ability to Deal


With an APT Attack

60%

40%

All respondents were asked whether they consider their


enterprises prepared to deal with the threat of an APT. There
is a significant amount of confidence among respondents
that that they do have the ability to detect, respond to, and
stop an APT attack (figure 7).
It is worth looking further into enterprises ability to respond
to attack. Respondents were asked to indicate their
enterprises ability to respond, with the different levels of
preparedness specifically defined: Very prepared means
having a documented and tested plan in place; Prepared
signifies having an incident management plan, although
it does not specifically cover APTs; Not very prepared
and Not prepared at all are clear and are not included in
calculating any degree of preparedness. Overall, more
than 67 percent of the 2015 respondents believe that
they are ready to respond to APT attacks to some
degree; this represents a decrease of 7 percentage
points from 2014s statistic of 74 percent. The degrees of
preparedness reported are 18 percent in the very prepared
category and close to 50 percent in the prepared category.
This leaves 33 percent of respondents not confident that they
are prepared to deal with an event triggered by this class of
threat.
Interesting correlations can be drawn between the perceived
likelihood of an enterprise being subject to attack and
its degree of preparedness to deal with it. Among the 22
percent of respondents who believe it is very likely that
their organizations will be the target of an APT attack, only
45 percent consider themselves very prepared and 35
percent place themselves in the prepared category (figure
8). Combining the two groups reveals that 80 percent of
those who characterize their enterprise as very likely to
be targeted are preparedto some degreeto deal with
APTs (up from 75 percent in 2014). Likewise, those who
identify their enterprises as likely targets (52 percent)

2015 ISACA. All Rights Reserved.

20%

DETECT
APT ATTACKS
VERY ABLE

FIGURE

RESPOND TO
APT ATTACKS
ABLE

NOT ABLE

STOP A
SUCCESSFUL
ATTACK

0%

NOT AT ALL ABLE

Correlation Between
Likelihood of and Preparedness
for an APT Attack
Very
likely

Likely

Not very
likely

Not at all
likely

Very Prepared
Documented and Tested
Plan in Place

45%

15%

2%

0%

PreparedIncident
Management Exists but
Does Not Cover APT

35%

58%

46%

29%

Not Very Prepared

18%

25%

49%

57%

Not Prepared at All

2%

2%

4%

14%

Total

22%

51%

26%

1%

Personal Copy of: Mr. Daren Wayne Darrow

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

believe they, too, are ready to deal with an attack, with 15


percent considering themselves very prepared and 59
percent claiming to be prepared. While the total prepared
percentage for this group (74 percent) is not as high as the
very likely group, this population has a lower likelihood
expectation of attack as well.
The correspondence between likelihood and preparation
continues in the lower likelihood categories. Among those who
categorize their enterprises as not very likely targets of an
APT, only 48 percent report feeling prepared for an attack to
some extent. Of the group that considers its enterprises not
at all likely to be subject to attack, only 29 percent claim to be
prepared for attack (figure 8).
Regardless of the degree of preparedness, it is clear that at
least some controls and countermeasures are in place on
which the respondents are relying to address an APT attack.
What approaches are being used?

FIGURE

Enterprises seem to be taking a risk-based approach to


planning for an APT. As has been previously noted, nearly
three-quarters of respondents indicate their belief that their
enterprise is likely to be targeted for an APT attack; controls
in the enterprises represented by these respondents are more
prevalent than in the enterprises not characterized as highly
likely to become an APT target. This is true not only of technical
controls. Throughout the study, there is a significant correlation
between the respondents who believe that their enterprises
will be targeted by an APT and those who have adjusted
components in the security program (such as awareness
training and incident response plans) to prepare for potential
attack from an APT.
Respondents are leveraging a variety of preventive, detective
and investigative controls to help reduce the likelihood of a
successful breach. A very high percentage of those surveyed
(95 percent) report that they are using antivirus and antimalware and/or traditional network perimeter technologies (to
thwart APTs), but critical controls for mobile devices, remote
access technologies (RATs), sandboxing and endpoint control
are much less prevalent (figure 9).

Technical Controls Used to Protect Against APT Attacks


WHICH SPECIFIC CONTROLS IS YOUR ENTERPRISE USING TO PROTECT SENSITIVE DATA FROM APT ATTACKS?

Antivirus, Anti-malware
Network Technologies (firewalls, routers,switches, etc.)
Log Monitoring/Event Correlation
IPS (signature/abnormal event detection and prevention based controls)
User Security Training & Controls
(IDM, password, awareness training, etc.)

Network Segregation (zoning off)


Endpoint Control
Remote Access Technologies
Mobile Security Gateways
Sandboxes
(environment with limited functionality used to test untrusted code)

Mobile Anti-malware Controls


0%

20%

40%

60%

80%

100%

Percentage of Respondents

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

10

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

In addition to these technical controls, 73 percent of


respondents (up 4 percentage points from 2014) are
using training and education to help prevent against
attacks such as spear phishing and social engineering,
which specifically attempt to exploit the human factor.

FIGURE

10

Correlation Between Likelihood


of APT Attack and Use of
Technical Controls

It is clear that a correlation exists between perceived likelihood


of APT attack and degree of preparation to deal with the
attack. A similar degree of alignment can be found between
likelihood of APT attack and usage of more technical controls
(figure 10).
Educational training is also more prevalent as a defense
within enterprises considered very likely to become
targets. While it is a positive sign that a higher level of
perceived likelihood of an APT breach correlates to the
increased use of technical and educational controls, it
is concerning that network perimeter technologies and
antivirus and anti-malware top the list of controls used
because APTs have been shown to leverage zero-day
vulnerabilities, which render tools that look for known
signatures and vulnerabilities irrelevant.
As was noted previously in this publication, 88 percent of
respondents recognize that BYOD, combined with rooting
and jailbreaking, is significant in increasing the likelihood of an
attack. Given this awareness, it is surprising to see that mobile
security reflects such low usage to help defend against APTs.

APT Impact on Policies and Practices


The threat of APT attack calls for many defensive approaches,
among them technical controls, IT/cybersecurity workforce
training and certification, changes in human resource
awareness training, and updates to third-party agreements.
Additional considerations examined in the survey are the
effect of APT threats on enterprise policies and the practices
and attitudes of executive management toward cybersecurity
initiatives. Nearly two-thirds of the survey participants
(62 percent) indicate that their organizational leadership
is becoming more involved in cybersecurity-related
activities and 80 percent see a visible increase in support
by senior management. Ninety percent of the respondents
organizations now include cybersecurity in their organizational
risk management strategy.

2015 ISACA. All Rights Reserved.

Very
likely

Likely

Not very
likely

Not
likely at
all

Total

IPS (signature/abnormal
event detection and
prevention-based controls)

25%

53%

21%

1%

77%

Antivirus,
Anti-malware

22%

52%

25%

1%

95%

Network Technologies
(firewalls, routers, switches,
etc.)

23%

51%

25%

1%

93%

Network Segregation
(zoning off)

24%

53%

21%

2%

73%

Sandboxes (environment
with limited functionality used
to test untrusted code)

32%

52%

15%

1%

35%

Log Monitoring/Event
Correlation

25%

51%

22%

1%

75%

Remote Access
Technologies

24%

50%

25%

1%

59%

End-point Control

25%

50%

24%

1%

64%

Mobile Security Gateway

30%

51%

18%

1%

37%

Mobile Anti-malware
Controls

32%

51%

16%

1%

26%

User Security Training


and Controls (IDM,
password, awareness
training, etc.)

24%

53%

22%

1%

74%

Total
Respondents

122

279

133

541

Personal Copy of: Mr. Daren Wayne Darrow

11

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

Vendor Management
Vendor management is an important factor in protecting
outsourced data. Therefore, the study examined ongoing
relationships with third parties to see whether enterprises
are adjusting contract language or service level agreements
(SLAs) to ensure that third parties are practicing due diligence
to protect themselves from APTs and to require financial
restitution in the event thatdespite controlsthey are
breached, resulting in damage to the customer.
Overall, 75 percent of respondents have not updated
agreements with third parties for protection against APTs. While
this is a disturbing statistic, especially in light of the numerous
high-profile data breaches that have resulted from attacks
that first targeted vendors supporting larger organizations,
it does represent an improvement, albeit a negligible one,
over the 2014 survey, in which 76 percent reported that they
had not adjusted third-party agreements. The percentage
improves slightly when cross-referenced with the degree of
familiarity with APTs, as illustrated in figure 11. One-third of
the respondents who indicate they are very familiar with APTs
have updated their third-party contracts to address APTs, a
figure that drops to only 19 percent among those who describe
themselves as having no familiarity with APTs.

Overall, 75 percent of respondents have not


updated agreements with third parties for
protection against APTs.

2015 ISACA. All Rights Reserved.

FIGURE

11

Correlation Between Familiarity


With APTs and Updating of
Third-party Contracts

100%

80%

60%

40%

20%

0%
Yes, we have updated our
third-party contract
language to address APTs.

VERY FAMILIAR

Personal Copy of: Mr. Daren Wayne Darrow

FAMILIAR

No, we have not updated our


third-party contract language
to address APTs.
SOMEWHAT
FAMILIAR

NOT AT
ALL FAMILIAR

12

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

Executive Involvement
Given the increased attention that APTs have received in
recent years, it might be expected that executives would
become more involved in cybersecurity activities. Survey
respondents were asked to indicate whether they note
a change in executive activity within their enterprises. In
a similar fashion to other findings in the study, there is a
correlation between the perceived likelihood of the enterprise
being an APT target and the level of executive involvement,
with more likely targets reflecting increased executive
involvement and less likely targets showing less executive
engagement (figure 12).
Those who indicated seeing increased executive involvement
in security initiatives were asked the types of specific actions
in which executives are engaging. Results indicate security
budgets have increased (53 percent of respondents); the
majority (80 percent) reported seeing increased visible
support from senior executives, while 61 percent noted
increased policy enforcement.
When the responses are filtered according to the likelihood
of the enterprise being targeted by APTs, the numbers shift
(figure 13).

Results indicate security budgets have


increased (53% of respondents); the
majority (80%) reported seeing increased
visible support from senior executives, while
61% noted increased policy enforcement.

FIGURE

12

Correlation Between Likelihood


of APT Attack and Executive
Involvement
80%

60%

40%

20%

0%
Yes, executive leadership
demonstrates increased
involvement in
cybersecurity activities.
VERY LIKELY

LIKELY

FIGURE

13

No, executive leadership


does not demonstrate
increased involvement in
cybersecurity activities.
NOT VERY LIKELY

NOT AT ALL LIKELY

Correlation Between
Likelihood of APT Attack and
Executive Actions
100%

80%

60%

VERY LIKELY
LIKELY

40%

NOT VERY LIKELY


NOT AT ALL LIKELY

20%

INCREASED
SECURITY BUDGETS

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

INCREASED VISIBLE
SUPPORT FROM
EXECUTIVE
LEADERSHIP

INCREASED
SECURITY POLICY
ENFORCEMENT

0%

13

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

Although enterprises characterized as very likely targets for


an APT are enjoying increased security budgets and policy
enforcement, all enterprises, regardless of perceived likelihood
of APT attack, seem to be benefitting from a significant level
of visible support from senior executives.

FIGURE

14

Correlation Between Likelihood


of Attack and Adjustment of
Incident Response Plans

Incident Management and Awareness Training

100%

Managing a successful APT attack is not always as easy as


removing the violating threat. Many APTs are adaptable and
have the ability to change to suit the circumstances. Typical
incident response plans designed to stop and remediate
might not be suitable for APTs; the plans should be reviewed
and incorporation of specific provisions for APTs considered.
The 2015 survey indicates an improvement in level of
preparedness, with 79 percent of those who consider
their enterprises very likely to be targeted by an APT
reporting that adjustments have been made to their incident
response plans (figure 14). This represents an increase of 9
percentage points over the 2014 survey.
Unfortunately, the same attention is not being applied to
awareness training. Overall, 56 percent of respondents
report that their enterprises have not increased
awareness training relative to APTs; however, this is
a significant improvement from 2014 when 67 percent
stated they had not increased APT-related awareness
training. The percentages improve slightly for enterprises
that are considered very likely or likely targets of an APT, but
even in these cases, less than half are increasing awareness
training (figure 15). This statistic is troubling as targeted spear
phishing and web browsers are attack vectors that could
possibly be mitigated with well-trained staff.

80%
60%

40%
20%

Yes, our incident response


plan has been adjusted to
address APT considerations.
VERY LIKELY

FIGURE

15

LIKELY

No, our incident response


plan has not been a djusted to
address APT considerations.
NOT VERY LIKELY

0%

NOT AT ALL LIKELY

Correlation Between
Likelihood of APT Attack and
Increase in Awareness Training
80%

Although enterprises characterized as


very likely targets for an APT are enjoying
increased security budgets and policy
enforcement, all enterprises, regardless of
perceived likelihood of APT attack, seem
to be benefitting from a significant level of
visible support from senior executives.

60%

40%
20%

Yes, my enterprise has


increased awareness training.
VERY LIKELY

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

LIKELY

0%
No, my enterprise has not
increased awareness training.
NOT VERY LIKELY

NOT AT ALL LIKELY

14

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

Conclusions
Like the 2014 survey, there are many
positive findings to celebrate in the
2015 study. Overall, more people are
aware of APTs and are making positive
changes to increase their protection
against them. The survey respondents
security professionals allseem to be
practicing good security management
by utilizing a risk-based approach to
managing APTs within their enterprises.
This is reflected throughout the results
as the respondents, who consider their
enterprises more likely to experience
an APT, report activities that suggest
they have adopted a layered approach
to managing their enterprise security. In
almost all cases, the higher the perceived
likelihood of becoming a target, the
more consideration is being given to
APTs in terms of technology, awareness
training, vendor management, incident
management and increased attention
from executives. This activity and
corresponding effort form an excellent
base for information protection.
However, APTs are still not clearly
understood. They are different from
traditional threats and need to be
addressed differently. A gap in the
understanding of what APTs are and
how to defend against them remains,
as demonstrated by the number of
respondents who self-identity as
familiar (to some degree) with APTs
(67 percent) compared to those who
feel that APTs are similar to traditional
threats (51 percent).
The data also indicate that enterprises
have not really changed the ways in

which they protect against APTs. The


technical controls most often cited
as being used to prevent APTs are
network perimeter technologies such as
firewalls and access lists within routers,
as well as anti-malware and antivirus.
While these controls are proficient for
defending against traditional attacks,
they are probably not as well suited
for preventing APTs because APTs
exploit zero-day threats, which leverage
unknown vulnerabilities, and many
APTs enter the enterprise through welldesigned spear phishing attacks. This
indicates that additional controlsand
perhaps an increased focus on email
security and user educationcould
be beneficial.
Finally, the survey revealed a slight
improvement relating to the availability
of guidance focused on APTs. In 2014,
75 percent of respondents noted a lack
of appropriate guidance; that number
decreased to 66 percent in 2015. This
improvement can probably be partially
attributed to a generally increased
level of awareness of APTs, resulting
from recent high-profile APT-related
attacks. ISACA is doing its part as well
to address the marketplaces need
for guidance. ISACAs Cybersecurity
Nexus (CSX) program provides
education, training, certification and
professional developmentwith a
concentration on APTsto support
the efforts of professionals and
practitioners as they address
challenges in cybersecurity.

Finally, the survey


revealed a slight
improvement relating
to the availability of
guidance focused on
APTs. In 2014, 75%
of respondents noted
a lack of appropriate
guidance; that number
decreased to 66% in
2015. This improvement
can probably be partially
attributed to a generally
increased level of
awareness of APTs,
resulting from recent
high-profile APT-related
attacks.

To learn more visit us at


www.isaca.org/APT-WP
2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

15

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

ISACA
ISACA (isaca.org) helps global
professionals lead, adapt and assure
trust in an evolving digital world by
offering innovative and world-class
knowledge, standards, networking,
credentialing and career development.
Established in 1969, ISACA is a global
nonprofit association of 140,000
professionals in 180 countries. ISACA
also offers the Cybersecurity Nexus
(CSX), a holistic cybersecurity resource,
and COBIT, a business framework to
govern enterprise technology.

Disclaimer
This is an educational resource and
is not inclusive of all information that
may be needed to assure a successful
outcome. Readers should apply their
own professional judgment to their
specific circumstances.

3701 Algonquin Road, Suite 1010


Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
www.isaca.org

Provide feedback:
www.isaca.org/APT-WP
Participate in the ISACA
Knowledge Center:
www.isaca.org/knowledge-center
Follow ISACA on Twitter:
www.twitter.com/ISACANews
Join ISACA on LinkedIn:
www.linkd.in/ISACAOfficial
Like ISACA on Facebook:
www.facebook.com/ISACAHQ

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

16

2015 ADVANCED PERSISTENT THREAT AWARENESSTHIRD ANNUAL


STUDY RESULTS

ACKNOWLEDGMENTS
Lead Developer
R. Montana Williams
MA-IOP, CWDP
Senior Manager, Cybersecurity Practices
ISACA, USA

Board of Directors
Christos K. Dimitriadis
Ph.D., CISA, CISM, CRISC,
INTRALOT S.A., Greece, International
President
Rosemary M. Amato
CISA, CMA, CPA,
Deloitte Touche Tohmatsu Ltd.,
The Netherlands, Vice President
Garry J. Barnes
CISA, CISM, CGEIT, CRISC, MAICD,
Vital Interacts, Australia, Vice President

Robert E Stroud
CGEIT, CRISC,
USA, Past International President
Zubin Chagpar
CISA, CISM, PMP,
Amazon Web Services, UK, Director
Matt Loeb
CAE,
ISACA, USA, Director
Rajaramiyer Venketaramani Raghu
CISA, CRISC,
Versatilist Consulting India, Pvt., Ltd.,
India, Director
Jo Stewart-Rattray
CISA, CISM, CGEIT, CRISC, FACS CP,
BRM Holdich, Australia, Director

Robert A. Clyde
CISM,
Clyde Consulting LLC, USA, Vice President
Theresa Grafenstine
CISA, CGEIT, CRISC, CPA, CIA, CGAP, CGMA,
US House of Representatives, USA, Vice
President
Leonard Ong
CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP,
CIPM,CIPT, CISSP ISSMP-ISSAP, CSSLP,
CITBCM, GCIA,GCIH, GSNA, GCFA,
ATD Solution, Singapore, Vice President
Andre Pitkowski
CGEIT, CRISC, OCTAVE,
CRMA, ISO27kLA, ISO31kLA,
APIT Consultoria de Informatica Ltd.,
Brazil, Vice President
Eddie Schwartz
CISA, CISM, CISSP-ISSEP, PMP,
WhiteOps, USA, Vice President
Gregory T. Grocholski
CISA,
SABIC, Saudi Arabia,
Past International President
Tony Hayes
CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA,
Queensland Government, Australia,
Past International President

2015 ISACA. All Rights Reserved.

Personal Copy of: Mr. Daren Wayne Darrow

17