12/3/2013
05:37 PM

Businesses Suffer An Average Of 9 Targeted Attacks Per Year

New study reveals breadth -- and apparent success -- of the typical advanced persistent threat (APT)-type attack

Advanced persistent threat (APT)-style attacks may be even more pervasive than thought: Organizations have suffered an average of nine such targeted attacks in the past 12 months, a new study finds.

Even more chilling: Nearly half of those organizations say the attackers successfully stole confidential or sensitive information from their internal networks, according to a new report by the Ponemon Institute called "The State of Advanced Persistent Threats," which was commissioned by Trusteer. Ponemon surveyed 755 IT and IT security professionals who have had firsthand experience with prevention or detection of targeted attacks on their organizations.

In line with previous reports from other sources, Ponemon found that it took victim organizations painfully long periods of time to even discover they had been hit by these attacks. On average, these attacks went undiscovered for 225 days -- a delay respondents attribute to a lack of sufficient endpoint security tools and lean internal resources. According to the Verizon Data Breach Investigations Report (DBIR) released in August, organizations typically don't discover that they've been breached for months and even years after the fact -- and nearly 70 percent of them learn from a third party.

But in a dramatic shift from the Verizon report, the new Ponemon study found that most organizations say they are seeing a decline in "opportunistic" or random, nontargeted attacks and an increase in targeted ones. Some 67 percent say opportunistic attacks have not increased in the past 12 months, while 48 percent say targeted attacks have either rapidly increased or increased in the same period. The survey defines opportunistic attacks as those where the attackers "have a general idea of what or whom they want to compromise" and only hack them if they encounter exploitable vulnerabilities. "In contrast, targeted attacks are those in which attackers specifically choose their target and do not give up until this target is compromised," according to the report.

Verizon's DBIR, meanwhile, found that 75 percent of all confirmed data breaches last year were the result of financially motivated cyberattacks, while 20 percent were cyberespionage for stealing intellectual property or other information for competitive purposes.

The divergent data here could be a function of organizations becoming more aware of targeted attacks, notes George Tubin, senior security strategist at Trusteer, an IBM company. "As the industry becomes more mature and defining our terms better of what's opportunistic versus targeted, we're getting some clarity," he says.

Cyberespionage actors are getting stealthier, encrypting their malware to evade detection, for example, he says.

Nearly 70 percent of organizations say zero-day malware attacks are their biggest threats, and 93 percent say malware was the method of attack employed by the APT actors who targeted them. Half say those attacks originated via phishing.

Anti-malware and intrusion detection systems (IDS) are mostly no match for exploits and malware, according to the report. Some 76 percent of respondents say exploits and malware got past their AV software, and 72 percent say they got past their IDS.

IDS, IPS, and AV are the top three tools these organizations have in place for detecting targeted attacks. Around 60 percent say opportunistic attacks are easier to prevent than targeted ones, and 46 percent say they are easier to detect.

[The Verizon Data Breach Investigations Report 2013 finds that financial cybercrime accounted for three-fourths of real-world breaches, followed by cyberespionage in one-fifth of breaches. See No 'One Size Fits All' In Data Breaches, New Verizon Report Finds.]

Java and Adobe Reader -- two heavily exploited applications -- are the biggest thorns in the sides of organizations when it comes to patching. Some 80 percent say Java is the hardest to keep updated with the latest patches; 72 percent, Reader; and 65 percent, Microsoft Windows. "Sixty-four percent say their company continued to operate one or more of these applications in the production environment knowing that vulnerabilities exist and a viable security patch was available but was not implemented," the report says. And 73 percent say: "If I could, I would discontinue using Java."

And not surprisingly, the root of much of the APT trouble in these organizations is lack of budget. Nearly 70 percent say their budgets are inadequate for fighting APTs, and only 31 percent say they have sufficient in-house resources.

Trusteer's Tubin says the actual numbers of APT targeted attacks per year, as well as the percentage of successful ones that exfiltrate information, are probably even higher than the Ponemon report shows. "Newer attack techniques that bypass detection technologies are not being picked up," he says. "This stuff is very stealthy ... it sits on the network for a very long time, so it's very likely these companies have additional APTs going on that they just haven't discovered yet."

The full Ponemon report is available here.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
