Those findings come from a new report on APTs released Tuesday by market researcher Enterprise Strategy Group (ESG). The study is based on a survey of about 250 U.S. information security professionals, conducted in August.
Who's wielding APTs against businesses? Respondents said they suspect such attacks come, in order of likelihood, from hacktivist groups such as Anonymous, organized criminal rings, competitors conducting reconnaissance or perpetrating industrial espionage, foreign governments, and terrorists.
Increasingly, security professionals are turning to more automated technology to help them spot and then stop APTs. "Even sophisticated IT shops preparing for APTs are using automation more," said Jon Oltsik, senior principal analyst at ESG and the primary author of the study, in an interview. "Automation detects an attack that's underway, and they're willing to use automation to take a system off the network, or block a protocol." The days of only using manual remediation, he said, appear to be over.
Notably, of all organizations surveyed, the 52 businesses that ESG rated as best prepared to stop APTs used network management tools (at 69%), security incident and event management tools (58%), log file analysis (46%), and intrusion detection or prevention system alerts (44%). But respondents to the study also complained that they need even more sophisticated tools, as well as better training, and more personnel. "There's a real skill shortage, across the board. We saw people saying that they didn't have the right skills to identify attacks in progress, to do analysis of attacks," said Oltsik.
One aspect of APTs that makes them difficult to spot is that they can be deceptively simple. Many experts, for example, think that social engineering attacks are the leading APT attack vector. Because such attacks rely not on sophisticated technology but on simply tricking people into revealing information directly (for example, divulging passwords over the phone) or indirectly (opening a malicious attachment that then installs a Trojan application on their PC), they're incredibly difficult to combat.
In fact, there's only one sure-fire technique for blocking social engineering attacks: training employees to spot them. But according to ESG's study, neither executives nor non-IT employees seem to be getting enough training. Roughly half of respondents rate both the overall security knowledge and the APT awareness of non-IT employees at their business as only fair, if not poor.
Other than training, how else can businesses better combat APTs? The study found that the best-prepared businesses took a very proactive approach to risk management, including maintaining and enforcing security policies that covered everything from physical security and data encryption to access controls and background checks on users with access to sensitive data.
Furthermore, 44% of the best prepared businesses conduct formal penetration tests against their network--employing outside experts to simulate hack attacks and discover unseen weaknesses--more than once per quarter. Conversely, only 15% of businesses that ESG rates as "somewhat" prepared to combat APTs were conducting penetration tests more than once per quarter.
For businesses that need to do a better job of battling APTs, Oltsik recommends starting with three steps. First, make employees think seriously about security. Next, accurately assess the business's current information security vulnerabilities. "If you can't do that yourself, get professional help," he said.
Finally, senior executives must take a more proactive approach to security, especially in light of the study's finding that the rise of APTs hasn't led to any changes in budgeting, training, or security assessment frequency at 51% of surveyed businesses, he said. "Think about security as the cost of doing business. It's not something you glue on after the fact; you have to add it to every layer of your organization, and IT."
The good news, however, is that half of surveyed businesses have altered their security behavior in light of APTs. In particular, 51% said that senior executives had allocated funds to increase the amount of security training for general employees; 33% had begun meeting more frequently with their chief information security officer (CISO) or IT risk team; and 18% had created the role of CSO or CISO, or another type of senior security position.