
ADVANCED PERSISTENT THREAT AWARENESS
STUDY RESULTS

Advanced persistent threat (APT) has been a term used frequently during security threat discussion; however, confusion exists as to what an APT is and how to manage the risk associated with it. Although the study reveals that a large number of respondents feel that APTs are important and have the ability to impact national security and economic stability, the study also demonstrates that the controls being used to defend against APT might not be sufficient to adequately protect enterprise networks.

Sponsored By

2013 ISACA. ALL RIGHTS RESERVED.



ISACA

With more than 100,000 constituents in 180 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations.

ISACA continually updates and expands the practical guidance and product family based on the COBIT framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer

ISACA has designed and created Advanced Persistent Threat Awareness Study Results (the Work) primarily as an educational resource for those interested in APT. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security, governance and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
www.isaca.org

Provide feedback: www.isaca.org/cybersecurity
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: www.twitter.com/ISACANews
Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

2013 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.


ISACA Wishes to Recognize:

Contributors
Vilius Benetis, Ph.D., CISA, CRISC, BAIP, Lithuania
Jeimy J. Cano, Ph.D., CFE, CMAS, Ecopetrol, Colombia
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia

Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, Betfair, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Salomon Rico, CISA, CISM, CGEIT, Deloitte LLP, Mexico

ISACA Board of Directors
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International President
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Guidance and Practices Committee
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
Dan Haley, CISA, CGEIT, CRISC, MCP, Johnson & Johnson, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Vista Point, Brazil
Jotham Nyamari, CISA, Deloitte, USA
Connie Lynn Spinelli, CISA, CRISC, CFE, CGMA, CIA, CISSP, CMA, CPA, BKD LLP, USA
Siang Jun Julia Yeo, CISA, CPA (Australia), Mastercard Asia/Pacific Pte. Ltd, Singapore
Nikolaos Zacharopoulos, CISA, CISSP, DeutschePostDHL, Germany

Special Recognition


Table of Contents

Introduction to the Report 05
Defining Advanced Persistent Threats 06
Description of the Population 08
Perspectives on APT 09
Awareness 09
Direct APT Experience 11
Security Controls, Processes and Responses 12
APT Impact on Policies and Practices 15
Conclusions 19

List of Figures

Figure 01 Industry Distribution 08
Figure 02 Geographic Distribution 08
Figure 03 Familiarity With APTs 09
Figure 04 Comparison of APTs and Traditional Threats 10
Figure 05 Highest Enterprise Risk of Successful APT Attack 10
Figure 06 Enterprise Perceived Likelihood of Becoming APT Target 11
Figure 07 Enterprise Ability to Deal With APT Attack 11
Figure 08 Correlation Between Likelihood of and Preparedness for an APT Attack 12
Figure 09 Technical Controls Used to Protect Against APT Attacks 13
Figure 10 Correlation Between Likelihood of APT Attack and Use of Technical Controls 14
Figure 11 Correlation Between Familiarity With APTs and Update of Third-party Agreements 15
Figure 12 Correlation Between Likelihood of APT Attack and Executive Involvement 16
Figure 13 Correlation Between Likelihood of APT Attack and Executive Actions Taken 17
Figure 14 Adjustment of Incident Response Plans 17
Figure 15 Increase in Awareness Training 18


Introduction to the Report

The Advanced Persistent Threat (APT) Awareness Study was undertaken by ISACA in the fourth quarter of 2012. APTs have made headlines in the last few years for breaching some of the most well-known enterprise networks. Once thought to be limited to attacks on government networks, the Google Aurora attack in 2010 made it very clear that APTs are not just government threats. Large-scale breaches followed and made international headlines. RSA's 2011 breach was classified as being caused by an APT and, of course, awareness of Stuxnet and Flame is widespread. ISACA's Guidance and Practices Committee launched the APT Awareness Study to better understand how well security professionals understand APTs and what is being done to prevent them.

The survey was open to ISACA member and nonmember security professionals. The sample was defined to include information security managers in different industries and organizations throughout the world. The sample population was created by inviting current Certified Information Security Managers (CISMs) and information security professionals through LinkedIn.

The survey was organized in five major sections and used multiple-choice and Likert scale formats:

Demographics
APT Awareness
Direct APT Experience
Security Controls, Processes and Responses
APT Impact on Policies and Practices


Defining Advanced Persistent Threats

Information security breaches resulting in lost data, financial damage to companies, disruption of services and reputational damage are nothing new. Enterprises have faced malicious activity directed at them as well as threats from nonmalicious users ever since they networked systems. Malware, social engineering, hacking, SQL injections and denial of service are attack vectors that many security professionals wish they had not experienced, but, unfortunately, have. Many preventive controls have emerged that have made it more difficult for those with malicious intent to penetrate networks, while detective controls have helped to identify quickly when a breach does occur.

Recent large-scale security breaches have highlighted a new class of threat to networks. APTs have made global headlines, to the dismay of many enterprises. Traditionally considered as nation-state-sponsored activities aimed at government networks, the threats have become problematic for enterprises as well. RSA, Google, NASA and the Iranian government have experienced large security breaches due to APTs, demonstrating that APTs effectively target both enterprise and government networks. APTs differ significantly from traditional threats, yet they leverage many of the same attack vectors. Because so many different opinions of what constitutes an APT exist in the market, establishing the definition for the study was critical.

APTs are often aimed at the theft of intellectual property (espionage) as opposed to achieving immediate financial gain and are prolonged, stealthy attacks. This report aligns with the definition of the US National Institute of Standards and Technology (NIST), which states that an APT is:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.1

This definition provides a good base from which to understand the differences between traditional threats and APTs. Repeated pursuit of objectives, adaptation to defenders and persistence differentiate APTs from a typical attack. Primarily, the purpose of the majority of APTs is to extract information from systems; this could be critical research, enterprise intellectual property or government information, among other things.

1 National Institute of Standards and Technology (NIST), Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, USA, 2011


The APT is advanced and stealthy, often possessing the ability to conceal itself within the enterprise network traffic, interacting just enough to get what it needs to accomplish its job. This ability to disguise itself and morph when needed can be crippling to security professionals' attempts to identify or stop an APT attack. The APT's single-minded persistence in pursuing its target and repeated efforts to complete the job it has been created to do mean it will not go away after one failed attempt. It will continually attempt to penetrate the desired target until it meets its objective. Stealthiness, adaptability and persistence characterize this class of threat. For example, traditional cyberthreats often try to exploit a vulnerability but will move right on to something less secure if they cannot penetrate their initial target, whereas the APT does not stop. The people and groups behind APT attacks are determined and have the resources to be able to launch zero-day attacks on enterprises. This makes it hard to defend against them.

Spear phishing has become a very common method used by those launching APTs as an entry point to an enterprise. Often email filters are not effective enough to identify these well-designed spear phishes, and then it takes only a single user to click a link or open an attachment for an APT to begin to execute the first phase of an attack. Adding the human factor to a threat class that does not prey on known vulnerabilities makes defense and prevention even more challenging.


Description of the Population

Because the study's purpose was to measure information security characteristics such as knowledge of APTs, knowledge of internal controls, internal incidents, policy adherence and management support, the study surveyed those who deal with those issues every day: professionals with information security responsibilities. The study's purposive global sample included those who hold ISACA's CISM credential and information security professionals within groups on LinkedIn focused on cybersecurity and APTs. SurveyMonkey (www.surveymonkey.com) was used to collect the data from 1,551 individuals globally, 93.1 percent of whom were members of ISACA.

More than 20 industries were represented in the study; the majority of respondents (30.9 percent) were from the technology services and consulting field (figure 01).

[Figure 01: Industry Distribution. "Within which of the following industries are you employed?" Bar chart of percentage of respondents (0% to 35%) by industry: Technology Service/Consulting; Financial Banking; Government/Military/National/State/Local; Telecommunications/Communication; Manufacturing/Engineering; Insurance; Education/Student; Retail/Wholesales/Distribution; Utilities; Health Care/Medical; All Other Responses.]

The majority of respondents reside in Europe/Africa (38.3 percent), followed by North America (32.0 percent) (figure 02).

[Figure 02: Geographic Distribution. "In which of the following areas do you reside?" Pie chart: Europe/Africa 38%, North America 32%, Asia 19%, Latin America 8%, Oceania 3%.]

A typical participant can be described as:
An ISACA member (1,434)
European/African (591) or North American (493)
Belonging to the technology services consulting industry (457) or the financial services/banking industry (340)


Perspectives on APT

Many positive indicators were identified throughout the study, but it should also be noted that responses seemed to conflict as further analysis was completed. Positives such as increased management attention, security budgets and policy enforcement conflicted with respondents' indications that they are not increasing security awareness nor changing the way they deal with third parties.

53.4% of respondents indicated that they do not believe APTs differ from traditional threats.

Awareness

The survey results reveal that 25.1 percent of respondents are very familiar with APTs, with a total of 96.2 percent expressing that they are at least somewhat familiar (figure 03).

[Figure 03: Familiarity With APTs. "How familiar are you with APTs?" Pie chart: Very Familiar 25%, Familiar 42%, Somewhat Familiar 29%, Not At All Familiar 4%.]


While this degree of familiarity with APTs is a positive indicator, it appears to be negated by the 53.4 percent response indicating that survey participants do not believe APTs differ from traditional threats (figure 04). This finding is troubling because it implies that confusion does exist regarding the nature of an APT and its difference from a traditional threat. If security professionals do not understand the differences between the threat classes, they will find it difficult to properly identify, defend against and respond to an APT. With 93.9 percent of respondents reporting that they believe that APTs represent a credible threat to national security and economic stability, the importance of having a clear understanding of what they are is self-evident.

[Figure 04: Comparison of APTs and Traditional Threats. "Do you believe that APTs are similar or unique to historical threats?" Pie chart: Similar 54%, Unique 46%.]

Other awareness highlights include:
89.7 percent of respondents believe that the use of social networking sites increases the likelihood of a successful APT attack.
87.3 percent think that bring your own device (BYOD), combined with rooting (Android manipulation by the owner of the device to gain more access to operating system (OS) and hardware functions) or jailbreaking (iOS manipulation by the owner of the device to evade vendor limitations), makes a successful APT attack more likely.

While there was a high level of agreement among respondents that APTs are cause for concern, there was less agreement on the biggest risk to the enterprise in the event of a successful APT attack. Loss of enterprise intellectual property was the highest response, at 25.5 percent, and loss of customer or employee personally identifiable information (PII) finished next, at 23.6 percent (figure 05).

[Figure 05: Highest Enterprise Risk of Successful APT Attack. "What do you believe to be the highest risk to your enterprise associated with a successful APT attack?" Bar chart of percentage of respondents (0% to 30%): Loss of Availability; Loss of Intellectual Property; Loss of Personal Information; Contractual Breach or Legal Issues; Financial Loss (tangible); Reputation Damage.]


Direct APT Experience

While the respondents have identified the risk scenarios of a successful APT attack, most have not yet had to deal with the actuality of an attack. Only 21.6 percent of respondents reported having been subject to an APT attack. Of those, 26.2 percent were employed in the technology services and consulting field, followed by 22.7 percent working in financial services. Additionally, those who had been subject to attack were asked if they were able to identify the source of the attack; 65.4 percent answered affirmatively.

Although only 21.6 percent of respondents reported that their enterprise has already been victimized by an APT, roughly three times that number (63.0 percent) believe that it is only a matter of time before their enterprise is targeted (figure 06).

[Figure 06: Enterprise Perceived Likelihood of Becoming APT Target. "How likely do you feel that your organization will be the target of an APT?" Pie chart: Very Likely 18%, Likely 45%, Not Very Likely 35%, Not At All Likely 2%.]

63% of respondents think it is only a matter of time until their enterprise is targeted by an APT.

All respondents were asked if they considered their enterprise prepared to deal with the threat of APTs. The majority indicated their belief that they do have the ability to detect, respond to and stop a successful APT attack (figure 07).

[Figure 07: Enterprise Ability to Deal With APT Attack. "How able is your enterprise to deal with an APT attack?" Bar chart of percentage of respondents (0% to 60%) for Detect APT Attacks, Respond to APT Attacks and Stop a Successful Attack; series: Very Able, Able, Not Able, Not At All Able.]


Security Controls, Processes and Responses

As noted previously, the majority of respondents believe they are well positioned to identify, respond to and stop an APT attack. What controls and countermeasures are needed to ensure that this is true?

Throughout the survey, patterns emerge to indicate that although confusion exists on what an APT is and is not, enterprises seem to be taking a risk-based approach to planning for APTs. Controls are more prevalent in enterprises that feel they could be targeted for an APT attack than in those that do not feel the likelihood of becoming an APT target is high.

Incident Management Plans

Overall, nearly 60 percent of respondents believe that they are ready to respond to APT attacks. When asked the degree to which their enterprise is prepared to deal with an APT attack today, 14 percent responded that they are very prepared, which indicated that they have a documented and tested plan in place for APT. Another 49.6 percent responded that they are prepared, which was defined as having an incident management plan although it does not specifically cover APT. This leaves 37.4 percent of respondents not confident that they are prepared to deal with an event triggered by this class of threat.

Upon further analysis of the results, a relationship can be seen between the perceived likelihood of the respondent's enterprise being subject to an APT attack and the level of enterprise preparedness to deal with such an incident. Seemingly, higher perceived likelihood of being targeted corresponds to greater enterprise preparedness.

Among the 17.9 percent of respondents who felt it was very likely that their organization would be the target of an APT attack, 31.1 percent identified themselves as being in the very prepared category and 49.5 percent placed themselves in the prepared category. This demonstrates that a healthy 80.6 percent of those who characterize their enterprise as very likely to be targeted are ready to deal with it. Likewise, those that identified their enterprise as a likely target (45.1 percent) state that they too are ready to deal with an attack, with 14.0 percent considering themselves very prepared and 53.2 percent claiming that they are prepared (total of 67.2 percent). While the total prepared percentage for this group is not as high as the very likely group, this population has a lower likelihood expectation as well.

The correspondence between likelihood and preparation continues in the lower categories. Among those in the group responding as not very likely that their enterprise would be targeted by an APT, 51.5 percent report feeling at least prepared for an attack, and among the not at all likely group, only half consider themselves prepared (figure 08).

Figure 08: Correlation Between Likelihood of and Preparedness for an APT Attack

Columns: "How likely do you feel that your organization will be the target of an APT?" Each percentage is of its likelihood column; respondent counts are in parentheses.

Preparedness                              Very Likely    Likely        Not Very Likely   Not at all Likely
Very prepared (we have a documented
and tested plan in place for APT)         31.1% (69)     14% (90)      4.8% (21)         23.1% (6)
Prepared (but incident management
does not specifically cover APT)          49.5% (110)    53.2% (303)   46.7% (205)       26.9% (7)
Not very prepared                         15.8% (35)     30.2% (172)   42.1% (185)       34.6% (9)
Not prepared at all                       3.6% (8)       2.6% (15)     6.4% (28)         15.4% (4)
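As an added consistency check, not part of the ISACA report, the following Python recomputes the figure 08 column percentages from the printed respondent counts, derives the "at least prepared" totals the text cites for each likelihood group, and flags any cell whose recomputed share differs from the printed percentage. The counts and printed percentages are transcribed from figure 08 as reproduced above.

```python
"""Recompute the figure 08 cross-tabulation from its printed counts.

Added example, not part of the ISACA report. Every percentage is taken
relative to its likelihood column, i.e. the number of respondents who
chose that likelihood answer.
"""

LIKELIHOODS = ["very likely", "likely", "not very likely", "not at all likely"]
PREPAREDNESS = ["very prepared", "prepared", "not very prepared", "not prepared at all"]

# Respondent counts per (preparedness row, likelihood column), transcribed from figure 08.
COUNTS = {
    "very prepared":       {"very likely": 69,  "likely": 90,  "not very likely": 21,  "not at all likely": 6},
    "prepared":            {"very likely": 110, "likely": 303, "not very likely": 205, "not at all likely": 7},
    "not very prepared":   {"very likely": 35,  "likely": 172, "not very likely": 185, "not at all likely": 9},
    "not prepared at all": {"very likely": 8,   "likely": 15,  "not very likely": 28,  "not at all likely": 4},
}

# Percentages as printed in figure 08, used only for the consistency check.
PRINTED = {
    "very prepared":       {"very likely": 31.1, "likely": 14.0, "not very likely": 4.8,  "not at all likely": 23.1},
    "prepared":            {"very likely": 49.5, "likely": 53.2, "not very likely": 46.7, "not at all likely": 26.9},
    "not very prepared":   {"very likely": 15.8, "likely": 30.2, "not very likely": 42.1, "not at all likely": 34.6},
    "not prepared at all": {"very likely": 3.6,  "likely": 2.6,  "not very likely": 6.4,  "not at all likely": 15.4},
}


def column_totals(counts):
    """Number of respondents in each likelihood group (the column denominators)."""
    return {col: sum(counts[row][col] for row in PREPAREDNESS) for col in LIKELIHOODS}


def column_shares(counts):
    """Each cell as a percentage of its likelihood column, rounded to one decimal."""
    totals = column_totals(counts)
    return {
        row: {col: round(100.0 * counts[row][col] / totals[col], 1) for col in LIKELIHOODS}
        for row in PREPAREDNESS
    }


def at_least_prepared(counts):
    """Share of each likelihood group answering 'very prepared' or 'prepared'."""
    totals = column_totals(counts)
    return {
        col: round(100.0 * (counts["very prepared"][col] + counts["prepared"][col]) / totals[col], 1)
        for col in LIKELIHOODS
    }


def mismatches(counts, printed):
    """Cells whose recomputed share differs from the printed percentage."""
    shares = column_shares(counts)
    return [
        (row, col, shares[row][col], printed[row][col])
        for row in PREPAREDNESS
        for col in LIKELIHOODS
        if shares[row][col] != printed[row][col]
    ]


if __name__ == "__main__":
    ready = at_least_prepared(COUNTS)
    for col, total in column_totals(COUNTS).items():
        print(f"{col}: n={total}, at least prepared = {ready[col]}%")
    for row, col, got, shown in mismatches(COUNTS, PRINTED):
        print(f"mismatch in '{row}' / '{col}': recomputed {got}% vs printed {shown}%")
```

Run as written, the check reproduces every cell in the Very Likely, Not Very Likely and Not at all Likely columns exactly, but reports three mismatches in the Likely column (recomputed 15.5, 52.2 and 29.7 percent against the printed 14, 53.2 and 30.2 percent), so the printed counts in that column do not reproduce its printed percentages.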


Technology

Respondents are leveraging a variety of preventive and detective technical controls as well as education, training and policy to help reduce the likelihood of a successful breach. A very high percentage of those surveyed responded that they are using antivirus and anti-malware and/or traditional network perimeter technologies to thwart APTs, but much lower scores were seen for critical controls for mobile devices, remote access technologies (RATs), and logging/event correlation (figure 09).

In addition to these technical controls, 70.6 percent of those surveyed responded that they are using training and education to help prevent against attacks such as spear phishing and social engineering, which specifically attempt to exploit the human factor.

[Figure 09: Technical Controls Used to Protect Against APT Attacks. "Which specific controls is your enterprise using to protect sensitive data from APT attacks?" Bar chart of percentage of respondents (0% to 100%): IPS (signature/abnormal event detection and prevention based controls); Anti-Virus, Anti-Malware; Network Technologies (firewall, routers, switches, etc.); Network Segregation (zoning off); Sandboxes (environment with limited functionality used for testing); Log Monitoring/Event Correlation; Remote Access Technologies; Endpoint Control; Mobile Security Gateways; Mobile Anti-Malware Controls.]


In the incident management section, a correlation was demonstrated between perceived likelihood of APT attack and degree of preparation to deal with the attack. A similar alignment is reflected here, in that the enterprises that are perceived to be a likely or very likely target of APT seem to be using more technical controls than those that do not classify themselves as likely targets for the threat class (figure 10).

Educational training also proved to be more prevalent as a defense within enterprises that felt it very likely (82.0 percent) or likely (74.1 percent) to become targets.

While it is a positive sign that a higher level of perceived likelihood of an APT breach correlates to the increased use of technical and educational controls, it is concerning that network perimeter technologies and antivirus and anti-malware top the list of controls used. APTs are quite advanced and are known to avoid the approaches typically caught by these controls. For example, APTs do not tend to target known vulnerabilities that have been patched nor use recognizable signatures that may be needed for intrusion detection and prevention systems.

Mobile security reflects very low usage to help defend against APTs despite the fact that 87.3 percent of respondents recognized BYOD with rooting and jailbreaking as significant in the likelihood of an attack.

[Figure 10: Correlation Between Likelihood of APT Attack and Use of Technical Controls. "Which specific controls is your enterprise using to protect sensitive data from APT attacks?" Grouped bar chart of percentage of respondents (0% to 100%) per control: Mobile Anti-Malware Controls; Mobile Security Gateway; Endpoint Control; Remote Access Technologies; Log Monitoring/Event Correlation; Sandboxes; Network Segregation; Network Technologies; Anti-Virus, Anti-Malware; IPS. Series: Very Likely, Likely, Not Very Likely, Not At All Likely.]


APT Impact on Policies and Practices

The threat of APT attack calls for many defensive approaches, among them technical controls, changes in human resource awareness training and updates to third-party agreements. Another consideration examined in the survey is the effect of APT threats on the policies in the enterprise and the practices and attitudes from executive management toward cybersecurity initiatives.

Vendor Management

Vendor management is an important factor for protecting outsourced data. Therefore, the survey examined the ongoing relationship with third parties to see if enterprises are adjusting contract language or service level agreements (SLAs) to ensure that third parties have practiced due diligence to protect themselves from APTs and to require financial restitution in the event that, despite controls, they are breached, resulting in damage to the customer.

Overall, 81.8 percent of respondents have not updated agreements with third parties for protection against APT, a percentage that is especially surprising when more than two-thirds of respondents (67.6 percent) report familiarity with APTs. Figure 11 illustrates how familiarity with APTs and the update of third-party agreements align.

[Figure 11: Correlation Between Familiarity With APTs and Update of Third-party Agreements. "Has your enterprise changed the language in service level agreements with third parties to accommodate for APTs?" Grouped bar chart of percentage of respondents (0% to 100%) for Yes and No; series: Very Familiar, Familiar, Not Very Familiar, Not At All Familiar.]

82% of respondents have not updated agreements with third parties for protection against APTs.


Executive Involvement

Given the increased attention APTs have received in recent years, it might be expected that executives would be becoming more involved in cybersecurity activities. The survey respondents were asked to indicate whether they noted a change in executive activity within their enterprise. In a similar fashion to other findings in the study, there was a correlation between the perceived likelihood of the enterprise being an APT target and the level of executive involvement, with more likely targets reflecting increased executive involvement and less likely targets showing less executive engagement (figure 12).

[Figure 12: Correlation Between Likelihood of APT Attack and Executive Involvement. "Do you believe that executive management within your enterprise is becoming more involved with cybersecurity activities as a result of recent, visible APT attacks?" Grouped bar chart of percentage of respondents (0% to 80%) for Yes and No; series: Very Likely, Likely, Not Very Likely, Not At All Likely.]

Those who indicated seeing increased executive involvement in security initiatives were asked the types of specific actions in which executives were engaging. Given a list of possible activities that consisted of increased security budgets, increased visible support from senior executives, and increased policy enforcement, the majority (79.8 percent) reported seeing increased visible support from senior executives, while 66.0 percent noted increased policy enforcement. Less than half (46.9 percent) had experienced an increase in their security budget.


However, when the responses are filtered according to the likelihood of the enterprise being targeted by APTs, the numbers shift (figure 13).

It is interesting that the highest incidences of increased security budgets are occurring in not only the enterprises that find it very likely that they will be targeted by APTs, but also in those who find it not at all likely. Likewise, increased policy enforcement is occurring at a similar rate in enterprises that find it not very likely to be targets (65.9 percent) as in enterprises that find it very likely (65.8 percent).

FIGURE 13: Correlation Between Likelihood of APT Attack and Executive Actions Taken
IF YES, WHAT ACTIONS ARE THEY TAKING?
[Bar chart: Increased Security Budgets / Increased Visible Support from Executive Leadership / Increased Security Policy Enforcement, 0% to 100%, broken down by perceived likelihood of attack: VERY LIKELY, LIKELY, NOT VERY LIKELY, NOT AT ALL LIKELY]

Incident Management and Awareness Training
Managing a successful APT attack is not always as easy as removing the violating threat. Many APTs are adaptable and have the ability to change to suit the circumstances. Typical incident response plans designed to stop and remediate might not be suitable for an APT; the plans should be reviewed and incorporation of specific provisions for APTs considered. This survey indicates that many respondents have made a start in this area: More than half of the respondents who believe their enterprise is a likely target for APT have considered that the existing incident management plans may need adjustment (figure 14).

FIGURE 14: Adjustment of Incident Response Plans
ARE INFORMATION SECURITY MANAGERS ADJUSTING THEIR INCIDENT RESPONSE PLANS TO ACCOMMODATE FOR APT ATTACKS?
[Bar chart: YES / NO responses, 0% to 80%, broken down by perceived likelihood of attack: VERY LIKELY, LIKELY, NOT VERY LIKELY, NOT AT ALL LIKELY]


Regrettably, the same consideration is not being given to user awareness training. Overall, 67.3 percent of respondents report that they have not increased awareness training relative to APTs. The percentages improve slightly for enterprises that are considered very likely or likely targets of an APT, but even in these cases, less than half are increasing awareness training (figure 15).

FIGURE 15: Correlation Between Perceived Likelihood of APT Attack and Increase in Awareness Training
HAS YOUR ENTERPRISE INCREASED SECURITY TRAINING AS A RESULT OF APTS?
[Bar chart: YES / NO responses, 0% to 80%, broken down by perceived likelihood of attack: VERY LIKELY, LIKELY, NOT VERY LIKELY, NOT AT ALL LIKELY]

67% OF RESPONDENTS REPORT THAT THEY HAVE NOT INCREASED AWARENESS TRAINING RELATIVE TO APTs.


Conclusions
The survey demonstrated many positive findings. The participating security professionals seem to be practicing good security management by utilizing a risk-based approach to managing APTs within their enterprise. This is shown throughout the research, as enterprises that considered themselves more likely to experience an APT seem to have adopted a layered approach to managing their enterprise security. In almost all cases, the higher the perceived likelihood of becoming a target, the more consideration is being given to APTs in terms of technology, awareness training, vendor management, incident management and increased attention from executives. This activity and corresponding effort are excellent for information protection.

However, APTs are new to the market. They are different from traditional threats and need to be considered as a different class of threat. There is still a gap in the understanding of what APTs are and how to defend against them. This is demonstrated by the number of respondents who label themselves as at least familiar with APTs (67.6 percent) as compared to those who feel that APTs are similar to traditional threats (53.4 percent).

Additional data show that the market has not really changed the ways in which it protects against APTs. The technical controls most often identified as being used to protect against APTs are network perimeter technologies such as firewalls and access lists within routers, as well as anti-malware and antivirus. While these controls are proficient for defending against traditional attacks, they are probably not as suited for preventing APTs. This is true for a number of reasons: APTs exploit zero-day threats, which are often unknown vulnerabilities, and many APTs enter the enterprise through well-designed spear phishing attacks. This indicates that additional controls, such as network segregation and perhaps an increased focus on email security and user education, could be beneficial. Additionally, the lack of consideration being given to third parties is troubling. Enterprises must be sure that the data they outsource are protected, even if the provider itself experiences an APT attack.

Finally, 79.1 percent of respondents noted that there is a lack of guidance in the market focused on APT. As part of its continual effort to serve its members and other constituents, ISACA is creating a series of products to address challenges in cybersecurity, one component of which will concentrate on APTs.

To learn more visit us at WWW.ISACA.ORG/CYBERSECURITY



Fight Back Against
Your Attackers with a
Custom Defense
Standard security products simply can't cope with the custom nature of targeted attacks, not to mention their dedicated perpetrators. The Trend Micro Custom Defense arms you with a full spectrum of custom detection and intelligence. By weaving your security infrastructure into a tailored and adaptable defense, this unique solution equips you to discover and rapidly respond to your attackers.

Learn more at www.trendmicro.com/apt

2013 Trend Micro, Inc. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro, Inc.
