Report Indicates Many Organizations Not Adequately Prepared for Persistent APT Onslaught
This summer, Dmitri Alperovitch, VP of Threat Research at McAfee, revealed the discoveries of a series of targeted intrusions into 70+ global organizations that took place over the last 5 years. Along with revealing the attacks dubbed “Operation Shady RAT”, Alperovitch commented, “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised.”
Some criticized the specifics of Shady RAT and Alperovitch’s comments, dismissing them as marketing FUD (Fear, Uncertainty and Doubt) — but it appears many folks serving information security functions could be agreement with Alperovitch, at least in terms of the wide array of companies that could have experienced a breach.
Today, a report (paid) coming from The Enterprise Strategy Group revealed that a majority of mid-to-large U.S.-based corporations believe they have been the targets of sophisticated cyber attacks looking to steal sensitive data.
The report, which included responses 244 security professionals working at U.S. based organizations with more than more than 1,000 employees, revealed that 59 percent of respondents are “certain” or “fairly certain” that their organization has been the target of a previous APT attack. Additionally, 72 percent of organizations think they are a “highly likely” or “somewhat likely” target of future APT attacks.
Scared, Unprepared for APTs
Alarmingly, nearly one-third of the large organizations surveyed believe that they are vulnerable to future APTs, indicating that many organizations are ill prepared to protect against future attacks.
Additionally, 46% of large organizations that ESG categorized as “most prepared for APTs” (based upon their existing security policies, procedures, and technical safeguards) say they are vulnerable to future sophisticated attacks.
According to the report, 93% of security professionals working at enterprise organizations are either “extremely concerned” or “concerned” about APTs and the impact that APT attacks could have on vital U.S. interests such as national security and the economy.
“Security professionals who understand the threat landscape best readily admit that their organizations are not only under attack but also vulnerable,” said Jon Oltsik, senior principal analyst at ESG and the primary author of the report. “Even more frightening, the companies that have already taken proper steps to secure their assets still believe they are vulnerable to APTs. If those organizations with strong cybersecurity policies are vulnerable to APT attacks, it’s safe to conclude that nearly all organizations are vulnerable.”
Just yesterday, Symantec uncovered a coordinated cyber-campaign designed to steal information from various companies across the world that hit many chemical and defense firms. Some of the attacks infected computers with the well-known PoisonIvy Trojan via email attachment sent to specific recipients in organizations that appeared to be meeting invitations from business partners.
“Virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm,” Alperovitch added during his revealing of Shady RAT. “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know,” Alperovitch concluded.
Overall, the data presented in the ESG research report and other industry reports indicate that many organizations may not be adequately prepared for a persistent APT onslaught. ESG reminds us of the importance of security professionals to educate executive managers about APT risks, assess their existing security defenses, and bolster security analysis and forensic skills.
“Security professionals have the most knowledge about and experience with APTs. This group believes that APTs are real, unique, and extremely dangerous. It is imperative that business executives, IT managers, law enforcement officials, and legislators recognize the risks, accept this warning, understand what’s at stake, and begin to address cybersecurity weaknesses as soon as possible. The longer we delay, the more damage we will likely incur,” Oltsik concluded.