Critics slam ISACA's APT report

"Fighting off an APT attack using firewalls and anti-virus is akin to shooting at a nuclear warhead with a bow and arrow."


Research just published claims to show that IT security professionals are relying on their conventional anti-virus (AV) and anti-malware technologies to act as a "last line of defence" against APTs (Advanced Persistent Threats).

APTs are those cyber-criminal security attacks that involve multiple vectors of subversion and infection, with the general principle that the attacker will employ "every trick in the book" to compromise a target system, and that money and time are essentially no object.

The US Air Force coined the term back in 2006 when it started analysing the complex attacks staged against its military computer systems.

After polling more than 1,200 security professionals, not-for-profit IT security association ISACA has produced its second annual APT awareness study, which shows 96 percent of respondents rely on AV and anti-malware to defend their systems against APTs.

Interestingly, just 60 percent of respondents said they employed remote access technologies as a defence strategy against APT attacks, with just 40 percent relying on mobile security gateways, and only 30 percent using sandboxing techniques.

What is interesting about this approach is that it is the almost exact opposite of the strategies used around four-and-a-half years ago when Stonesoft released its ground-breaking research on AETs (Advanced Evasive Threats), and distinguished them from APTs.

The good news is that this second annual APT report from ISACA suggests that more people are aware of APT threats and are taking steps to improve their security posture as a result. The slightly bad news, however, is that 20 percent of enterprises have experienced an APT attack, but only 15 percent claim to be "very prepared" for an attack.

According to Steve Armstrong, technical security director with pen testing specialist Logically Secure, ISACA has effectively released a security report based upon a survey of security people.

"This is like asking a bunch of turkeys if they thought Christmas was a major risk to their long term survival. The answer will be yes, and the advice would obviously be that they need to learn how to prevent the Christmas Persistent Threat (CPT) happening to them," he said.

Armstrong went on to say that the ISACA report - like the mythical Christmas turkey analysis - would not pass the BBC's "More or Less" analysis, as the survey group is self-fulfilling, and the report is more about marketing than news.

Scepticism about the analysis was shared by Professor John Walker, a director of CSIRT & cyber forensics with Integral Xssurance, who said that it is frustrating that APTs are not better understood by the IT security professional community, even though research on the threat has been around for four years.

"We still appear to be at the definition stage with AETs and APTs - and this report does little to help people better understand the complex threat that APTs truly are," he said, adding that the irony is that, after McAfee criticised Stonesoft for its original analysis on AETs and APTs, the security vendor bought out Stonesoft for £243m in May last year.

Over at Encode UK, Graham Mann, the vendor's managing director, also pointed out the information gulf on the subject of APTs.

"There still seems to exist a wide disparity between the realities of APT and the general understanding of the issue. This disparity is illustrated none more so than in how some organisations perceive themselves defending off an APT attack using firewalls and anti-virus," he said.

"Such tactics are akin to shooting at a nuclear warhead with a bow and arrow," he added.

Mann went on to say that the overriding issue, however, is not so much the defence but rather the identification of an APT attack.

"The fact that none of the organisations for which we have undertaken actual - but simulated - APT attacks have detected such an attack bears this out. If you can't detect an attack then you certainly can't defend against it, it's that simple," he explained.

Mark Sparshott, director of EMEA with Proofpoint, was more upbeat, but suggested that the fact that 50 percent of security professionals who responded to the survey do not see APTs as highly differentiated from traditional attacks means that they should really consider a career change.

"Encouragingly 92 percent of respondents recognised Social Networking makes APT attacks easier with personal information harvested from these sites used to craft compelling and believable targeted emails," he added.