One in five security professionals recently surveyed by ISACA say their organization has experienced an advanced persistent threat (APT) attack.
While the term APT is used with increasing frequency when discussing security threats, ISACA found there is still confusion as to what an APT is and how to manage the risks associated with it. ISACA's Advanced Persistent Threat Awareness report, released in mid-February, includes input from 1,551 information security professionals representing 20 industries from across the globe.
Fortinet defines APTs as attacks operated by highly skilled teams or governments that use advanced technology and multiple methods and vectors to reach specific targets and obtain sensitive or classified information. Also known as targeted attacks, APTs involve reconnaissance of each target to determine the best method of entry. Social engineering and zero-day vulnerabilities are the most common infection vectors.
ISACA's study reveals that a large number of respondents believe APTs are a threat to their organizations and important enough to impact national security and economic stability. But it also finds that companies, and many employees, do not understand the difference between lower-level cyberattacks and APTs. That may be why ISACA found the controls being used to defend against APTs are not sufficient to adequately protect enterprise networks.
For instance, more than 90 percent of the security professionals surveyed say they are using antivirus, anti-malware and/or traditional network perimeter technologies to defend their enterprises against APTs. Fewer than 60 percent are using additional layers of protection such as sandboxing and mobile and traditional endpoint control.
In a recent conversation with Network World, Fortinet CEO Ken Xie said Fortinet is deploying additional technologies, and seeing others start to implement them too, that include sandboxing (both local to the device and in the cloud) and IP reputation. With FortiClient, he said, "We can evaluate an incoming file if there's no signature, but if the file looks suspicious, we can run it through a light on-device sandbox. If we still can't determine the nature of the file, we'll send it to our cloud service, which opens the file in a protected setting. If it is safe, it goes through. If it's bad, we stop it."
FortiGuard Labs also launched cloud-based sandboxing and IP reputation services aimed at fending off APTs. The IP Reputation Service investigates and monitors IPs that are compromised or behaving abnormally. The service uses a number of different techniques including historical analysis, honeypots and botnet analysis to provide immediate protection for FortiGate, FortiWeb and FortiDDoS platforms against wide-scale, automated attacks.
The IP Reputation Service also "learns" from a global footprint of threat sensors, tracking malicious events to IP addresses in real time.
As Xie told Computerworld, a signature-only model is no longer a good enough deterrent against today's rapidly evolving threats.
"While I'm not suggesting that the signature is dead (FortiGuard Labs researchers are issuing 250,000 new signatures a day), additional technology is now needed to detect and mitigate the increasing number of malware variants out there."