Attacks are evolving, but organizations’ deployed defenses are not

Trend Micro commissioned Quocirca to look at attitudes towards targeted attacks in a range of organizations with more than 2500 employees in the UK, France and Germany. The results show a good awareness of what constitutes a targeted attack and the dire effect it can have, but also demonstrate that many companies are not deploying new defenses against the new attacks. This demonstrates, suggests Rik Ferguson, VP of security research at Trend Micro, a knowledge gap between the nature of the attacks and the technologies that can mitigate them.

“Respondents were very clear on what constitutes a targeted attack, the means and methods that are employed to gain persistent access to highly sensitive data,” he said, “however the majority of enterprises are still relying on technology designed to combat the more widespread, less customized malware to which we have become accustomed.”

Perhaps more worrying, organizations should not only understand the threat; they should also understand empirically the limitations of relying solely on anti-virus and firewalls. “The majority of organisations,” says the report, “admit they have discovered malware running on their networks that had not been detected by existing security measures... Given the damage that can result, this apparent complacency is worrying.”

The modern, technically competent attacker will use zero-day malware exploiting zero-day vulnerabilities, delivered at the end of compelling, socially engineered spear-phishing, a route that will almost inevitably defeat firewalls and anti-virus defenses. But despite understanding and experiencing this threat, more than half of the respondents said they were neither deploying nor even evaluating any new tools to mitigate it. Those tools do exist. They include, says the report, “tools for sandboxing, file integrity monitoring, network traffic inspection/deep packet inspection and behavioural analysis.” And they work. “Once such a technology was deployed, the number saying they had blocked attacks rose considerably.”

Security defenses are a form of insurance. It has long been recognized that insurance is often treated seriously only after a loss. It is clear from this survey that the threat posed by targeted attacks is recognized within organizations. “The survey showed that IT security managers are managing to set some of their budget aside specifically defending against targeted attacks,” Bob Tarzey, a director at Quocirca, told Infosecurity. And yet that isn’t enough for a full defense. “Only if the board level fully understands the risk is the appropriate level of funding likely to be found,” he continued, “and all too often that will be after a serious attack has already taken its toll on a given business.” Just like traditional insurance. And as this survey shows, if that attack is already in progress, many companies will neither know about it nor be able to stop it.
