As organizations grapple with the explosion of new and novel threats, they are often constrained by both time and resources to address them. With the cybersecurity skills gap expected to reach 1.8 million by 2022, according to The Wall Street Journal, teams are often left with a need to prioritize their workloads based on what will maximize the return on their efforts.

While, for most, this means addressing commodity malware and deploying antivirus solutions for signature-based threats, large organizations are particularly susceptible to the most dangerous attack out there: the unknown unknown, which, in cybersecurity, manifests as an advanced threat.

What Is an Advanced Persistent Threat (APT)?

Advanced threats are what keep chief information security officers (CISOs) up at night. They are the most difficult to detect and defend against, yet pose the greatest risk to the organization. These attacks are typically perpetrated by highly capable, well-equipped threat actors — commonly nation states or state-sponsored groups — via specific, targeted actions.

Threat intelligence researchers and intelligence agencies are constantly inventing entertaining monikers for these groups, such as Office Monkeys and Stone Panda, but their work is far more notable than their identities. While these hacking collectives are largely nameless and faceless, you’ve likely seen their work in the form of high-profile data breaches. In each of these instances, the attackers used evasive tactics, which made it significantly more difficult to see where the attacks originated and how they traversed the network.

How Do Companies Defend Against Advanced Persistent Threats?

With essentially unlimited resources at their disposal, advanced threat actors present an interesting challenge for security teams who don’t enjoy that same luxury. With the cost of a data breach reaching $3.9 million and average advanced persistent threat (APT) dwell times exceeding 80 days, the pressure has never been higher for security operations center (SOC) teams to act quickly and decisively in detection and response. Not all threats are created equal, and the same applies to cyberdefenses.

With so many questions about how to best defend against advanced threats, IBM Security partnered with the SANS Institute to better understand how organizations are addressing them. In a survey of more than 360 security practitioners from various industries and company sizes, SANS explored what threats organizations have seen in their environments, common detection blind spots and how security teams respond.

Let’s take a closer look at some of the major takeaways from the SANS survey.

What You Don’t Know Can Hurt You

One of the key tenets of advanced threat defense is organizationwide visibility. Visibility is what gives SOC teams home-field advantage over threat actors, because analysts are intimately familiar with the organization’s infrastructure and normal operating state. A lack of environmental visibility often contributes to blind spots in detection and makes it difficult to respond when information is incomplete or missing. More than 48 percent of respondents said that a lack of insight into where data is being processed is the top visibility gap in advanced threat detection.

This issue is compounded further by the adoption of cloud services and the rise of the hybrid cloud. Cloud infrastructure can introduce a host of threat vectors that may not be present in on-premises environments, such as cross-cloud and cross-tenant attacks. Almost 77 percent of respondents are entirely in the cloud or have a hybrid strategy, which illustrates just how important it is for the modern SOC to monitor and analyze this attack surface.

Organizations still struggle with detecting shadow IT, particularly in the cloud, because unapproved software-as-a-service (SaaS) app use by line of business users puts corporate information at risk. Visibility into this activity is particularly important for insider threat detection; organizations need to see if users are exfiltrating data to personal cloud storage services, such as Google Drive or Dropbox.

While cloud isn’t more or less secure than deployment on-premises, 55 percent of respondents said they had blind spots in cloud environments where their current security analytics solution cannot integrate. Security teams should look for solutions that integrate across infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and SaaS solutions to enable visibility into cloud activity and risk to correlate data against existing, noncloud log sources.

Anomalous User Activity Could Indicate an Advanced Attack

Another key takeaway from the report is the lack of insight into user activity. Credential compromise, often by phishing, is one of the most common vectors for advanced threats. When attackers steal credentials from a privileged user, they often exploit them to launch additional attacks from within and then abuse the victim’s level of access to spread their foothold to other systems. Advanced attackers often move quickly to steal and abuse legitimate account credentials, and the higher the privilege of these accounts, the more targeted they are. Some of the largest and most notable breaches in recent memory have been caused by credential compromise, including Target and Starwood.

In the survey, respondents cited credentials hijacking (52 percent) and privileged user abuse (49 percent) as the most common threats in their environment, yet only 40 percent of organizations track user behavior anomalies as a metric for their SOC team. There is a detection gap in organizations’ ability to monitor exactly what is baselined as normal in their environment to detect anomalies, with more than 47 percent struggling to do so. Organizations should look to employ solutions that baseline normal user access and detect when a user deviates from this behavior.
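As an added illustration of that baseline-and-deviate approach (example code written for this page, not from the post or the SANS report), the following builds a per-user baseline of source hosts and login hours from constructed authentication log lines, then flags later events that fall outside it, weighting privileged accounts higher. The log format, the host names and the weighting factor are all assumptions.

```python
from collections import defaultdict

# Constructed sample auth log lines: "<timestamp> <user> <source_host> <privileged?>"
BASELINE_LOGS = """\
2019-03-01T08:05:00 alice WS-ALICE no
2019-03-02T08:10:00 alice WS-ALICE no
2019-03-01T09:00:00 dbadmin JUMP-01 yes
2019-03-02T09:30:00 dbadmin JUMP-01 yes""".splitlines()

# Later events to check: alice as usual; the privileged dbadmin account
# appearing at 02:40 from a workstation it has never used before.
NEW_LOGS = """\
2019-03-05T08:02:00 alice WS-ALICE no
2019-03-05T02:40:00 dbadmin WS-ALICE yes""".splitlines()


def parse(line):
    ts, user, host, priv = line.split()
    return {"hour": int(ts[11:13]), "user": user, "host": host,
            "privileged": priv == "yes"}


def build_baseline(lines):
    """Per user, collect the source hosts and login hours seen in the baseline window."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in map(parse, lines):
        baseline[ev["user"]]["hosts"].add(ev["host"])
        baseline[ev["user"]]["hours"].add(ev["hour"])
    return baseline


def score_events(lines, baseline):
    """Return (user, host, score, reasons) for each event that deviates from its baseline.
    Deviations on privileged accounts are weighted higher (assumed factor of 3)."""
    alerts = []
    for ev in map(parse, lines):
        known = baseline.get(ev["user"])  # .get() does not create a default entry
        reasons = []
        if known is None:
            reasons.append("no baseline for user")
        else:
            if ev["host"] not in known["hosts"]:
                reasons.append("new source host")
            if ev["hour"] not in known["hours"]:
                reasons.append("unusual hour")
        if reasons:
            weight = 3 if ev["privileged"] else 1
            alerts.append((ev["user"], ev["host"], len(reasons) * weight, reasons))
    return alerts
```

Running `score_events(NEW_LOGS, build_baseline(BASELINE_LOGS))` yields a single alert for dbadmin; a real deployment would feed it from the SOC's log platform and tune the baseline window and weights.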

To learn more, register to download the full report, “SANS Institute: Effectively Addressing Advanced Threats.”
