As organizations grapple with the explosion of new and novel threats, they are often constrained by both time and resources to address them. With the cybersecurity skills gap expected to reach 1.8 million by 2022, according to The Wall Street Journal, teams are often left with a need to prioritize their workloads based on what will maximize the return on their efforts.

While, for most, this means addressing commodity malware and deploying antivirus solutions for signature-based threats, large organizations are particularly susceptible to the most dangerous attack out there: the unknown unknown, which, in cybersecurity, manifests as an advanced threat.

What Is an Advanced Persistent Threat (APT)?

Advanced threats are what keep chief information security officers (CISOs) up at night. They are the most difficult to detect and defend, but pose the greatest risk to the organization. These attacks are typically perpetrated by highly capable, well-equipped threat actors — commonly nation states or state-sponsored groups — via specific, targeted actions.

Threat intelligence researchers and intelligence agencies are constantly inventing entertaining monikers for these groups, such as Office Monkeys and Stone Panda, but their work is far more notable than their identities. While these hacking collectives are largely nameless and faceless, you’ve likely seen their work in the form of high-profile data breaches. In each of these instances, the attackers used evasive tactics, which made it significantly more difficult to see where the attacks originated and how they traversed the network.

How Do Companies Defend Against Advanced Persistent Threats?

With essentially unlimited resources at their disposal, advanced threat actors present an interesting challenge for security teams who don’t enjoy that same luxury. With the cost of a data breach reaching $3.9 million and average advanced persistent threat (APT) dwell times exceeding 80 days, the pressure has never been higher for security operations center (SOC) teams to act quickly and decisively in detection and response. And just as not all threats are created equal, neither are all cyberdefenses.

With so many questions about how to best defend against advanced threats, IBM Security partnered with the SANS Institute to better understand how organizations are addressing them. In a survey of more than 360 security practitioners from various industries and company sizes, SANS explored what threats organizations have seen in their environments, common detection blind spots and how security teams respond.

Let’s take a closer look at some of the major takeaways from the SANS survey.

What You Don’t Know Can Hurt You

One of the key tenets of advanced threat defense is organizationwide visibility. Visibility is what gives SOC teams home-field advantage over threat actors, because analysts are intimately familiar with the organization’s infrastructure and normal operating state. A lack of environmental visibility often contributes to blind spots in detection, and responding with incomplete or missing information is difficult. More than 48 percent of respondents said that a lack of insight into where data is being processed is the top visibility gap in advanced threat detection.

This issue is compounded further by the adoption of cloud services and the rise of the hybrid cloud. Cloud infrastructure can introduce a host of threat vectors that may not be present in on-premises environments, such as cross-cloud and cross-tenant attacks. Almost 77 percent of respondents are entirely in the cloud or have a hybrid strategy, which illustrates just how important it is for the modern SOC to monitor and analyze this attack surface.

Organizations still struggle with detecting shadow IT, particularly in the cloud, because unapproved software-as-a-service (SaaS) app use by line of business users puts corporate information at risk. Visibility into this activity is particularly important for insider threat detection; organizations need to see if users are exfiltrating data to personal cloud storage services, such as Google Drive or Dropbox.

While the cloud is not inherently more or less secure than on-premises deployment, 55 percent of respondents said they had blind spots in cloud environments where their current security analytics solution cannot integrate. Security teams should look for solutions that integrate across infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and SaaS offerings, to gain visibility into cloud activity and risk and to correlate that data against existing, noncloud log sources.

Anomalous User Activity Could Indicate an Advanced Attack

Another key takeaway from the report is the lack of insight into user activity. Credential compromise, often by phishing, is one of the most common vectors for advanced threats. When attackers steal credentials from a privileged user, they often exploit them to launch additional attacks from within and then abuse the victim’s level of access to spread their foothold to other systems. Advanced attackers often move quickly to steal and abuse legitimate account credentials, and the higher the privilege of these accounts, the more targeted they are. Some of the largest and most notable breaches in recent memory have been caused by credential compromise, including Target and Starwood.

In the survey, respondents cited credential hijacking (52 percent) and privileged user abuse (49 percent) as the most common threats in their environment, yet only 40 percent of organizations track user behavior anomalies as a metric for their SOC team. There is a detection gap in organizations’ ability to establish what is baselined as normal in their environment so that anomalies can be detected, with more than 47 percent struggling to do so. Organizations should look to employ solutions that baseline normal user access and detect when a user deviates from this behavior.
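As an added illustration of the baselining approach described above (example code written for this page, not an IBM or SANS tool), the following builds a per-user baseline of hosts, source networks and login hours from constructed sample login records, then scores new logins by how many dimensions deviate, weighting privileged accounts more heavily. The account naming convention (`svc_`, `adm_`), the /24 network grouping and the alert threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample login records, not from the article: (timestamp, user, host, source_ip).
BASELINE_EVENTS = [
    ("2023-03-01T09:02:11", "alice", "web01", "10.0.1.5"),
    ("2023-03-02T09:15:40", "alice", "web01", "10.0.1.5"),
    ("2023-03-03T10:05:02", "alice", "web02", "10.0.1.5"),
    ("2023-03-01T08:50:00", "svc_backup", "db01", "10.0.2.20"),
    ("2023-03-02T08:51:13", "svc_backup", "db01", "10.0.2.20"),
    ("2023-03-03T08:49:58", "svc_backup", "db02", "10.0.2.20"),
]
NEW_EVENTS = [
    ("2023-03-04T09:10:00", "alice", "web01", "10.0.1.5"),       # routine
    ("2023-03-04T02:30:00", "alice", "db01", "203.0.113.9"),     # off-hours, new host and network
    ("2023-03-04T08:52:00", "svc_backup", "db01", "10.0.2.20"),  # routine
    ("2023-03-04T14:00:00", "svc_backup", "dc01", "10.0.2.20"),  # service account on a new host
]
PRIVILEGED_PREFIXES = ("svc_", "adm_")  # assumption: naming convention for privileged accounts

def build_baseline(events):
    """Per-user sets of hosts, source /24 networks and login hours seen in the baseline window."""
    baseline = defaultdict(lambda: {"hosts": set(), "nets": set(), "hours": set()})
    for ts, user, host, ip in events:
        baseline[user]["hosts"].add(host)
        baseline[user]["nets"].add(ip.rsplit(".", 1)[0])
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline

def score_event(baseline, event):
    """Score one login: one point per dimension that deviates from the user's baseline."""
    ts, user, host, ip = event
    b = baseline.get(user, {k: set() for k in ("hosts", "nets", "hours")})  # no baseline: deviates everywhere
    reasons = []
    if host not in b["hosts"]:
        reasons.append(f"new host {host}")
    if ip.rsplit(".", 1)[0] not in b["nets"]:
        reasons.append(f"new source network {ip}")
    hour = datetime.fromisoformat(ts).hour
    if all(abs(hour - h) > 2 for h in b["hours"]):  # more than 2h from every usual login hour
        reasons.append(f"unusual hour {hour:02d}:00")
    score = len(reasons)
    if reasons and user.startswith(PRIVILEGED_PREFIXES):
        score += 1  # deviations by privileged accounts carry extra weight
        reasons.append("privileged account")
    return score, reasons

def detect_anomalies(baseline_events, new_events, threshold=2):
    baseline = build_baseline(baseline_events)
    return [(ev[1], ev[0], s, r) for ev in new_events
            for s, r in [score_event(baseline, ev)] if s >= threshold]
```

`detect_anomalies` returns one `(user, timestamp, score, reasons)` tuple per new login at or above the threshold; in a real SOC the baseline window would be rebuilt continuously from the SIEM rather than from a fixed list.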

To learn more, register to download the full report, “SANS Institute: Effectively Addressing Advanced Threats.”
