by Lawrence Pingree | March 22, 2013
How great a threat does Gartner consider state-sponsored cyber espionage to be?
Since Gartner does not track individual threats or actors, it is difficult to say for certain which attacks are state-sponsored and which are not. The recent Mandiant report highlighted China as the threat actor. Gartner does not believe that the country of origin is as important as the protection mechanisms that must be in place regardless of who is attacking.
What are the biggest threats, and where do they originate?
Threats originate globally; within the hacker underground, the most sophisticated hackers most often originate from Russia. In general, a nation-state actor that targets you will likely succeed, because such actors are given the time and resources to breach your organization's security using many capabilities beyond cyber assets alone. Attribution of attacks is extremely difficult because counter-intelligence techniques are readily used on the internet: spoofing source IPs, routing through proxy servers, using botnets to deliver attacks from other locations, and developers working with keyboard maps of different languages. For example, a Chinese American or a European who understands Chinese but develops exploits on behalf of their own country of origin makes attribution problematic or impossible.
In the recent report published by Mandiant titled "APT1", the hackers appear to originate in China. These threat actors were using common forms of zero-day exploitation, botnets and other tools readily available in the underground hacking community. Because they use the same tools and capabilities as underground hackers, it is most important to focus on generic security controls that protect against all of these attack capabilities. An organization should take a general approach to combating threats from any location rather than focusing on the country of origin. Gartner published a report last year titled "Network Security Monitoring Tools for 'Lean Forward' Security Programs" that calls out technologies that can assist in detecting advanced targeted attacks at the network layer.
What responses are organizations making?
I have written a report titled "Best Practices for Mitigating Advanced Persistent Threats" as a guide for raising the bar for prevention and detection of advanced forms of malware and targeted attacks, and these technologies and security techniques are what organizations today are focusing on refining and deploying. The two primary attack vectors of choice for today's threat actors are malware, used to gather unstructured data, and web-based attacks such as SQL injection, used to grab structured data stored in databases. The malware can be handled by a number of technologies at the network layer and at the Windows endpoint. Web attacks can be addressed with a combination of an intrusion prevention system and web application firewalls. See the reports titled "Best Practices for Mitigating Advanced Persistent Threats" and "Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012" for advanced malware threats, and "Competitive Landscape: Web Application Firewall Market, Worldwide, 2012" for web application firewalls.
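The paragraph above names SQL injection as one of the two primary vectors for reaching structured data and points to IPS and web application firewalls as the controls. The following is an added example, not code from the post or from Gartner, showing why the control closest to the data (parameter binding in the application) removes the vector outright, while a signature check of the kind a WAF or IPS applies is a useful but narrower secondary layer. It uses Python's standard sqlite3 module with a constructed in-memory table; the function names, the sample rows and the single tautology pattern are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for the "structured data" that web
# attacks target; the card numbers are deliberately masked placeholders.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111-xxxx-xxxx-1111"),
    ("bob", "bob@example.com", "5500-xxxx-xxxx-0004"),
    ("carol", "carol@example.com", "3400-xxxx-xxxx-0009"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Defective pattern: the caller's value is spliced into SQL syntax."""
    query = (
        "SELECT username, email, card FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the value is bound as data, never parsed as SQL."""
    query = "SELECT username, email, card FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# One tautology signature of the type WAF/IPS rule sets carry; a real product
# applies far broader rule sets and normalization, which is why it is a
# compensating control rather than a replacement for parameter binding.
TAUTOLOGY = re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE)


def flags_as_injection(value):
    """Return True when the input matches the single signature above."""
    return bool(TAUTOLOGY.search(value))


def demo():
    """Compare row counts returned for a benign and a hostile input."""
    conn = build_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # constructed classic tautology payload
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),
        "signature_hit": flags_as_injection(hostile),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the spliced query returning every row for the hostile input while the parameterized query returns none; the signature check catches this particular payload but would not catch the many encodings and variants that application-level binding handles by construction.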
Are organizations in a regulated environment facing a greater threat?
Nation states do not often target structured data types such as financial data; however, disruption of a banking system or of critical infrastructure can be akin to a nuclear attack if an entire banking, power or water delivery system is thoroughly disrupted. Government regulations target sensitive areas of the economy. Most attackers are financially motivated, and thus regulated environments such as financial organizations often face the largest threat from these actor groups. A nation state would likely consider disruption of critical infrastructure, rather than data acquisition, as its end goal during a time of war. Prior to wartime, a nation state would likely focus on distributing "capability" for disruption as a preparatory measure, for invocation at a later date. Although we do not have direct research in this area, we do have many supporting research notes. Please see the list below as a very comprehensive way to deal with both threat actor groups.