Threats come from everywhere, so you must deal with them as such.

by Lawrence Pingree | March 22, 2013

How great a threat does Gartner perceive state-sponsored cyber espionage to be?

Since Gartner does not track individual threats or actors, it is difficult to say for certain which attacks are state sponsored and which are not. The recent Mandiant report highlighted China as the threat actor. Gartner does not believe that the country of origin is as important as the protection mechanisms that must be in place.

What are the biggest threats, and from where do they originate?

Threats originate globally; in the hacker underground, the most sophisticated hackers most often originate from Russia. In general, a nation-state actor that targets you will likely be successful, since such actors are given the time and resources to breach your organization's security, with many capabilities beyond just cyber assets. Attribution of attacks is extremely difficult because counter-intelligence techniques can be used on the internet: spoofing source IPs, using proxy servers, using botnets to deliver attacks from other locations, and developers using keyboard maps of other languages. For example, a Chinese American or a European who understands Chinese but develops exploits for their own country makes attribution problematic or impossible.

In the recent report published by the company Mandiant, titled “APT1”, the hackers appear to originate in China. These threat actors were utilizing common forms of zero-day exploitation, botnets and other tools readily available in the underground hacking community. Given that they are using the same tools and capabilities as the underground hackers, it is most important to focus on generic security controls that protect against all of these attack capabilities. An organization should take a general approach to combat threats from any location and not focus on the country of origin. Gartner published a report last year titled “Network Security Monitoring Tools for ‘Lean Forward’ Security Programs” that calls out technologies that can assist in advanced targeted attack detection at the network layer.

What responses are organizations making?

I have written a report titled “Best Practices for Mitigating Advanced Persistent Threats” as a guide for raising the bar for prevention and detection of advanced forms of malware and targeted attacks; these technologies and security techniques are what organizations today are focusing on refining and deploying. The two primary attack vectors of choice for today's threat actors are malware, to gather unstructured data, and web-based attacks such as SQL injection, to grab structured data stored in databases. Malware can be handled by a number of technologies at the network layer and at the Windows endpoint. Web attacks can be addressed with a combination of intrusion prevention systems and web application firewalls. See the reports titled “Best Practices for Mitigating Advanced Persistent Threats” and “Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012” for advanced malware threats, and “Competitive Landscape: Web Application Firewall Market, Worldwide, 2012” for web application firewalls.
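To make the SQL injection vector concrete, here is an added Python example (written for this page, not code from the post or from any Gartner report). It runs the same tautology payload against a login query written the injectable way and against its parameterized form, and adds a minimal signature check of the kind a WAF or IPS applies in front of an application. The in-memory SQLite accounts table, the sample accounts, the payload and the regex are all constructed assumptions for illustration.

```python
"""Added example, not code from the original post or from Gartner: a login
lookup written the injectable way beside its parameterized form, plus a
minimal signature check of the kind a WAF or IPS applies in front of it.
The table, column names, sample accounts and payload are illustrative
assumptions constructed for this example."""
import re
import sqlite3

# Constructed sample data: the kind of structured, database-stored data the
# post says web attacks are used to grab.
SAMPLE_ACCOUNTS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]

# Classic tautology payload for the username field; the trailing "--" turns
# the rest of the statement (the password check) into a SQL comment.
INJECTION = "' OR '1'='1' --"

# Illustrative WAF-style pattern: quote-bounded OR tautology, SQL comment
# markers, or a stacked DROP. Deliberately narrow; real rule sets are far
# larger and still produce both false positives and bypasses.
SQLI_PATTERN = re.compile(
    r"(?i)('\s*or\s+'?\w+'?\s*=\s*'?\w+'?|--|/\*|;\s*drop\b)"
)


def build_db():
    """In-memory SQLite database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query: attacker-controlled input becomes SQL."""
    sql = (
        "SELECT username, email FROM accounts "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Bound parameters: the driver passes the values separately from the
    statement, so the input cannot change the statement's structure."""
    sql = (
        "SELECT username, email FROM accounts "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


def looks_like_sqli(value):
    """Signature check a WAF/IPS might apply to a request field. This is a
    detection layer, not a fix: parameterization above is what removes
    the vulnerability."""
    return SQLI_PATTERN.search(value) is not None


def demo():
    """Run the payload against both forms and return the observable results."""
    conn = build_db()
    return {
        # Injection succeeds: every account row comes back.
        "vulnerable_rows": login_vulnerable(conn, INJECTION, "anything"),
        # Same input against bound parameters: no row matches.
        "parameterized_rows": login_parameterized(conn, INJECTION, "anything"),
        # Legitimate credentials still work through the safe form.
        "legit_rows": login_parameterized(conn, "alice", "s3cret"),
        "waf_flags_payload": looks_like_sqli(INJECTION),
        "waf_flags_normal": looks_like_sqli("alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as a script, the vulnerable form dumps both sample accounts while the parameterized form returns nothing for the payload and still authenticates the legitimate user. The signature check flags the payload and passes the plain username, which is the division of labour the post describes: the WAF or IPS is the network-layer control in front of the application, and the parameterized query is the application-layer fix that removes the injection entirely.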

Are organizations in a regulated environment facing a greater threat?

Nation states do not often target structured data types such as financial data; however, disruption of a banking system or critical infrastructure can be akin to a nuclear attack if an entire banking, power or water delivery system is successfully disrupted. Government regulations target sensitive areas of the economy. Most attackers are financially motivated, and thus regulated environments such as financial organizations often face the largest threat from these actor groups. A nation state would likely consider disruption of critical infrastructure, rather than data acquisition, as an end goal during a time of war. Prior to wartime, a nation state would likely focus on distributing “capability” for disruption as a preparatory measure, to be invoked at a later date. Although we don't have direct research in this area, we do have many supporting research notes. Please see the list below as a very comprehensive way to deal with both threat actor groups.

Research:

- Best Practices for Mitigating Advanced Persistent Threats
- Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012
- Malware, APTs, and the Challenges of Defense
- Decision Point for Anti-malware
- Competitive Landscape: Web Application Firewall Market, Worldwide, 2012

Category: Security