ESG Brief
Addressing APTs and Modern Malware with Security Intelligence
Date: September 2013. Author: Jon Oltsik, Senior Principal Analyst.
Abstract: APTs first came on the scene in 2010, creating a wave of fear, hype, and activity. Many organizations
increased their spending on information security and believed they were making progress, but ESG research indicates
that nearly half of enterprise organizations are still regularly compromised by modern malware. While there is no
single solution to this problem, CISOs can improve the efficacy of their threat defenses and security operations by
integrating security intelligence into their security technologies and infrastructures. Webroot, a security intelligence
leader, is partnering with a number of security device vendors to offer a strong combination of modern malware
defenses and integrated security intelligence.
Overview
On January 12, 2010, Google announced that it had been the victim of a sophisticated cyber attack that resulted in a
compromise of Gmail account privacy. This announcement was a significant milestone in the annals of cybersecurity as it
introduced the world to the concept of advanced persistent threats (APTs). The (U.S.) National Institute of Standards and
Technology (NIST) uses the following description to define the term “APT:”
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create
opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).
These objectives typically include establishing and extending footholds within the information technology
infrastructure of the targeted organizations for purposes of exfiltrating (i.e., transporting it from internal
networks to external drop servers) information, undermining or impeding critical aspects of a mission, program,
or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i)
pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and
(iii) is determined to maintain the level of interaction needed to execute its objectives.
As if the Google incident weren’t enough, it was soon discovered that other well-known organizations—such as Adobe
Systems, Morgan Stanley, Northrop Grumman, and Yahoo—were also APT targets. This pattern of attacks sent a chill
through the cybersecurity community. Alarmed by new adversaries and tactics, enterprise organizations reacted with a
range of activities: CEOs got more involved with cybersecurity discussions, CISOs actively assessed the capabilities of
their security defenses, and IT operations teams modified processes to better address vulnerabilities. APTs also had a
direct impact on IT investment. According to ESG research, 77% of large organizations intended to increase their security
spending on security hardware, software, services, and training in order to provide better overall protection against APT
attacks (see Figure 1) [1].
[1] Source: ESG Research Report, U.S. Advanced Persistent Threat Analysis, November 2011.
© 2013 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Figure 1. Change in IT Security Spending as a Result of APTs
To what extent, if any, do you believe APTs will change your organization's annual spending on security hardware, software, services, and training? (Percent of respondents, N=244)
• APTs will cause us to increase security spending by more than 10%: 11%
• APTs will cause us to increase security spending by 6% to 10%: 32%
• APTs will cause us to increase security spending by 1% to 5%: 35%
• No increase: 16%
• Don't know/too soon to tell: 7%
Source: Enterprise Strategy Group, 2013.
Enterprise Organizations Remain Vulnerable to APTs
In 2011, ESG published a research report titled, U.S. Advanced Persistent Threat Analysis. The data presented in this
report was consistent with the description above: Enterprises understood the risks associated with APTs and were taking
actions to mitigate this risk.
Yes, large organizations had the best of intentions, but many enterprises remain vulnerable to APTs, as well as more
pedestrian malware attacks. In fact, recent ESG research indicates that 49% of large organizations have experienced a
successful malware attack over the past two years. In this case, “successful” means that the malware compromised an IT
asset which had some type of impact on the organization (i.e., remediation activity, data theft, damage to the company
brand, etc.). The research also revealed that 22% of the affected organizations suffered more than 25 security breaches
as a result of malware.
There seems to be some type of disconnect here. If large organizations took proactive measures to address APTs over
the past few years, why are they still experiencing so many malware attacks and related security breaches? There are
several reasons:
• Signature-based defenses cannot keep up with malware volume and sophistication. Malware defenses are
often based upon signature-based endpoint security software, antivirus gateways, and IDS/IPS devices
installed on the network. These defenses are still useful, but the development cycle for anti-malware
signature development (i.e., discover, analyze, develop, test) can no longer keep up with malware volume
and sophisticated malware techniques like encryption, packing, and polymorphic malware. Many security
researchers point to an alarming correlation: As malware becomes more sophisticated, many signature-based
security defenses become less effective.
• Modern malware is built to exploit gaps in security defenses. As opposed to early mass-mailer viruses and
Internet worms that disrupted networks and business processes, modern malware is designed to blend into
the IT background as it compromises multiple systems, performs network reconnaissance, steals user
credentials, and exfiltrates sensitive data. These activities tend to look like normal network and system
behavior to a wide variety of security prevention and detection tools. Patient adversaries are willing to let
APTs play out over months or years in order to reach their ultimate goals.
• Many security professionals don't really understand modern malware techniques. An enterprise security
team is a busy group that is called upon to secure the network and put out security fires constantly. In many
cases, day-to-day responsibilities get in the way of additional training. As a result, many security
professionals don't really understand today's cybersecurity adversaries, the cybercrime market, or modern
malware techniques. Recent ESG research illustrates this issue. In spite of widespread APT publicity since the
Google Aurora attack in 2010, only 11% of enterprise security professionals are very familiar with the APT
lifecycle. Alarmingly, 44% are either not very familiar or not at all familiar with the APT lifecycle (see Figure
2) [2]. In spite of security professionals' intentions, it is simply impossible to defend against malware tactics
that they don't really understand.
Figure 2. Familiarity with Lifecycle for APTs and Targeted Attacks
Security researchers have identified a lifecycle for APTs and targeted attacks that includes the following phases: initial compromise, establish foothold, escalate privileges, internal reconnaissance, lateral movement, and data exfiltration. How familiar are you with this APT/targeted attack lifecycle? (Percent of respondents, N=315)
• Very familiar: 11%
• Familiar: 44%
• Not very familiar: 39%
• Not at all familiar: 5%
Source: Enterprise Strategy Group, 2013.
What’s Needed?
Unfortunately, no magic bullet can eliminate modern malware threats, so CISOs must assess and address weaknesses
across security personnel, processes, and technology. Furthermore, even organizations with strong security skills and
resources should be open to enhancing internal capabilities with third-party help.
Along these lines, ESG has found that many leading security organizations are supplementing homegrown security
efforts with external security intelligence for analysis and proactive remediation. According to ESG research, 29% of
security professionals believe that commercial threat intelligence is highly effective in helping their organizations
address risk, while another 66% claim that commercial threat intelligence is somewhat effective in helping their
organizations address risk (see Figure 3) [3].
[2] Source: ESG Research Report, Advanced Malware Detection and Prevention Trends, September 2013.
[3] Source: ESG Research Report, The Emerging Intersection Between Big Data and Security Analytics, November 2012.
Figure 3. Effectiveness of Commercial Threat Intelligence to Help Organizations Address Risk
How effective is commercial threat intelligence in terms of helping your organization address risk? (Percent of respondents, N=143)
• Highly effective: 29%
• Somewhat effective: 66%
• Not very effective: 6%
Source: Enterprise Strategy Group, 2013.
When used in a proactive manner, security intelligence can act as a countermeasure for APTs and sophisticated
malware. This can be done by:
• Blocking phishing sites used for malware proliferation and credential harvesting. Cybercriminals often rely
on phishing sites for malware distribution and for obtaining access credentials for other resources within an
organization. Leading security intelligence technology uses advanced machine learning and extensive
analysis to identify phishing sites, manipulated URLs, and malicious behaviors. This intelligence can be
integrated into endpoint security software and gateway devices to block known phishing sites and
counteract initial malware proliferation.
• Detecting and blocking known malicious IP addresses. Some hackers go out of their way to disguise their
locations and may even vary attack types emanating from various servers, but it is not unusual for black hats
to use the same systems as core infrastructure for a variety of malicious activities. Strong IP reputation
intelligence can correlate these activities, identify bad actors, and create dynamic black lists. This
intelligence can be added to endpoint security and perimeter security appliances in order to prevent any
communications with these malicious servers.
• Using web reputation for blocking command-and-control (C&C) communications and data exfiltration.
Cybercriminals often use compromised websites for malware distribution, C&C, or as staging areas for data
exfiltration. While it is no easy task to keep track of hundreds of millions of websites and billions of URLs,
leading security intelligence constantly reevaluates websites to identify new web threats. When integrated
with endpoint and gateway defenses, this intelligence can help protect users from accessing compromised
domains and malicious URLs.
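The three uses above (phishing domains, malicious IP ranges, and compromised URLs on otherwise legitimate sites) all come down to the same gateway check: match each outbound request against the current feed and block on a live hit. The following is an added example, not code from the brief or from any Webroot or partner product; the feed entries, proxy log lines, indicator categories and the 30-day expiry are constructed for illustration. It shows two details a practitioner has to get right that the text only implies: a URL indicator must match a specific page without condemning the whole host, and a stale verdict (here the `cdn.example.org` entry) must stop blocking once the feed has not reconfirmed it.

```python
"""Reputation-feed lookup over proxy log lines (constructed example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# Fixed "now" so the example is reproducible; a real gateway uses the wall clock.
NOW = datetime(2013, 9, 15, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=30)  # assumed policy: verdicts older than this no longer block


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "cidr", "domain" or "url"
    value: str
    category: str    # "phishing", "c2", "malware_host" (constructed labels)
    last_seen: datetime  # when the feed last reconfirmed the verdict


# Constructed feed. Addresses are from documentation ranges; domains are reserved names.
FEED = [
    Indicator("ip", "203.0.113.7", "c2", NOW - timedelta(days=2)),
    Indicator("cidr", "198.51.100.0/24", "malware_host", NOW - timedelta(days=1)),
    Indicator("domain", "login-verify.example", "phishing", NOW - timedelta(days=3)),
    Indicator("domain", "cdn.example.org", "c2", NOW - timedelta(days=60)),  # stale
    Indicator("url", "http://news.example.com/wp-content/uploads/x.php",
              "malware_host", NOW - timedelta(hours=5)),  # one bad page on a clean site
]

# Constructed proxy log: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = [
    "2013-09-15T11:58:03Z 10.1.2.33 GET http://www.Login-Verify.example/owa/auth.php 200",
    "2013-09-15T11:58:09Z 10.1.2.33 POST http://203.0.113.7:8080/gate.php 200",
    "2013-09-15T11:59:41Z 10.1.2.57 GET http://198.51.100.23/update.bin 200",
    "2013-09-15T11:59:50Z 10.1.2.57 GET http://cdn.example.org/jquery.js 200",
    "2013-09-15T12:00:01Z 10.1.2.90 GET http://news.example.com/wp-content/uploads/x.php?id=1 200",
    "2013-09-15T12:00:05Z 10.1.2.90 GET https://intranet.example.com/ 200",
]


def is_expired(ind: Indicator, now: datetime) -> bool:
    return now - ind.last_seen > MAX_AGE


def _host_candidates(host: str) -> list[str]:
    """The host and each parent domain, never a bare top-level label."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def lookup(url: str, feed: list[Indicator], now: datetime) -> Optional[Indicator]:
    """Return the live indicator that covers this URL, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""            # lower-cased, port stripped by urlsplit
    norm_url = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"  # query ignored
    live = [i for i in feed if not is_expired(i, now)]

    # 1. Exact URL: catches a malicious page without blocking the whole site.
    for ind in live:
        if ind.kind == "url" and ind.value == norm_url:
            return ind
    # 2. Literal IP destination: exact address, then CIDR ranges.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for ind in live:
            if ind.kind == "ip" and ipaddress.ip_address(ind.value) == addr:
                return ind
        for ind in live:
            if ind.kind == "cidr" and addr in ipaddress.ip_network(ind.value, strict=False):
                return ind
        return None
    # 3. Domain, then its parents (a phishing host under a listed domain still matches).
    for cand in _host_candidates(host):
        for ind in live:
            if ind.kind == "domain" and ind.value == cand:
                return ind
    return None


def parse_log_line(line: str) -> dict:
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def evaluate(lines: list[str], feed: list[Indicator] = FEED, now: datetime = NOW) -> list[tuple[str, str, str]]:
    """For each log line return (url, verdict, reason); verdict is 'block' or 'allow'."""
    results = []
    for line in lines:
        rec = parse_log_line(line)
        hit = lookup(rec["url"], feed, now)
        if hit is None:
            results.append((rec["url"], "allow", "no live indicator"))
        else:
            results.append((rec["url"], "block", f"{hit.category} via {hit.kind} {hit.value}"))
    return results


if __name__ == "__main__":
    for url, verdict, reason in evaluate(SAMPLE_LOG):
        print(f"{verdict:5} {url}  ({reason})")
```

The ordering in `lookup` matters: a URL indicator is checked before the domain walk so that a compromised page on `news.example.com` is blocked while the rest of that site stays reachable, and expired entries are filtered out before any matching so a host the feed stopped reconfirming two months ago does not keep generating blocks. In a real deployment the feed is pulled on a schedule and the expiry window follows the vendor's own refresh guidance rather than the assumed 30 days here.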
CISOs should start with strong malware technology controls that act as a layered defense across endpoints, servers, and
networks. Security intelligence should be integrated into these controls to create dynamic defenses that automatically
adjust to a changing threat landscape. Security professionals must remain vigilant as stealthy malware will still
circumvent strong security controls and integrated security intelligence from time to time. Nevertheless, integrated
security intelligence can certainly help CISOs decrease risk and automate remediation actions.
Webroot Security Intelligence Partnering Program
How can security intelligence be integrated into an enterprise security infrastructure? CISOs can cobble a solution
together, but it would certainly be easier to purchase security technologies that already interoperate with leading
security intelligence feeds. Webroot, a threat intelligence leader, is pursuing this latter option by partnering with leading
security device manufacturers like Cisco, F5 Networks, and Palo Alto Networks. Webroot’s IP reputation, web
reputation, and real-time anti-phishing services provide vendors valuable intelligence for identifying and preventing APT
attacks. With more enterprises using security intelligence for risk mitigation, ESG believes that other endpoint and
network security technology vendors would be wise to knock on Webroot’s door.
The Bigger Truth
It’s time for enterprise CISOs to face facts. Cybercriminals are highly skilled, extremely organized, and well-funded. In
too many cases, cybercrime does pay. No one can hide from today’s cyber attacks; they are ubiquitous and increasingly
damaging.
Enterprises can no longer rely on manual processes, point tools, and over-worked security professionals for proper
protection. They need help and they need it now. Smart CISOs should consider:
• Modern malware defenses that use heuristics, advanced machine learning, and algorithms (as well as
signatures) for malware detection.
• A defense-in-depth security architecture that helps protect the network at each phase of the APT lifecycle.
• Integrated security intelligence for dynamic risk management.
Large organizations will still need leading-edge security analytics and a number of highly skilled security analysts, but this
combination of defenses should certainly help lower risk and streamline security operations.
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy
Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This
publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy
format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S.
copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client
Relations at 508.482.0188.