ADVANCED THREATS SUMMIT 2012
KEY FINDINGS
November 2012
In September 2012, RSA, The Security Division of EMC, hosted its second annual Advanced Threats Summit, an invitation-only meeting that brought together leading security thinkers and practitioners from government and business to share strategies for combating advanced threats: targeted cyber attacks conducted by technically sophisticated adversaries.
More than 100 security and risk management executives
participated in this year’s Summit. The closed-door meeting
focused on providing actionable strategies for detecting and
profiling advanced attacks and adversaries, and defeating them
before losses occurred. Delegates at the Summit shared diverse
perspectives and guidance regarding layered defenses,
adversarial kill chain analysis, mobile risks, external threat
intelligence and big data analytics for enhancing organizations’
attack detection and incident response capabilities.
Reflecting the intensification of threat conditions over the past
year, discussion themes at this year’s Summit were deeper and
more varied than at last year’s inaugural event. A couple of
themes, however, remained consistent. First, delegates affirmed
that detecting and mitigating threats quickly is a far more realistic
and productive goal than trying to prevent all breaches. Second,
delegates said threat information-sharing and collaboration remains an urgent and largely unmet need for the security community.
Delegates said they valued the Summit as a forum for sharing
information about advanced threats and for stimulating new
insights into how their organizations can combat them. This
document highlights recurring themes and important observations
from Advanced Threats Summit 2012.
RSA Security Brief
ADVANCED ATTACKS RISE IN FREQUENCY AND SOPHISTICATION
More than 75 percent of Summit delegates polled at the event said that advanced cyber attacks on their organizations had increased over the past year, with 31 percent of all respondents reporting attacks had “increased dramatically.” The rise in attacks is perhaps unsurprising, given that nation-states and other well-organized adversaries continue to hone their tools and techniques for waging cyber attacks. As these tools and techniques improve, advanced adversaries increasingly regard the cyber vector as a comparably convenient and cost-effective way to acquire valuable information and fulfill their intelligence-gathering requirements.
Cyber adversaries are also using more sophisticated techniques to perpetrate their crimes, including by:
• Injecting malware to run attacks directly from memory, including decrypting data in memory;
• Employing new rootkits to change data and logs to help mask illicit activities and prolong their presence in sensitive systems;
• Exploiting application logic in software platforms, possibly by gaining access to source code;
• Attacking high-value targets by first compromising parts of their information supply chains; and
• Using distributed denial-of-service attacks or other noisy diversionary tactics to hide more serious illicit activity.
Summit delegates from the financial services industry noted that criminal actors are becoming more ambitious in the amounts stolen through fraudulent wire transfers. Delegates theorized that criminal groups are using stolen funds—sometimes amounting to the millions—to underwrite other cyber attacks and criminal endeavors.
Sidebar poll: Which of these prospective adversaries pose the greatest cyber threat to your organization?
Nation states: 43.5%
Organized crime groups: 31.0%
Rogue insiders: 18.0%
Hacktivists: 7.5%
From Advanced Threats Summit 2012 on-site audience poll
ADVERSARIES ALLY TO GET SMARTER, BETTER, FASTER
Summit delegates who see threat intelligence from broad cross-sections of organizations
have observed adversaries’ capabilities improving at suspiciously fast rates. This
prompted some to theorize that nation states and criminal groups may be sharing
technologies and training each other. Criminal groups may be farming out their cyber
skills to nation states, creating classes of cyber mercenaries. Nation states are rumored
to be buying compromised log-in credentials and intelligence on zero-day vulnerabilities
to advance their attack capabilities. Nation states and their state-owned companies may
also be working together on cyber attacks to gather competitive intelligence and
misappropriate intellectual property.
Some Summit delegates also reported discovering evidence of collaboration between rogue insiders and criminal groups, as well as between insiders and hacktivists. This approach aligns with traditional pre-Internet-era intelligence-gathering methods used by nation states, criminal groups and other actors.
ORGANIZATIONS RATE ADVANCED THREATS A TOP SECURITY CONCERN
Approximately 93 percent of Summit delegates have invested in countering advanced threats, with 60 percent of all respondents describing advanced threats as a “topmost security concern” that they’re “very focused” on combating.
Despite advanced threats rising as a chief concern, only 20 percent of all delegates responding to the Summit’s on-site poll characterized themselves as “highly effective” in defeating attacks from advanced adversaries. About 39 percent of respondents characterized their organizations as vulnerable, and 37.5 percent of respondents characterized their organizations as having shown some proficiency in defeating advanced attacks.
Sidebar poll: Rate your organization’s ability to counter advanced threats
Highly vulnerable: 14.0%
Somewhat vulnerable: 25.0%
Not sure: 3.5%
Somewhat effective: 37.5%
Highly effective: 20.0%
From Advanced Threats Summit 2012 on-site audience poll
CYBER THREATS WIDEN THEIR LEAD ON CYBER LEGISLATION
The gap is growing between cyber threats and the legislation to address them. Summit participants expressed frustration with Congress’s inaction in updating laws to reflect the Digital Age and in lowering barriers to sharing threat information.
Despite greater awareness of cyber threats among members of Congress and bipartisan cooperation on the issue, cyber legislation is stalled. Congress is considering forming bicameral committees on cyber threats. The specter of regulation, however, elicits a “radioactive” response among many legislators: they’re reluctant to introduce a new regulatory authority for cyber threats, preferring to implement cyber regulations through the existing regulatory agencies (e.g., nuclear, energy, communications). Additionally, the government is shaping security practices by including new and potentially disparate cyber security requirements in Department of Defense and other federal contracts.
INTELLIGENCE SHARING REMAINS ELUSIVE
Challenges in exchanging threat intelligence were a recurring theme throughout the
Summit. While sharing with external parties remains challenging, some delegates said it
could also be difficult to share threat information internally with other parts of their own
organizations. Some also questioned whether the mere act of sharing devalues
intelligence by raising the risk of data leakage outside the trusted community.
Delegates repeatedly discussed the need to create and consume indicators of
compromise faster—machine to machine. Some delegates pointed out, however, that
threat intelligence is not just about sharing indicators of compromise; it’s also about
cultivating knowledge of adversaries’ techniques and tradecraft. Because such knowledge cannot be neatly expressed in machine-readable form, delegates believe there will always be a need for person-to-person intelligence sharing.
THREAT ANALYSTS AND DATA SCIENTISTS WANTED
Skilled security talent with experience in advanced threats is scarce. About 59 percent of
Summit delegates cited skills shortages as their organizations’ “greatest deficiency in
detecting and defeating advanced threats.” Summit delegates observed that everyone in
the room was vying for the same type of talent: people experienced in advanced threat
techniques, data science and predictive analytics.
SOCS PREFER CULTIVATING IN-HOUSE CAPABILITIES TO
OUTSOURCING
Despite the difficulty in finding experienced security talent, only 32 percent of those at
the Summit planned to fill their needs by partnering with external service providers and
consultants; 63 percent said they intended to fill their needs in-house. These preferences
may not represent the security community at large, however, since Summit participants
come from many of the world’s most advanced security operations centers (SOCs) and
are thus less likely to outsource security functions.
Summit delegates conceded it makes sense in some cases to work with an ecosystem of
partners to address specific deficiencies within their SOCs. Delegates saw value in using
managed security service providers (MSSPs) as “information sharing factories” that could
help enhance threat detection by analyzing incidents across a spectrum of customers.
MSSPs could also achieve economies of scale in processing external intelligence feeds or in performing specific tasks, such as malware analysis, to augment internal capabilities.
Summit delegates said security concerns are impeding IT outsourcing. Chief among their
concerns is the lack of real-time visibility into the security performance of service
providers. Summit delegates decried prevailing practices for proving performance, saying
SLAs and contracts are useful after the fact only to attorneys. Delegates called for service
providers to not just report performance but show how they’re doing, perhaps through an
appliance or interface that lets organizations monitor changes in the supplier’s security
posture in real time.
EXPLOIT ADVERSARIES’ PERSISTENCE TO GAIN INTEL
Security teams can take advantage of cyber adversaries’ desire to remain within target IT
systems to study attackers’ behaviors and techniques. The more an adversary tries to
infiltrate systems, the more opportunities a SOC has to gather indicators. By analyzing
attackers’ progression through the “kill chain”—the necessary attack phases adversaries
must go through to achieve their objectives—SOCs can pick up on subtle, recurring
indicators to help detect and disrupt subsequent attacks using similar techniques.
LAYERED DEFENSES AND DETECTION REACH NEW DEPTHS
Organizations with experience successfully countering advanced threats say layered
defenses are essential to success: they make it difficult and costly for cyber adversaries
to execute their attacks. Summit delegates discussed security practices such as dynamic segmentation with virtual desktop infrastructure (VDI) and network admission control (NAC).
Summit delegates also advocated for taking a broader view of detection: catching threats
at their point of intrusion is only one of several opportunities in an attack sequence for
SOCs to uncover threats and prevent damage. SOCs can extend detection capabilities to
look for changes in their systems, hunt for command-and-control activity and examine
installations of executables.
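As an added illustration of the multi-phase detection described in the two sections above (this is not code from the brief or from RSA), the following script scores constructed host telemetry for two kill-chain phases, installation of executables and command-and-control beaconing, and flags hosts showing recurring indicators in more than one phase; the event format, thresholds and sample data are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample telemetry (host, timestamp in seconds, event kind, detail).
# Not from the brief: built here to show detection at several kill-chain phases.
EVENTS = [
    ("ws-17", 100, "exec_install", "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe"),
    ("ws-17", 160, "http", "203.0.113.9"),
    ("ws-17", 460, "http", "203.0.113.9"),
    ("ws-17", 760, "http", "203.0.113.9"),
    ("ws-17", 1060, "http", "203.0.113.9"),
    ("ws-42", 120, "http", "198.51.100.5"),   # ordinary browsing: irregular gaps
    ("ws-42", 1900, "http", "198.51.100.5"),
    ("ws-42", 2410, "http", "198.51.100.5"),
    ("ws-42", 2500, "http", "198.51.100.5"),
]
# User-writable locations where a freshly installed executable deserves a look.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")

def installation_indicators(events):
    """Installation phase: executables written to user-writable directories."""
    hits = defaultdict(set)
    for host, _, kind, detail in events:
        if kind == "exec_install" and any(d in detail.lower() for d in SUSPICIOUS_DIRS):
            hits[host].add(("installation", detail))
    return hits

def beacon_indicators(events, min_hits=4, max_jitter=0.1):
    """C2 phase: near-periodic outbound contacts to one destination (beaconing)."""
    contacts = defaultdict(list)
    for host, ts, kind, detail in events:
        if kind == "http":
            contacts[(host, detail)].append(ts)
    hits = defaultdict(set)
    for (host, dest), times in contacts.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits:
            mean = sum(gaps) / len(gaps)
            # A coefficient of variation near zero means a fixed check-in interval.
            if mean > 0 and pstdev(gaps) / mean <= max_jitter:
                hits[host].add(("c2", dest))
    return hits

def correlate(events, min_phases=2):
    """Flag hosts with indicators in at least min_phases distinct kill-chain phases."""
    merged = defaultdict(set)
    for finder in (installation_indicators, beacon_indicators):
        for host, inds in finder(events).items():
            merged[host] |= inds
    return {h: sorted(i) for h, i in merged.items() if len({p for p, _ in i}) >= min_phases}
```

A single weak signal (one temp-directory executable, one regular poller) is noise on its own; requiring indicators from two phases is what makes the alert worth an analyst's time.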
BIG DATA YIELDS BIG INSIGHTS
Security leaders at the Summit showcased examples of data analytics being used to enhance IT situational awareness. One Summit delegate said his SOC used data analytics to help identify newly compromised systems, usually within 30 to 60 minutes. If attacks can be detected and disrupted within that period, it’s highly unlikely adversaries would have had sufficient time to execute their plans.
Also, applying data analytics to security can help compensate for shortcomings in signature-based detection systems by analyzing vast volumes of data to assess risks and to pinpoint potential problems for further investigation. Summit delegates said the ability to reconstruct network sessions is especially helpful in improving defenses, because it allows security analysts to study adversaries’ techniques and the progression of attacks. Representatives from the financial services industry mentioned they were also applying big data analytics to uncover illicit insider activity.
Sidebar poll: What’s your biggest deficiency in detecting and defeating advanced threats?
Technology for early detection and attack containment: 21%
In-house analysts experienced in advanced threat techniques, data science or predictive analytics: 49%
Deeper threat expertise (we are turning to external consultants/service providers): 10%
External threat intelligence to improve our understanding of the threat environment: 20%
From Advanced Threats Summit 2012 on-site audience poll
BREACH PREVENTION PROGRAMS FOCUS ON PEOPLE
Many of the preventative security measures discussed at the Summit focused on people, not systems. Delegates generally observed a trend toward treating internal employees as “a less-trusted space.” Some delegates said their organizations conduct phishing attacks against employees as a way of fostering security awareness. Organizations are also reducing administrator privileges among IT staff. They’re testing mobile security technologies on senior executives rather than beginning with lower-level employees, because executives often have the most valuable data to protect and the newest devices. They’re limiting access to social media and proscribing the posting of job descriptions and titles on LinkedIn to make it harder for employees to be spear-phished.
MOBILE SECURITY MUST SCALE TO POTENTIAL RISKS
Security teams tend to view mobile security as a field fraught with new, unique challenges. Delegates found that calibrating users’ expectations was often the biggest challenge in implementing mobile security practices. Users expect everything on mobile devices to be fast and easy; it’s hard for them to accept that mobile security controls must scale to potential risks.
To the extent possible, organizations should implement technologies that keep corporate data on servers rather than on devices. The goal is to control data, regardless of where it is. VDI, applications based on HTML5 and the practice of driving mobile traffic through centralized clouds with built-in data controls were all cited at the Summit as promising techniques for enhancing mobile enterprise security.
LEVERAGE CORPORATE POLICIES TO WIN C-SUITE ADVOCATES FOR SECURITY
As corporate boards of directors take a greater interest in cyber security risks and their reputational and business impact, security executives are increasingly expected to report on their programs to address advanced threats. Security leaders should frame strategic initiatives within the context of their organizations’ policies. Boards of directors and top executives do not want to have a “how to” discussion; they want to understand “what” the security team aspires to do and the potential results or consequences of those actions. Execution happens in committees, with the chair reporting progress to the board. Also, to win top-level support of security initiatives, it helps to quantify hypothetical consequences—especially public relations and reputational impact—and to include external viewpoints and best practices.