The book "Advanced Persistent Threats: How to Manage the Risk to Your Business" is a good overview of advanced persistent threats (APTs) that lays out a framework for addressing the risk they pose. The book provides enough detail to give any practitioner the starting points for additional research.

As with most ISACA publications, the book takes a risk-based approach to the APT problem so that it can be used as a guide to help information security professionals build the business case for the resources to address their APT risk.

Here is an excerpt:

APT malware is becoming increasingly sophisticated and the organizations that exploit it are becoming better resourced. Many of the attacks discovered in recent years were the results of developments conceived around a decade ago, and they were not detected for several years. Based on these precedents, we must assume that there is a new generation of sophisticated and stealthy attacks in operation.

Over the next decade we can also expect to see real cyberconflicts between nations or communities, as well as the emergence of terrorists with APT capabilities. Targets are also likely to extend farther down the supply chain to encompass smaller contractors and software suppliers. In addition, attacks will become better planned because their perpetrators build on knowledge gained from previous attacks and exploit intelligence gained from increasing use of social networks by company staff and customers.

Security technology will certainly improve, but in the absence of any major breakthroughs it is likely to be little more than enhanced versions of the tools we already have today. Network management and incident response capabilities will also improve as enterprises develop or purchase the services of security operations centers with enhanced monitoring, mining, and command and control capabilities.

Both senior information security executives and junior staff can learn something from reading the publication. Depending on one's experience and job focus, I would expect some sections to be skimmed while others are researched in depth. Even though many organizations struggle to keep up with their regulatory and compliance demands, and may therefore feel that addressing APT is beyond their maturity level, the publication is still worth reviewing: it gives information security teams additional strategies and context for whatever task they are currently working on.

The book's approach to APT is to apply defense in depth and to use a risk-based approach to justify the defense in depth controls that are applied. While a theoretical model for addressing APT should be comprehensive, information security and governance, risk and compliance (GRC) practitioners will still have to make the hard decision of how much to spend, based on their organization's appetite for risk.

(About the author: Patrick Hanrion is an analyst and expert reviewer with ISACA. This post originally appeared on his ISACA blog.)
