For Security & Risk Professionals
Forrester’s Targeted-Attack Hierarchy Of Needs: Assess Your Core Capabilities

Targeted Attacks Undermine Customer Trust And Company Profits

The year of the breach has transitioned to the decade of the breach, as cybercriminals seemingly have the ability to compromise organizations at will. Far too many companies first learn of their breaches after security reporter Brian Krebs has written about them.1 In addition, within the reams of NSA documentation leaked by former defense contractor Edward Snowden is the revelation that state-affiliated adversaries have developed astounding cyberespionage capabilities. In fact, with adversary capabilities at an all-time high, we are in a golden age of cyberespionage. Despite our significant investment in resources, we seem to be taking one step forward and two steps back.

Target is yet another breach in a long line of high-profile breaches. The Target intrusion and subsequent loss of 70 million credit cards is precisely what a company doesn’t want to have happen at a time when customers have become incredibly powerful. Social media has magnified the voice and extended the reach of every customer, and technology has made it remarkably easy for every customer to buy from anyone at any time, anywhere.2 To attract and retain customers, you must provide a superior customer experience at every step of their engagement, and that experience rests on trust. When customers lose confidence in an enterprise’s commitment and ability to protect their privacy and personal data, both trust and the customer relationship erode.

The breach had a significant impact on Target and its customers. Target’s stock fell almost 14% after reports of the breach surfaced in December 2013. Year-over-year Q4 profits were down by 46%. Target incurred $146 million in data-breach-related expenses.
Gregg Steinhafel, former chairman, president, and chief executive officer of Target, knew that to be successful in the age of the customer, Target must rebuild trust with its customers.3 On Target’s Q4 2013 earnings call he said: “We have put the welfare of our guests at the center of every decision we’ve made. . . . We continue to listen to our guests, and we know that this incident and recent security breaches at other companies have shaken their confidence in both Target and the US payment system more broadly.”4

Targeted Attacks Are The New Normal

No executive from any company or agency wants to have to make a statement like this. The attack against Target was just one of many attacks focused on a specific organization. There has been a dramatic increase in targeted attacks since 2005 (see Figure 1). In 2014 alone, CyberFactors tracked 594 targeted attacks and just 45 broad attacks.5 One of the hallmarks of a state-affiliated targeted attack is the zero-day exploit. In a recent Ponemon Institute/IBM Trusteer study, 68% of the respondents indicated that zero-day attacks are their organization’s greatest threat.6

The semantics of targeted attack discussions are important, so to be clear, Forrester defines a targeted attack as one in which a threat actor is targeting a specific organization. Forrester groups threat actors into state actors, hacktivists, and cybercriminals.7 The intentions and capabilities of threat actor groups obviously vary, and not all targeted attacks are state-affiliated. State-affiliated actors have capabilities that far exceed any other threat actor group, but over time, other threat actors do adopt their techniques. There are two common attack vectors seen in targeted attacks: phishing and watering holes.
Figure 1: Targeted attacks outnumber and outpace broad attacks*

[Figure: a chart of the number of targeted attacks versus the number of broad attacks per year, ’03 through ’14 (y-axis 0 to 1000), with callouts for zero-day exploits, PII and IP as targeted data, phishing, and watering hole/strategic web compromise.]

• 68% of IT and IT security practitioners who have involvement in defensive efforts to prevent or detect APTs launched against their organizations say zero-day attacks are their organization’s greatest threat.†
• More than 78% of all attacks tied to state-affiliated espionage employed phishing.‡
• Watering hole/strategic web compromise: compromised websites include The Council on Foreign Relations, Thirty Nine Essex Street, and the US Department of Labor.

*Source: CyberFactors, a wholly owned subsidiary of CyberRiskPartners and sister company of CloudInsure.
†Source: Ponemon Institute, “The State of Advanced Persistent Threats,” Ponemon Institute Research Report, December 2013 (http://buildingtrust.trusteer.com/Ponemon_Study_December_2013).
‡Source: “2014 Data Breach Investigations Report,” Verizon (http://www.verizonenterprise.com/DBIR/2014/).

Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.
© 2015, Forrester Research, Inc. Reproduction Prohibited. January 7, 2015