
Targeted attacks: what they are, why they succeed, and how to stop them

February 17, 2013

Cyber attacks on the internet fall into two basic categories: random and targeted. Random attacks are by far the most prevalent, mainly because they are easy to mount and can be largely automated. They do not seek high-value targets; they seek a high volume of targets. Spam, scam and phishing campaigns are typical examples.

Targeted attacks are aimed at a specific person, company or organization, and the targets are chosen for their value. “There are numerous motives,” explains David Emm, a senior security researcher at Kaspersky Lab. “These include theft of confidential data, cyber-espionage, political or social protest, and sabotage.” Cyberwarfare, an emotive term that is nevertheless accurate, is a clear example of the targeted attack: destructive malware such as Stuxnet and Wiper is meant to affect only its prime target, not to cause collateral damage.

(Denial of service attacks against specific companies or services are an example of automated targeted attacks that are not part of this discussion.)

A targeted attack will usually involve one or more highly skilled cybercriminals. It will frequently, although not necessarily, be an advanced persistent threat, or APT. There are many definitions of ‘APT’, but it is essentially a targeted attack by a competent and determined adversary willing to take as long as necessary to achieve his purpose. Such an adversary is very difficult to defend against.

The initial breach
Key to any attack is the initial breach. A study by Trend Micro in November 2012 found that 91% of APT attacks began with a successful email-based spear-phishing attack, and that 94% of those spear-phishing emails carried a malicious attachment. Clearly, the best way to combat a targeted APT attack is to understand and mitigate spear-phishing before the attackers get into the network.

Email spear-phishing is the use of personalised emails sent to an individual or small group of related individuals, engineered to persuade the recipient to open an attachment or click a link. It is part of what Trend Micro terms the ‘pre-infiltration’ phase of a targeted attack.

First the attacker researches, or profiles, the target. This is relatively simple: Facebook, LinkedIn, Twitter and a simple Google search, reinforced by the personal data scattered across the target organization's own website, combine to provide a detailed personal picture. From this the spear-phishing email is constructed. The content might be fashioned around an individual's personal interests or a subject that will appeal to the whole target group (an internal salary review, perhaps); the sender address will be forged; and the malware will be disguised as an innocuous document and attached. The attackers will have tested the malware against as many anti-virus products as possible and selected a variant with the greatest chance of remaining undetected.
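The indicators just described (a forged sender, a lure built around the target's interests, malware disguised as a document) can be checked mechanically at the mail gateway or during triage. What follows is an added example, not code from the original article or from any of the vendors it quotes. It parses a raw message with Python's standard email package and flags a Return-Path or Reply-To domain that does not match the From domain, a display name that shows a different address from the real mailbox, an attachment with an executable double extension, and attachment content that starts with the Windows PE magic bytes while being declared as a document type. The sample message, its domain names, and the extension and MIME-type lists are constructed for this example and are assumptions, not a complete policy.

```python
"""Added example (not code from the original article): a small triage check for
the spear-phishing indicators the article describes. The sample message, the
domains and the extension and MIME-type lists are constructed assumptions."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows will execute, and document extensions a lure hides behind (illustrative).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".hta"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}
# MIME types under which a PE file may legitimately be declared (illustrative).
PE_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/vnd.microsoft.portable-executable", "application/octet-stream"}


def _first_mailbox(msg, header):
    """Return (display_name, domain) for the first mailbox in a header, or ('', '') if absent."""
    value = msg[header]
    if value is None:
        return "", ""
    if getattr(value, "addresses", ()):          # structured address header (From, Reply-To)
        addr = value.addresses[0]
        return addr.display_name, addr.domain.lower()
    name, addr = parseaddr(str(value))           # unstructured header such as Return-Path
    return name, (addr.rsplit("@", 1)[-1].lower() if "@" in addr else "")


def check_message(raw):
    """Return a list of indicator strings found in the raw RFC 5322 message text."""
    msg = message_from_string(raw, policy=policy.default)
    indicators = []

    display_name, from_domain = _first_mailbox(msg, "From")
    _, return_path_domain = _first_mailbox(msg, "Return-Path")
    _, reply_to_domain = _first_mailbox(msg, "Reply-To")

    # Forged source: the envelope sender that delivered the mail is not the From domain.
    if return_path_domain and return_path_domain != from_domain:
        indicators.append(f"Return-Path domain {return_path_domain!r} differs from From domain {from_domain!r}")
    # Replies quietly routed to a third party.
    if reply_to_domain and reply_to_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_to_domain!r} differs from From domain {from_domain!r}")
    # Display name shows a trusted address while the real mailbox lives elsewhere.
    claimed = re.search(r"@([\w.-]+)", display_name)
    if claimed and claimed.group(1).lower() != from_domain:
        indicators.append(f"display name impersonates domain {claimed.group(1).lower()!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        inner = "." + pieces[-2] if len(pieces) > 2 else ""
        if ext in EXECUTABLE_EXTENSIONS:
            if inner in DOCUMENT_EXTENSIONS:
                indicators.append(f"attachment {name!r}: executable disguised with a document double extension")
            else:
                indicators.append(f"attachment {name!r}: executable file type")
        data = part.get_payload(decode=True) or b""
        # Content is a Windows executable (MZ magic) while the declared type says otherwise.
        if data[:2] == b"MZ" and part.get_content_type() not in PE_CONTENT_TYPES:
            indicators.append(f"attachment {name!r}: PE content declared as {part.get_content_type()}")
    return indicators


def build_sample_message(lure=True):
    """Constructed sample (not a real message): a lure like the one described, or a benign mail."""
    m = EmailMessage()
    if lure:
        m["From"] = '"hr@corp.example" <recruit@mail-corp.example>'   # display name mimics the target's HR
        m["Reply-To"] = "recruit@reply-collect.example"
        m["Return-Path"] = "<bounce@bulk-sender.example>"
    else:
        m["From"] = "HR Team <hr@corp.example>"
        m["Return-Path"] = "<hr@corp.example>"
    m["To"] = "jane.doe@corp.example"
    m["Subject"] = "Recruitment plan for your team"
    m.set_content("Jane, the attached plan is confidential. Please review it before Friday.")
    if lure:
        # A PE stub (MZ header) named as a spreadsheet with a double extension.
        m.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                         subtype="vnd.ms-excel", filename="Recruitment_Plan.xls.exe")
    else:
        m.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                         subtype="pdf", filename="Recruitment_Plan.pdf")
    return m.as_string()


if __name__ == "__main__":
    for indicator in check_message(build_sample_message()):
        print("-", indicator)
```

Any one of these indicators is common in legitimate mail (mailing lists rewrite Return-Path, for instance), so the value is in combining them and in routing a message that trips several of them to a sandbox or a human, not in blocking on a single hit.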

High profile APT breaches
The approach is strikingly effective, with Google and RSA among the highest-profile victims. “In the attack against RSA,” explains Scott Gréaux, a vice president at PhishMe, “the spear-phishers sent two different phishing emails to a group of employees over the course of several days. The subject line read ‘2011 Recruitment Plan’. One person’s curiosity duped him into opening the message and…” the rest is history.

In May 2012 the Élysée Palace was breached, and in October 2012 it emerged that the South Carolina Department of Revenue had been breached, with millions of social security numbers and hundreds of thousands of bank card details stolen. All of these victims were initially breached by targeted spear-phishing.

Evolution of the attack
Once a malicious attachment is opened, malware enters the system and the post-infiltration phase begins. It is likely to start with the installation of a remote administration trojan (commonly called a RAT) that opens a covert channel back to the attacker. This allows the attacker to roam the network at will, which he will do slowly and stealthily, gathering intelligence on the network infrastructure. He will learn what is stored where and, perhaps more importantly, how he can steal and exfiltrate information without being discovered.

During this process the attacker will very likely find the keys to the front door: legitimate log-on credentials. “As detailed by a report on the South Carolina hack,” explains Amichai Shulman, co-founder and CTO at Imperva, “the attackers grabbed remote access credentials to obtain a simple, standard channel of access into the organization. Using standard tools they explored the inside of the network looking for sensitive data and sent it out using standard file sharing services.” The longer the attackers remain undetected, the more data they can steal.

Defending against targeted attacks
All of this raises one major question: how can companies defend themselves against targeted attacks? It might appear that traditional security is failing, but remember that we only hear about the few attacks that get through, not the unknown number that are stopped. Companies do not need different security so much as additional security tailored to these threats. One emerging technology is anomaly detection built on big-data analysis. The idea is that all of the organization's activity is monitored continuously; from this a baseline of ‘normal’ behaviour is developed, and anything that subsequently deviates from that baseline is highlighted, because it could be the activity of an intruder.
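The baseline-then-anomaly idea above is easier to judge with a concrete instance. The following is an added example, not code from the original article or from any vendor it mentions. It runs over constructed outbound proxy log lines, learns for each user the usual daily outbound volume (median and median absolute deviation, which a single huge day cannot skew the way a mean and standard deviation can) and the destinations normally used, and then flags any later day whose volume lies far outside that history or that talks to a destination never seen before. That is exactly the pattern of the South Carolina exfiltration described above: a valid account, normal tools, but an abnormal volume going to an unfamiliar file-sharing service. The log format, field names, user and host names, baseline window and threshold are all assumptions made for the example.

```python
"""Added example (not code from the original article): per-user baseline and
anomaly scoring over constructed log lines. Format, names and thresholds are
assumptions for the example."""
import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")

# Constructed sample: five ordinary days, then a day on which 'bob' pushes far
# more data than usual to a file-sharing host he has never used before.
SAMPLE_LOG = """\
2012-10-01 user=alice dst=mail.corp.example bytes=200000
2012-10-01 user=bob dst=mail.corp.example bytes=150000
2012-10-02 user=alice dst=mail.corp.example bytes=230000
2012-10-02 user=bob dst=mail.corp.example bytes=140000
2012-10-03 user=alice dst=mail.corp.example bytes=190000
2012-10-03 user=bob dst=mail.corp.example bytes=170000
2012-10-04 user=alice dst=mail.corp.example bytes=250000
2012-10-04 user=bob dst=mail.corp.example bytes=160000
2012-10-05 user=alice dst=mail.corp.example bytes=210000
2012-10-05 user=bob dst=mail.corp.example bytes=155000
2012-10-06 user=alice dst=mail.corp.example bytes=215000
2012-10-06 user=bob dst=mail.corp.example bytes=150000
2012-10-06 user=bob dst=share-drop.example bytes=4800000
"""
BASELINE_END = "2012-10-06"   # assumption: days before this train the baseline, this day onward is scored


def parse_log(text):
    """Yield (date, user, dst, nbytes) for every line matching LOG_RE; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["date"], m["user"], m["dst"], int(m["bytes"])


def daily_totals(records):
    """Aggregate records into {user: {date: [total_bytes, {destinations}]}}."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for date, user, dst, nbytes in records:
        totals[user][date][0] += nbytes
        totals[user][date][1].add(dst)
    return totals


def build_baseline(totals, cutoff, min_days=3):
    """Per user, learn (median volume, MAD, known destinations) from the days before cutoff."""
    baseline = {}
    for user, days in totals.items():
        past = [(vol, dsts) for date, (vol, dsts) in days.items() if date < cutoff]
        if len(past) < min_days:          # assumption: too little history to judge this user yet
            continue
        vols = [vol for vol, _ in past]
        median = statistics.median(vols)
        mad = statistics.median(abs(v - median) for v in vols)
        known = set().union(*(dsts for _, dsts in past))
        baseline[user] = (median, mad, known)
    return baseline


def find_anomalies(totals, baseline, cutoff, z_threshold=3.5):
    """Return (date, user, reason) for scored days that deviate from the user's own baseline."""
    findings = []
    for user, days in totals.items():
        if user not in baseline:          # no history to compare against; a real system would queue these
            continue
        median, mad, known = baseline[user]
        scale = 1.4826 * mad              # MAD rescaled to a standard-deviation equivalent
        for date in sorted(days):
            if date < cutoff:
                continue
            vol, dsts = days[date]
            if scale > 0:
                z = (vol - median) / scale
            else:                         # perfectly constant history: any increase is anomalous
                z = float("inf") if vol > median else 0.0
            if z > z_threshold:
                findings.append((date, user, f"outbound volume {vol} is {z:.1f} robust sigmas above the usual {median:.0f}"))
            unseen = dsts - known
            if unseen:
                findings.append((date, user, "first use of destination(s): " + ", ".join(sorted(unseen))))
    return findings


def run_sample():
    """Score the constructed SAMPLE_LOG against a baseline built from its first five days."""
    totals = daily_totals(parse_log(SAMPLE_LOG))
    baseline = build_baseline(totals, BASELINE_END)
    return find_anomalies(totals, baseline, BASELINE_END)


if __name__ == "__main__":
    for date, user, reason in run_sample():
        print(f"{date} {user}: {reason}")
```

On the sample, alice's 6 October traffic scores well inside her history and produces nothing, while bob's day is flagged twice, once for volume and once for the unfamiliar destination. In practice the same structure is applied per user, per host and per destination, and the threshold is tuned against a quiet period so that the baseline itself is not learned from an already compromised network.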

The fact remains, however, that prevention is always better than cure. With 91% of such attacks starting from a spear-phishing email, defence against spear-phishing has to be a priority. While there are security products that will help, the bottom line here is user education. “Organizations must pay attention to the human factor in security,” says Kaspersky’s Emm. “Users need to learn how to recognize phishing, and to stop over-sharing personal information online.” Above all, he says, “It’s important to remember that security is not unlike housework – it’s only meaningful if you repeat the process at regular intervals.”

See also:
Security awareness is taught, not bought
Spear-phishing is the single biggest threat to cyber security today
A new security paradigm for the zero-day advanced persistent threat
