Sophisticated targeting is one of the most important trends in security right now. Although most of the malware and attacks we see are still un-targeted, the biggest and most damaging ones are highly targeted.
Targeted attacks have four major advantages for the hacker:
- They are harder to detect because they impact a much smaller population.
- They tend to avoid attacking security researchers, bots and honeypots, thus making discovery and analysis more difficult and time-consuming.
- They keep expensive zero-day exploits out of detection signatures, so those exploits stay usable for the next target.
- Attackers know exactly what they want to achieve and how they will exploit the data or access, so they get much more impact for a given amount of effort, whether the payoff is cash, political impact, revenge, or something else.
A random attack like a commodity ransomware incident should be no more than an annoyance to a reasonably prepared business, one with tested backups. Employees can be trained to avoid clicking links or opening attachments in suspicious emails.
However, the same is not true of targeted attacks. A masterfully crafted spear-phishing email will fool just about anyone, even the most savvy or expert user. The email will appear to come from someone the victim knows, often sent from that person's own compromised account, will be written in that person's style, and will be completely appropriate to their current topics of discussion. Attachments and links will look normal and expected.
Targeted watering hole attacks compromise marquee websites like Forbes and Yahoo, and then avoid detection by only launching attacks against the small handful of desired victims. Far from being in the dark back alleys of the Internet, these attacks happen in the cyber equivalent of noon in Times Square.
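To make the selection step concrete, here is an added illustration (not code from the article, its author, or any real incident) of the two points made above: a watering hole that only fires for the handful of intended victims while staying silent for researchers, crawlers and honeypots, beside the defender-side check that actually exposes it, fetching the same page from several vantage points and diffing the results. The address ranges are RFC 5737 documentation networks used as stand-ins, the bot markers and the "serve once" rule are assumed gating heuristics chosen for the example, and the injected tag and `cdn.example.invalid` host are placeholders.

```python
import hashlib
import ipaddress

# Constructed stand-in ranges (RFC 5737 documentation networks, not real victims).
TARGET_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]    # "the target organization"
RESEARCH_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # "a known security vendor"
# Assumed user-agent markers used to skip crawlers, honeypots and analysis tooling.
BOT_MARKERS = ("bot", "crawler", "spider", "curl", "wget", "python-requests", "headless")

CLEAN_PAGE = "<html><body><h1>Headlines</h1></body></html>"
INJECTED_TAG = '<script src="//cdn.example.invalid/analytics.js"></script>'  # placeholder


class SelectiveWateringHole:
    """Models the gating logic of a targeted watering hole (constructed example)."""

    def __init__(self):
        self.already_served = set()

    def is_selected(self, ip: str, user_agent: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in RESEARCH_NETWORKS):
            return False          # avoid analysts and honeypots entirely
        if not any(addr in net for net in TARGET_NETWORKS):
            return False          # everyone outside the target population sees a normal site
        if any(marker in user_agent.lower() for marker in BOT_MARKERS):
            return False          # avoid crawlers and automated sandboxes
        if ip in self.already_served:
            return False          # fire once: a later re-fetch for analysis gets the clean page
        self.already_served.add(ip)
        return True

    def serve(self, ip: str, user_agent: str) -> str:
        if self.is_selected(ip, user_agent):
            return CLEAN_PAGE.replace("</body>", INJECTED_TAG + "</body>")
        return CLEAN_PAGE


def differential_fetch(fetch, vantage_points):
    """Defender-side check: fetch the page from each (ip, user_agent) vantage point
    and return the vantage points whose content hash differs from the most common one."""
    digests = {vp: hashlib.sha256(fetch(*vp).encode()).hexdigest() for vp in vantage_points}
    counts = {}
    for digest in digests.values():
        counts[digest] = counts.get(digest, 0) + 1
    baseline = max(counts, key=counts.get)
    return sorted(vp for vp, digest in digests.items() if digest != baseline)


def demo():
    """Run the check once; only the vantage point inside the target network sees the payload."""
    site = SelectiveWateringHole()
    browser = "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0"
    vantage = [
        ("198.51.100.7", browser),      # the security vendor's lab
        ("192.0.2.10", browser),        # a random member of the public
        ("192.0.2.11", "curl/7.47.0"),  # a crawler
        ("203.0.113.25", browser),      # someone inside the target organization
    ]
    return differential_fetch(site.serve, vantage)


if __name__ == "__main__":
    print(demo())
```

The lesson for the defender is in the second half: a check run only from a vendor lab or a crawler never sees the payload, and even a target-network vantage point sees it only on the first fetch, so differential fetching has to be done from a target-like network position and the first response has to be kept for analysis.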
Because targeted attacks are harder to detect, attackers are willing to deploy their most valuable zero-day or otherwise undetectable exploits and tools, knowing that those tools are likely to remain effective long after the attack.
These tools are also the most effective and reliable at penetrating the target company. Once the attacker is in, they can move directly to getting what they came for – that could be credit card numbers, personal information, business secrets, or just embarrassing emails.
The Sony hackers almost certainly knew what they wanted to do with their stolen emails before they started. Likewise, the OPM hackers undoubtedly had very specific plans for the detailed personal information they were able to take.
Defending against targeted attacks is also much more difficult. The low volume makes it much less likely that anomaly detection systems will trigger. The use of unknown tools makes signature detection fail. And reconnaissance lets the attacker find a soft entry point into the enterprise and move strategically from there.
Businesses need to move quickly towards security that relies less on detection for protection. Architectures must contain attacks, minimize damage and automatically restore systems whether or not those systems are known to be compromised. Detection and training will always be valuable, but we cannot rely on them to be effective, especially against targeted attacks.
For those interested in a deeper dive on the trend towards targeted attacks and techniques for defending against them, I will be presenting “In the Crosshairs: The Trend Towards Targeted Attacks” at BSides San Francisco on February 28th.
I will discuss several targeting case studies and lessons we can take from them to better defend ourselves.
About the Author: Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. Anonymizer’s technologies form the core of Ntrepid’s Internet misattribution and security products. As Chief Scientist, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats. Lance is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance is the principal author on multiple Internet anonymity and security technology patents. He started developing Internet anonymity tools in 1992 while pursuing a Ph.D. in physics, eventually leaving to work on those technologies full time.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock