In our efforts around addressing targeted attacks, we often work with IT administrators from different companies in dealing with threats against their network. During these collaborations, we’ve recognized certain misconceptions that IT administrators — or perhaps enterprises in general — have in terms of targeted attacks. I will cover some of them in this entry, and hope that it will enlighten IT administrators on how they should strategize against targeted attacks, also known as APTs.
A targeted attack is a one-time effort
Some IT administrators tend to think that targeted attacks are a one-time effort — that being able to detect and stop one run means the end of the attack itself. The truth, however, is that targeted attacks are also known as APTs because the term describes the attack well: advanced and persistent. The attacks are often well-planned and dynamic enough to adapt to changes within the target network. Being able to trace and block an attempt will mean that elimination of the threat. If anything, it can mean that there might be several other attempts not being detected, elevating the need for constant monitoring.
There is a one-size-fits-all solution against targeted attacks
The demand for a complete and effective solution against targeted attacks is quite high, but a solution simply can not exist considering the nature of targeted attacks. Attackers spend much time during reconnaissance to understand the target company — its IT environment, and its security defenses — and IT admins need to adapt this mentality in terms of their security strategy. All networks are different, and this means that each one will need to be configured differently. IT admins need to fully understand the network and implement the necessary defense measures to fit their environment.
Your company is not important enough to be attacked
Another big assumption that companies have when it comes to targeted attacks is that they are unlikely to be a target because they do not have important data in their systems. Unfortunately, the importance of certain data may be relative to the intention of whoever is trying to get hold of it. For example, an HR personnel in a company may not find much importance in records of the employment history of past applicants, but an attacker might find use for it as a reference for social engineering. As Raimund said in one of his videos earlier this year, enterprises need to identify their core data and protect them sufficiently.
Targeted attacks always involve zero-day vulnerabilities
It goes without saying that zero-day vulnerabilities pose a great risk to enterprises, and users in general. However, based on analysis of targeted attacks seen in the past, older vulnerabilities are used more frequently. In our Targeted Attack Trends report from the second half of 2013, the most exploited vulnerability was not only one that was discovered in 2012, but was also patched in the same year. This trend raises the importance of applying security updates to all systems within a network – a missed update for one system may be all it takes to compromise an entire network.
Targeted attacks are a malware problem
The last misconception I’ll discuss is quite tricky because it is partly true. IT admins are mostly concerned about having a solution that will prevent malware from getting into their network. Although it is a valid concern, focusing on malware will only solve part of the problem. Targeted attacks involve not only the endpoints, but the entire IT environment. For example, many tools involved in lateral movement are legitimate administration tools. If the solution is focused only on detecting malware, it will not be able to detect the malicious activity. IT admins need to consider solutions that cover all aspects of the network.
For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.