In recent years, there has been a considerable increase in targeted attacks. This style of attack is an especially dangerous threat, as it is nearly impossible to tell who the victim will be until an infiltration has already taken place.
What is a targeted attack?
According to Trend Micro's definition, a targeted attack refers to an instance where an attacker or group of cybercriminals specifically goes after a certain organization's systems and infrastructure. The goal of the attack is to infiltrate the victim's network and remain anonymous for a long period of time. Motivations differ from attack to attack, but can include stealing sensitive information, making a profit or attaining some sort of political gain.
Oftentimes, hackers carrying out targeted attacks will choose victims operating in a specific industry. Some of the most popular targets among cybercriminals include the enterprise, government and other political sectors.
Many attacks include elements from traditional infections, including emails with malicious attachments, legitimate but compromised websites, exploit kits and typical malware. However, these instances often take place as part of a campaign and encompass not just a single attempt at infection, but several over a long period of time that enable hackers to get as deep into the network as they can.
Attacks often take place in phases, including intelligence gathering, the point of entry, command-and-control communication, lateral movement, asset or data discovery and data exfiltration.
"[T]he growing aspirations of cybercriminals to seek greater profits and the rise of hacktivism have led to more targeted attacks," Trend Micro stated.
Thankfully, there are a few key strategies businesses can use to harden their defenses against a targeted attack. As these instances are occurring at increasing rates, it is more important than ever to incorporate these approaches into the company's security.
Let's take a look at some of the best ways to protect against a targeted attack:
According to Trend Micro's white paper, "Suggestions to Help Companies with the Fight Against Targeted Attacks," threat analyst Jim Gogolinski advises using segmentation to create silos within the network. Overall, the network should be divided into as many segments as possible without creating added complexities.
Segments can include specific groups of workstations, servers, printers or other devices that are able to access other endpoints within that silo. The sections can be organized according to function or department – i.e., the devices used by the human resources department can reside in one segment and the endpoints utilized by the finance department would be contained in a separate segment. Businesses can also categorize segments according to physical location, security level or other characteristics. Each segment should have an individual firewall in place to manage and direct traffic across the various segments.
Gogolinski noted that it is helpful to think of these segments as secure rooms inside of a single, large structure.
"The absence of segments can allow anyone who can enter the building access to everything inside it," Gogolinski wrote. "Adding secure rooms makes the task of getting full access to the complete network much harder for anyone who can breach the perimeter."
Segments can apply to data as well as devices. Encryption and user privileges can be utilized to limit who has access to particularly sensitive information. It might also be helpful to leave certain less sensitive or unnecessary data on user machines – this data can be considered sacrificial information, Gogolinski suggested.
"The amount of time it may take an adversary to realize the data is not very useful may be the amount of time required to detect and start eradicating a network threat," Gogolinski wrote.
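To make the segmentation advice concrete, the following is an added example (not code from the article or from Trend Micro's white paper). It models the rule Gogolinski describes as a small policy: traffic between segments is dropped by default and only named flows are permitted, with one firewall ruleset rendered in nftables syntax. The segment names, address ranges, ports and permitted flows are all constructed assumptions for illustration.

```python
"""Segmentation policy as code: default deny between segments, explicit allow
for named flows. Segments, subnets and the permitted flows are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed segments, one per department or function, each with its own subnet.
SEGMENTS = {
    "hr":       ipaddress.ip_network("10.10.0.0/24"),
    "finance":  ipaddress.ip_network("10.20.0.0/24"),
    "servers":  ipaddress.ip_network("10.100.0.0/24"),
    "printers": ipaddress.ip_network("10.200.0.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# The only cross-segment flows permitted; anything else is dropped.
# Note there is no hr <-> finance entry: a foothold in HR cannot reach finance.
ALLOWED = [
    Flow("hr", "servers", "tcp", 443),
    Flow("finance", "servers", "tcp", 443),
    Flow("finance", "servers", "tcp", 445),
    Flow("hr", "printers", "tcp", 9100),
    Flow("finance", "printers", "tcp", 9100),
]


def segment_of(ip):
    """Return the segment name containing ip, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, port):
    """Policy decision for a single new connection (default deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                 # unknown addresses never get through
    if src == dst:
        return True                  # traffic inside one silo is permitted
    return Flow(src, dst, proto, port) in ALLOWED


def render_nftables():
    """Render the same policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for f in ALLOWED:
        lines.append(
            f"    ip saddr {SEGMENTS[f.src]} ip daddr {SEGMENTS[f.dst]} "
            f"{f.proto} dport {f.port} accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    # An HR workstation trying to reach a finance share is denied:
    print(is_allowed("10.10.0.5", "10.20.0.7", "tcp", 445))
```

Keeping the policy in one place and generating the per-segment firewall rules from it is what makes "as many segments as possible without added complexity" practical: adding a segment means adding a subnet and the handful of flows it genuinely needs, and the default-drop chain handles everything else.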
Logging and log analysis
Experts also suggest keeping a close eye on information and access with data logging and log analysis. Not only do these valuable resources help managers fully understand the sensitive information the business's users work with, but analysis can also reveal network traffic patterns. These can be especially beneficial, as a network administrator who fully understands typical traffic patterns will be better equipped to spot any suspicious activity that could be associated with an attack.
However, it's not enough to simply create and analyze the logs. These assets should also be actively monitored so that key stakeholders can be aware of activities in real time.
Logs should be maintained in a secure, central location within the business and kept for as long as possible. Gogolinski advises storing one year's worth of logs on a rolling basis, at minimum.
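The following is an added example (not code from the article) of the kind of analysis the passage above describes: a baseline of "typical" traffic is built from an earlier window of log lines, and later lines are flagged when they deviate from it in two ways that matter for targeted attacks, a workstation opening connections to several internal hosts it never talked to before (the lateral-movement phase) and a transfer to an external address far larger than anything seen before (the exfiltration phase). The log format, addresses, thresholds and sample lines are all constructed assumptions.

```python
"""Baseline-and-deviation detection over constructed firewall log lines."""
import ipaddress
import re
from collections import defaultdict

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> bytes=<n>"
LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space

# Constructed training window: one HR workstation's normal working day.
TRAINING = [
    "2024-05-01T09:00:01 src=10.10.0.5 dst=10.100.0.7 dport=443 bytes=1800",
    "2024-05-01T09:05:12 src=10.10.0.5 dst=10.100.0.7 dport=443 bytes=2400",
    "2024-05-01T09:06:40 src=10.10.0.5 dst=203.0.113.10 dport=443 bytes=5000",
    "2024-05-01T09:10:03 src=10.10.0.5 dst=10.200.0.3 dport=9100 bytes=90000",
]

# Constructed later window: the same host at 3 a.m., scanning peers and uploading.
LATER = [
    "2024-05-02T03:11:09 src=10.10.0.5 dst=10.100.0.7 dport=443 bytes=2000",
    "2024-05-02T03:12:15 src=10.10.0.5 dst=10.10.0.6 dport=445 bytes=300",
    "2024-05-02T03:12:16 src=10.10.0.5 dst=10.10.0.7 dport=445 bytes=300",
    "2024-05-02T03:12:17 src=10.10.0.5 dst=10.10.0.8 dport=445 bytes=300",
    "2024-05-02T03:30:00 src=10.10.0.5 dst=198.51.100.9 dport=443 bytes=250000000",
]


def parse(lines):
    """Yield (src, dst, port, bytes) for every line that matches the format."""
    for ln in lines:
        m = LINE.search(ln)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def build_baseline(lines):
    """Per source host: the (dst, port) pairs it normally talks to, and the
    largest single transfer it has made to an external address."""
    pairs = defaultdict(set)
    max_ext = defaultdict(int)
    for src, dst, port, nbytes in parse(lines):
        pairs[src].add((dst, port))
        if ipaddress.ip_address(dst) not in INTERNAL:
            max_ext[src] = max(max_ext[src], nbytes)
    return {"pairs": pairs, "max_ext": max_ext}


def detect(baseline, lines, fanout_limit=3, exfil_factor=10):
    """Return findings for lines that deviate from the baseline.

    fanout_limit: number of never-before-seen internal destinations from one
                  source that counts as possible lateral movement.
    exfil_factor: an external transfer this many times larger than the host's
                  previous maximum counts as possible exfiltration.
    """
    findings = []
    new_internal = defaultdict(set)
    for src, dst, port, nbytes in parse(lines):
        known = baseline["pairs"].get(src, set())
        if ipaddress.ip_address(dst) not in INTERNAL:
            prior_max = max(baseline["max_ext"].get(src, 0), 1)
            if nbytes > exfil_factor * prior_max:
                findings.append(("possible-exfiltration", src, dst, nbytes))
        elif (dst, port) not in known:
            new_internal[src].add(dst)
    for src, dsts in sorted(new_internal.items()):
        if len(dsts) >= fanout_limit:
            findings.append(("possible-lateral-movement", src, len(dsts)))
    return findings


def run_demo():
    """Build the baseline from TRAINING and check LATER against it."""
    return detect(build_baseline(TRAINING), LATER)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The thresholds are deliberately simple; the point is that neither finding is visible from a single line. Both depend on having enough history to know what "typical" looks like for that host, which is why the retention advice above (a rolling year at minimum) and the baseline go together.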
It is also helpful to limit access to higher-level, more sensitive information among users. Not all employees will need to view or work with this data, and it makes sense for security purposes to put user privileges in place. In this way, even if a hacker is able to capture a lower-level employee's authentication credentials, the attacker will not have full access to the organization's assets.
It is also beneficial to put as much authentication in place as possible. Strong passwords are a must, and two-factor authentication should be utilized wherever feasible. Experts also recommend changing passwords on a regular basis and auditing these credentials for their strength and security.
TechTarget contributor Mike Chapple noted the importance of user education in the fight against targeted attacks. Many infiltrations hinge upon the use of phishing strategies, social engineering or other similar approaches. Therefore, it is imperative that workers know what signals to look for in order to identify a malicious message, website or link.
However, education should extend beyond the symptoms of infections. Staff members should also be trained on their responsibilities when using corporate devices or accessing sensitive information. Chapple pointed out that one targeted attack at an Iranian nuclear facility was successful because an employee unknowingly brought an infection into the network on a flash drive.
"Make sure users understand their role in protecting the security of the organization and that the organization has set clear expectations for user behavior," Chapple wrote.
In addition to these best practices, a Custom Defense solution from Trend Micro can also be an important defense against targeted attacks.