What can enterprise CIOs and their teams do against targeted attacks? The stakes for having a strong cyber security strategy that takes these threats into account are higher than ever, especially in the wake of 2014 incidents involving Sony Pictures, JPMorgan Chase and many other prominent firms.
Why targeted attacks are on the horizon
An entry on the Trend Micro TrendLabs Security Intelligence Blog, published late last year, predicted that in 2015 targeted attacks would become as prevalent as cyber crime. The authors cited several key trends driving the uptick in targeted attacks:
- Targeted attacks are highly effective means of gathering intelligence, as shown by the terabytes of sensitive data harvested in the Sony Pictures breach.
- More specifically, target organizations may hold a variety of exposed financial information, government data and/or intellectual property that attackers can profit from.
- Social media provides increasingly easy channels for initiating targeted attacks, e.g., through “can’t miss/must read” posts that lure targets.
Historically, targeted attacks have been somewhat rare and limited to highly capable actors, in some cases backed by nation-states, although hacktivists and organized cyber criminals have both followed similar strategies to get what they want. A 2014 InformationWeek survey of 536 business and technology professionals, at companies with 100 or more employees, found that 18 percent of respondents confirmed that they had suffered a targeted attack, while 26 percent stated that they weren’t sure and 56 percent had not.
Looking ahead, enterprises will increasingly require deep discovery tools and other cyber security solutions that do more than simply address run-of-the-mill malware and automated, indiscriminate cyber crime campaigns. Targeted attacks are specific to their victim, requiring a custom defense so that organizations can know for certain if and when they are in harm’s way.
Understanding targeted attacks: How and why do they work?
If someone were to look through his or her spam email folder, there would probably be no shortage of messages inciting the recipient to click a dubious link or visit an obscure (possibly compromised) website. But these threats, like the malware packaged in fake versions of mobile games such as “Flappy Bird,” are built to scale rather than go after a specific target.
As such, they have limited effectiveness. Spam messages, for instance, have abysmal click-through rates that can amount to a single click among millions of messages, according to a 2008 study from researchers at the University of San Diego and University of California, Berkeley. In addition to being generic, spam and mass-market malware are also contained by cyber security solutions that have been optimized for exactly these types of threats.
Targeted attacks, on the other hand, aren’t designed to scale but to bypass the defenses of a chosen organization. Rather than the easy-to-ignore offers of spam or the often obvious giveaways of fake apps, these attacks may utilize carefully crafted emails and/or social media campaigns to deceive an employee at the targeted firm into letting the company’s guard down.
Some possible attack vectors could include:
- Spear-phishing emails: A 2012 Trend Micro report found that 91 percent of targeted attacks involved spear-phishing. Although it is a relatively old technique, spear-phishing works because it is so convincing – a seemingly innocuous email is supplemented by an attachment in a commonly used file format. If opened, the attachment can expose the targeted organization to malware delivery via command-and-control servers.
- Facebook scams: With more than 1 billion users worldwide, Facebook’s size makes it an attractive asset for targeted attacks. Click-bait posts, rogue applications (like some games) and chat messages that direct users to malicious sites are all possible risks on the social network. “Likejacking” can also occur if a script causes an account to begin liking pages and reposting content without the user’s consent.
- Twitter traps: Twitter has millions of bots that post spurious links and other content. Despite the character-limited nature of the platform, some posts can still lure Twitter users in and get them to click a link that redirects to a typical, compromised survey site or malware delivery channel.
Targeted attacks have also succeeded in other ways, without having to rely on email or social media. The Sony Pictures attack was only possible due to years of cyber security lapses within the organization, while the JPMorgan break-in last summer may have been facilitated by the lack of two-factor authentication on a single bank server. As these examples illustrate, no stone can be left unturned when it comes to defending against targeted attacks.
What enterprises can do to minimize the risk from targeted attacks
Spotting and removing targeted attacks is often difficult because traditional tools aren’t a good fit for the job. Signature-based antivirus, for instance, can create an unacceptable signal-to-noise ratio that overwhelms analysts and lets real threats slip past, undetected.
What is needed is a comprehensive approach to network security, one that accounts for both internal and external risks. Technology must be put into the hands of experienced teams that can single out unusual activity.
“You’re going to assume that the adversary has evaded all your technology, and you’re going to try to fully instrument your network to look for anomalous activities, and look for signs of compromise that may already exist,” Dmitri Alperovitch, co-founder and CTO of CrowdStrike, told Dark Reading. “You need to understand everything that’s going on from an execution perspective in your corporation so that you can analyze for both external threat actors and potential insiders looking to do damage to your network.”
Network design should also be reconsidered. For example, enterprises can make life harder on the perpetrators of targeted attacks by architecting their networks so that infrastructure is segmented, much like the watertight compartments of a ship. In this way, damage to one section can be contained and won’t spill over to another.
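As an added illustration of the segmentation point (example code written for this page, not from the article or any vendor), the script below models a network as zones with allowed flows and computes the “blast radius” of a compromised zone: how many lateral hops an intruder needs to reach each other zone. The zone names and both policies are constructed; a flat network puts sensitive zones one hop from user workstations, while a tiered policy forces several separate compromises, each of which is a chance for the instrumented monitoring described above to catch the intruder.

```python
# Added example: compare a flat zone policy with a segmented one by computing
# how far a compromise of one zone can spread. Zones and rules are constructed.
from collections import deque

# Each rule is (source_zone, destination_zone): traffic allowed in that direction.
FLAT_POLICY = [
    ("workstations", "file-servers"),
    ("workstations", "db-servers"),
    ("workstations", "backup"),
    ("file-servers", "db-servers"),
    ("db-servers", "backup"),
]

SEGMENTED_POLICY = [
    ("workstations", "app-servers"),  # users reach only the application tier
    ("app-servers", "db-servers"),    # only the app tier reaches the databases
    ("db-servers", "backup"),         # only the database tier pushes to backup
]


def blast_radius(policy, start):
    """Map every zone reachable from `start` to the minimum number of lateral hops.

    Breadth-first search over allowed flows; the compromised zone itself is omitted.
    """
    allowed = {}
    for src, dst in policy:
        allowed.setdefault(src, set()).add(dst)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(allowed.get(zone, ())):
            if nxt not in hops:
                hops[nxt] = hops[zone] + 1
                queue.append(nxt)
    del hops[start]
    return hops


def directly_exposed(policy, start, crown_jewels):
    """Crown-jewel zones one hop from `start`: a compromise there spills straight over."""
    radius = blast_radius(policy, start)
    return sorted(z for z in crown_jewels if radius.get(z) == 1)


if __name__ == "__main__":
    jewels = ["db-servers", "backup"]
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, blast_radius(policy, "workstations"),
              "directly exposed:", directly_exposed(policy, "workstations", jewels))
```

Run against a real rule set, the same logic (allowed flows exported from firewall or cloud security-group policy) shows whether the segmentation actually contains a compromised user zone or only appears to.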
Targeted attacks are still rare compared with automated and generic campaigns. But in light of how much damage they can cause, it makes sense for companies to get out ahead of the threat and upgrade their defenses.