Malware dominates headlines about cybersecurity, but it is just a sliver of what enterprise IT departments deal with today. Certainly, desktop threats such as CryptoLocker have upped the ante by combining asset theft with strong encryption, putting a premium on data backup and recovery. Likewise, there has been enough growth in the number and variety of Android malware samples to justify renewed focus on bring-your-own-device (BYOD) security. Still, there are risks beyond malware.
Take targeted attacks, the term for carefully planned intrusion, surveillance and general exploitation of a specific organization's network. Usually carried out against civilian government agencies, militaries and large enterprises, these campaigns – also sometimes dubbed advanced persistent threats – are often subtle and slow-paced in contrast to the rapid, obvious damage associated with headline-making malware.
For example, a few months ago, eBay revealed a breach that affected 145 million users; the company advised them to change their account passwords. While the incident was reported this May, it had been in progress since late February or early March, following the compromise of legitimate eBay employee accounts that were then used to access sensitive information.
Why are we hearing more about targeted attacks recently?
The delayed discovery of data loss and the harvesting of credentials via social engineering were textbook APT. While the APT/targeted attack category can seem vague and newfangled, it actually refers to what is happening now that several long-term, sometimes ignored trends have bubbled to the surface:
- More opportunities for effective social engineering: Social media sites such as Facebook and Twitter have joined email as popular channels for deceiving individuals via too-good-to-be-true offers and seasonal stories. The Trend Micro TrendLabs e-guide "How Social Engineering Works" explained how cybercriminals capitalized upon events such as the 2011 Japan tsunami to spread malware through fake news sites.
- Weak password security and authentication: This is what got eBay. Stolen and resold credentials are always a liability for enterprises, but in 2014 a username and/or password by itself shouldn't be sufficient for being granted access to the network, especially from unfamiliar machines. Two-factor authentication – requiring an SMS code, a biometric or another means of verification – exists yet is underutilized, putting all the security eggs in the (weak) password basket. The most popular password of 2013 was "123456," followed by "password."
- Easy access to network and cloud resources: Attackers aren't strapped for computing horsepower these days. Many of the largest distributed denial-of-service attacks ever have been executed just this year thanks to for-hire services and access to affordable cloud infrastructure. A team at the 2014 Black Hat conference proved that it was possible to build a highly capable botnet – one that could do password cracking, cryptocurrency mining or DDoS – by pooling the free-tier cloud resources associated with numerous email accounts.
- Insiders who may not uphold security policies: Significant risk can reside within an enterprise's walls. A recent survey of 355 IT professionals conducted by SpectorSoft found that almost 60 percent couldn't detect an insider threat, which can include accidental as well as deliberate misuse of privilege along with exposure and theft of key data. Cybersecurity has to address employee education in addition to defense against external forces.
- Zero-days, old platforms and unpatched vulnerabilities: The end of official support for Microsoft Windows XP came and went a few months ago, but the aging operating system is still popular, especially in parts of Asia. Its persistence and obvious vulnerability to attack are indicative of broader issues with the slowness of network security upgrades. For context, Trend Micro's Targeted Attack Trends report for the second half of 2013 found that the most common exploit was one from 2012 that had in fact been patched that same year. It's easy to see why enterprises struggle with zero-days (which by definition have no patch available when they are first exploited), but long-since patched holes are another matter.
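The "weak password security" point above is worth seeing in working code: a login decision in which a correct password alone is honored only from a device the account has used before, while an unfamiliar device must also present a valid one-time code. The following is an added example written for this post, not code from Trend Micro or eBay. It implements HOTP/TOTP (RFC 4226/6238) with the standard library, rejects the well-known weak passwords the post names, and uses the RFC reference secret `12345678901234567890` and a constructed account purely so the codes can be checked by hand; the `Account` class, `authenticate` function and weak-password list are assumptions of the example, not anything described in the post.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed list of commonly chosen passwords. A deployment would check against a
# large breached-password corpus; "123456" and "password" are the two the post names.
WEAK_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein"}


def password_is_weak(password: str) -> bool:
    """Reject the well-known weak choices and anything very short."""
    return password.lower() in WEAK_PASSWORDS or len(password) < 10


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the hash, not the password, is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamic truncation, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current 30-second time step."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at_time + k * 30), code)
        for k in range(-window, window + 1)
    )


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    known_devices: set = field(default_factory=set)


def create_account(username: str, password: str, totp_secret: bytes) -> Account:
    """Refuse to enroll a password that is on the weak list or too short."""
    if password_is_weak(password):
        raise ValueError("password is on the weak list or too short")
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), totp_secret)


def authenticate(account: Account, password: str, device_id: str,
                 totp_code: Optional[str] = None, now: Optional[int] = None) -> str:
    """Return 'deny', 'second_factor_required' or 'allow'.

    A correct password alone is enough only from a device this account has already
    used. An unfamiliar device must also present a valid TOTP code; once it does,
    the device is remembered for subsequent logins.
    """
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        return "deny"
    if device_id in account.known_devices:
        return "allow"
    if totp_code is None:
        return "second_factor_required"
    if not verify_totp(account.totp_secret, totp_code, now):
        return "deny"
    account.known_devices.add(device_id)
    return "allow"


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret; at time 59 the code is 287082.
    acct = create_account("alice", "correct horse battery staple", b"12345678901234567890")
    pw = "correct horse battery staple"
    print(authenticate(acct, pw, "laptop-1"))                      # second_factor_required
    print(authenticate(acct, pw, "laptop-1", "287082", now=59))    # allow, device now known
    print(authenticate(acct, pw, "laptop-1"))                      # allow
```

The device check is deliberately coarse (a device identifier the client presents); the point is the control flow, in which a stolen password by itself never yields "allow" from a machine the account has not used, which is exactly the gap the post describes.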
Taken together, these trends – none of which primarily concern malware – illustrate why APTs have come to the fore in recent years. In particular, the wave of retail breaches last spring and winter brought home how planned attacks can successfully beat security and extract massive amounts of protected data. What can companies do to adjust to the new threat landscape?
Dealing with misconceptions about targeted attacks
In a recent blog post, Trend Micro threat researcher Spencer Hsieh tried to clear up some confusion around targeted attacks. We won't recount all of the misconceptions here, but it's important to note that he pointed out that targeted attacks don't have to involve malware and that they can affect companies of any size.
Sure, large public- and private-sector organizations are more natural targets of APTs since they usually sit upon enormous amounts of valuable information. At the same time, a smaller but more lightly protected outfit may be targeted for resources such as employee details or email addresses, which can be turned into powerful tools for social engineering, identity theft and DDoS that perpetuate the APT cycle.
On the subject of malware, it's easy to get caught up in the latest reports about advanced viruses and ransomware, despite many of these threats being limited in scope and unproven at scale. Although antivirus is important for guarding against a wide range of strains, organizations should note that numerous breaches weren't precipitated by cutting-edge malware but instead by exploitation of vulnerabilities in widely used software such as Java, Adobe Flash and Microsoft Word. Fixating on malware while ignoring these risks is equivalent to locking the front door while leaving the nearby window wide open.
"IT admins are mostly concerned about having a solution that will prevent malware from getting into their network. Although it is a valid concern, focusing on malware will only solve part of the problem," wrote Hsieh. "Targeted attacks involve not only the endpoints, but the entire IT environment."
APT security requires network monitoring in tandem with email security, education and antivirus. Sound defense is a combination of old and new solutions to match the shape of today's threats.