Most of the things our industry has learned about targeted attacks were realized the hard way: through analysis of successful attacks. Our realizations have so far revealed just how unfamiliar we are with the “battle ground” we are currently in, and how that unfamiliarity has caused the industry to be unable to understand what is needed to deal with such attacks. But why is this so? Do the attackers really have the upper hand? The answer, unfortunately, is yes.
To put it simply, attackers have a greater level of control and a wider range of resources. They get to decide on the very nature of the threat — how and when the attack will play out. They can employ the use of the numerous tools available on the Internet, including legitimate services. More importantly, they can get intelligence on what they are up against – they can do research on the target and find information that can make infiltration easy and almost undetectable.
And while attackers are able to utilize such flexibility, targets, on the other hand, are faced with multiple limitations that even by themselves are already difficult to manage. With the dawn of consumerization and rise of mobile computing, it is already a big struggle for companies to identify their own network, even more so to protect it. They can only do so within the limitations of available strategies, whatever control they have over the network, and the awareness of their people.
False Sense of Control
That said, as the ones assigned to defend the targets, one of the most dangerous assumptions we can have is that we have knowledge of how an attacker will conduct their attack. The truth of it really is that we cannot know exactly how an attack will take place. Especially at a time such as now when sharing information is rampant, it is almost impossible to gauge just how much information an attacker can get on a specific target and how much of that information can be used for an attack.
It annoys me when I hear sweeping statements that targeted attacks always come via email. This is very misleading, and does security defenders a disservice. There have been cases wherein bad actors used email to get into the victim’s environment (with the help of social engineering tricks), but email is not the only vector. Like I said before, attackers decide the very nature of the attack, and their strategy will be most likely driven by the result of their reconnaissance. It is the familiarity with the target that ultimately makes an attack effective, since it plays on the target’s behavior and vulnerabilities, both digital and physical. An attack can involve physically going to a target’s home and it would yield the same results as a digital attack, or even more.
What Can Be Done?
Given this task, is defending against targeted attacks a lost battle for us? I like to think that it’s not. Attackers have a great level of control, and that is a very scary thought, but being aware of it is the first big step. We need to fully understand what we are up against and just how much control they have to be able to take it away from them. But how can we do that, you say? I will discuss more in the future about this, so stay tuned.