Published on July 7th, 2015 | by admin
The Evolution of Targeted Attacks
Once upon a time, the life of a hacker was a simple one. They would write a virus and push it out to whoever was unlucky enough to pick it up. The Brain boot sector virus, for example, written in 1986 and generally considered the first virus for IBM PC-compatible machines, spread on infected 5.25-inch floppy disks. This was a scattergun approach: opportunistic, hitting anyone and everyone who came into contact with it. Everyone was a target.
Fast forward to today: attackers now focus their efforts on carefully chosen targets. They work to a well thought out criminal plan, and they execute that plan by first determining who or what is the weakest link.
The old scattergun approach to infecting computer systems with malware was not without its rewards. Mass infections can pay handsomely: malware that acts as a keylogger, capturing keystrokes, can harvest login credentials for online banking and other services and send them back to the attacker's command and control server.
The brothers who wrote the Brain boot sector virus did so as a development project, a hobby. Criminal minds soon recognized that malware could be used to get at data and steal credentials, and virus writing moved out of the hobbyist's domain and into the criminal world of modern hacking.
Spam-based malware was also very popular in the early 2000s. Infected machines and hijacked email accounts were used to send out massive volumes of spam selling 'cheap Viagra', again an example of the opportunistic style of attack.
Once the criminal world became involved in cyber attacks, it looked for more sophisticated and targeted ways of reaching the right person. Criminals did not want to rely on low-level, uncontrolled, opportunistic attacks; they wanted to go for gold.
The infamous Stuxnet was one of the first truly targeted pieces of malware. Stuxnet was a worm that attacked industrial control systems at some 14 industrial sites in Iran, with the aim of sabotaging the infrastructure and machinery they controlled. The attack was most likely initiated by a nation state, although no attribution has ever been officially confirmed. Cyber-war threats of this kind continue today, but the basis of the attack, its targeted nature, has since been taken up by the wider criminal community, which is looking for financial gain rather than for ways to hurt a nation state.
The How and Why of Targeted Attacks
Gartner has shown that worldwide security spending reached almost $71 billion in 2014, an increase of around 8% on 2013, and it expects spending on information security to rise by a further 8% in 2015, much of it going on data loss prevention. As security spending increases, cybercriminals need to find more innovative ways of getting their malware in. They have seen how clever and successful attacks like Stuxnet were and have decided to emulate them, this time for financial gain.
Attackers look for the weakest link in the chain. This may be an individual, or it may be a vendor within a supply chain, perhaps an SMB that does not have the same security resources as its larger corporate customers. They are after data: intellectual property, Personally Identifiable Information (PII), credit and debit card data and other sensitive information. Data is big money to cybercriminals, and it does not even have to be a direct payout they are looking for. Much of the data stolen in recent attacks, such as the Anthem breach disclosed in early 2015, has been used in secondary attacks, for example in phishing campaigns that use the stolen personal details to look legitimate.
Individuals are typically targeted through social engineering combined with spear phishing emails, and spear phishing is very successful. The APWG's Global Phishing Survey found 756 targeted institutions in 2014, the most ever recorded, and found the range of targeted companies to be diverse, showing that cybercriminals are looking for new opportunities. Security firm FireEye reported in its 2014 study of spear phishing attacks that spear phishing emails had an open rate of 70%, and that 50% of those who opened them clicked the enclosed links to malicious web sites. The success of spear phishing is owed to the attacker's manipulation of human behavior: the emails really do look genuine, and it takes a very keen eye to spot them, even with training.
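A keen human eye can be backed up by a few mechanical checks. The following is an added example, not code from the original article or from any vendor named in it: it flags the three tricks that make a spear phishing email look genuine, a sender domain that imitates a trusted one (digit-for-letter swaps, a dropped hyphen, or the real domain used as a subdomain of an attacker's domain), a Reply-To that silently redirects replies elsewhere, and body links that point at a look-alike host. The trusted domain list and both messages are constructed for the example; "Example Bank" is hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the hypothetical "Example Bank" legitimately mails from (constructed list).
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Substitutions attackers use to build look-alike domains: digits that resemble
# letters, and letter pairs that render like a single letter.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def normalise(domain):
    """Undo common homoglyph tricks so the domain can be compared to the real one."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; catches one-character additions, drops and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None                        # the real domain, or a real subdomain of it
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm.startswith(trusted + "."):     # example-bank.com.secure-login.net
            return trusted
        if edit_distance(norm, trusted) <= 1:  # examp1e-bank.com, examplebank.com
            return trusted
    return None


def assess_message(raw):
    """Return a list of (check, detail, reference) tuples; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hit = lookalike_of(from_domain)
    if hit:
        findings.append(("from-lookalike", from_domain, hit))

    # A Reply-To on a different domain means replies go somewhere the From header hides.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", reply_domain, from_domain))

    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in URL_RE.findall(body):
        host = host.split("@")[-1].split(":")[0]   # strip any userinfo and port
        hit = lookalike_of(host)
        if hit:
            findings.append(("link-lookalike", host, hit))
    return findings


# Constructed sample messages, not real mail.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: verify@mail-examplebank-secure.net
To: jane.doe@example.com
Subject: Action required: confirm your login

Dear Jane, unusual activity was detected. Confirm your identity at
http://example-bank.com.secure-login.net/verify within 24 hours.
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: jane.doe@example.com
Subject: Your monthly statement is ready

View your statement at https://www.example-bank.com/statements
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess_message(sample))
```

The homoglyph table and the distance threshold of one are deliberately narrow; widening either raises false positives on unrelated domains, so in practice the trusted list should be the handful of brands your users actually receive mail from, not the whole internet.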
Watering hole attacks are another vector used to infect enterprise systems with malware. These are stealthy attacks: the attackers watch which web sites the targeted organization's staff use regularly, whether supplier portals or external sites, and compromise those sites so that they serve malware. Again the attack exploits the human tendency to trust: people do not expect a site they use every day to infect them.
Supply chain attacks are used by cybercriminals to work their way up the chain into the larger enterprise. The attacker compromises the chain's weakest link, a smaller vendor, and then uses that vendor's trusted relationships, such as its network connections, credentials or the software and documents it supplies, to reach the vendor's customers.
Advanced Persistent Threats, or APTs, are rapidly becoming the tactic of choice for cybercriminals. These slow-burning attacks sit quietly inside a network, building up intelligence on the company and using it to locate and steal ever more sensitive data. APTs are a prime example of a technique moving from government use into the hands of ordinary cybercriminals operating in a commercial context.
And not to be forgotten, insider attacks are a form of targeted attack. Disgruntled employees may have been co-opted into the attack by outside forces, or may simply be targeting their employer for personal reasons.
Examples of Targeted Attacks
In recent years the number of highly targeted attacks has risen, and it is not just large corporations that are being attacked. According to Symantec's Internet Security Threat Report 2015, 60% of targeted attacks in 2014 were against SMBs.
- The Carbanak APT, which targeted financial institutions, is estimated to have cost its victims around $1 billion.
- The Anthem attack mentioned above was a highly targeted attack that gained access to the health insurer's IT systems, resulting in the loss of PII from close to 80 million personal records.
- One of the latest and most sophisticated targeted attacks is Duqu 2.0, which used social engineering to gain a foothold in a number of targets, including the security firm Kaspersky Lab and several telecoms companies.
How to Manage a Targeted Attack
Getting to grips with such persistent and targeted attacks takes more than anti-virus software. We are now in the realm of analytics, behavioral analysis and intelligence. We can no longer rely on the first generation of security tools; we need to move to a new generation of security analysis that gives us the foresight to recognize patterns in security events and to spot unusual behavior before we are infected, or at least tells us that we are infected and where to look. Visualizing the attack footprint is the goal: we must keep ahead of the cybercriminals, and beat them at their own game by turning their stealth tactics against them.
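One concrete form of the behavioral analysis argued for here, and the kind of pattern that betrays the slow-burning APT described earlier, is timing regularity. An implant that checks in with its command server on a timer produces outbound requests at near-constant intervals, which is not how people browse. The following is an added example, not code from the original article: it groups a web proxy log by (client, destination) and flags pairs whose inter-request gaps have a very low coefficient of variation. The log lines, IP addresses and host names are constructed for the example; the thresholds are starting points to tune, not established values.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line: "<ISO time> <client IP> <destination host> <bytes sent>".
# 10.1.2.30 visits cdn.example.net at irregular, human-driven times and contacts
# update.example-vendor.com every ten minutes with a few seconds of jitter.
SAMPLE_LOG = """\
2015-07-06T09:00:00 10.1.2.30 cdn.example.net 412
2015-07-06T09:00:05 10.1.2.30 update.example-vendor.com 1210
2015-07-06T09:01:00 10.1.2.30 cdn.example.net 380
2015-07-06T09:03:30 10.1.2.30 cdn.example.net 9020
2015-07-06T09:10:00 10.1.2.30 update.example-vendor.com 1198
2015-07-06T09:12:00 10.1.2.30 cdn.example.net 455
2015-07-06T09:12:10 10.1.2.30 cdn.example.net 12000
2015-07-06T09:20:03 10.1.2.30 update.example-vendor.com 1205
2015-07-06T09:29:58 10.1.2.30 update.example-vendor.com 1211
2015-07-06T09:40:01 10.1.2.30 update.example-vendor.com 1199
2015-07-06T09:45:00 10.1.2.30 cdn.example.net 398
2015-07-06T09:50:00 10.1.2.30 update.example-vendor.com 1207
2015-07-06T09:51:00 10.1.2.31 cdn.example.net 2030
"""


def parse_log(text):
    """Turn the raw lines into (timestamp, client, destination, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, sent = line.split()
        events.append((datetime.fromisoformat(ts), client, dest, int(sent)))
    return events


def find_beacons(events, min_events=5, max_cv=0.1):
    """Flag (client, destination) pairs whose request timing is suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a timer-driven implant stays close to 0 even with some
    jitter, while a person clicking around produces widely varying gaps.
    """
    by_pair = defaultdict(list)
    for ts, client, dest, _ in events:
        by_pair[(client, dest)].append(ts)

    beacons = []
    for (client, dest), times in by_pair.items():
        if len(times) < min_events:          # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:                         # all requests in the same second: not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "dest": dest, "requests": len(times),
                            "period_s": round(avg), "cv": round(cv, 4)})
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b['client']} -> {b['dest']}: {b['requests']} requests "
              f"every ~{b['period_s']}s (cv={b['cv']})")
```

Legitimate software updaters and monitoring agents also beacon, so the output is a lead to investigate against an allow list of known agents and destinations, not an alert in itself; attackers who know this check randomize their sleep interval, which pushes the coefficient of variation up and is why the threshold needs tuning per environment rather than a single fixed value.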