Targeted attacks and advanced threats – including Advanced Persistent Threats (APTs) – are some of the most dangerous risks to enterprise systems. However, while the threats and techniques that cybercriminals use are constantly evolving, too many organizations are relying on yesterday’s security technologies and an outmoded mindset to protect against today’s and tomorrow’s threats.
Advanced, specially targeted threats can go undetected for weeks, months, or even years, while their actors slowly and silently gather information and work incrementally to exploit the unique vulnerabilities in their chosen targets’ systems. Unlike regular malware, advanced, targeted threats are actively controlled and managed by the perpetrators. The goal isn’t limited to malware delivery: the objective is to persist inside the enterprise perimeter. These attacks are the result of patient, often painstaking research by actors who are prepared to play a waiting game in the quest for their prize.
For enterprises, recovery initiated a week after a security breach is discovered shows 200% growth compared with recovery initiated on the same day. 15% of enterprises have experienced a targeted attack, with more than 53% of those losing sensitive data as a result. Every corporation big enough to occupy a significant place in its market is a potential target. This doesn’t mean smaller businesses are immune – in many cases, criminals view them as an easy-to-breach stepping stone from which to reach the bigger target. But when it comes to market leaders, the odds of becoming a victim of such an attack increase substantially. It’s not a case of ‘if’ but ‘when’…
INTERNAL AND EXTERNAL FACTORS WHICH LEAD TO A SUCCESSFUL BREACH
Key factors contributing to the success of targeted attacks on IT infrastructures include:
• Hidden and Shadow IT
• Uncontrolled connectivity of IoT devices
• Critical reliance on Digitization
• Lack of preventive capabilities and an over-optimistic view of current perimeter security
• Low employee awareness of information security risks
• Lack of visibility over the IT environment and particularly network routing
• Proprietary and outdated software and operating systems
• Lack of security team qualification regarding malware research, digital forensics, incident response, and threat intelligence
WHO’S DOING THE ATTACKING?
Cybercriminals – who sell data to the highest bidder or simply steal money. They usually develop their cyber tools themselves or buy them on the dark web.
Competitor businesses – looking for confidential data or even committing sabotage. They will usually ‘buy in’ the services of cyber-mercenaries.
Cyber-mercenaries – masters of cyberespionage, they develop their own tools and sell their ‘services’ to the highest bidder.
Hacktivists – claiming to work for a ‘greater good’, they’re inventive, use complex toolsets and present a serious problem for any organization that attracts their attention.
Official agencies – they may deny it, but it’s generally accepted that, the world over, agencies routinely track individuals, groups, and businesses. Their tool sets can be extremely sophisticated, expensive, and hard to detect.
Targeted Attacks – Cybercrime as a Business Profession
Most targeted attacks are overseen by highly experienced cyber-criminals and hackers who know how to adapt each phase of their attack to slip past traditional defenses, exploit weaknesses and maximize the number of valuables they can steal, including money, confidential data, and more. The security geek attackers of the past have metamorphosed into professionals for whom cybercrime is a business. Their sole motivation in targeting and attacking any enterprise is optimum profit – calculated even before launching the attack, on the basis of the associated costs and potential rewards. The objective is, of course, to minimize up-front costs by attacking as cheaply as possible, with maximum financial outcomes. Most targeted attacks use a combination of social engineering and a customized toolset. The cost of launching an effective targeted attack has fallen significantly, with a commensurate increase in the total number of attacks globally. So what’s at stake when an organization like yours falls victim to a targeted attack?
Direct financial losses. Attackers may try to commit cyber-fraud by stealing banking credentials in order to access corporate accounts and conduct fraudulent transactions.
Disruption of key business processes. While some attacks may – merely as a by-product – impair or slow down critical business processes, others may deliberately set out to sabotage them. Even if an attack is discovered, there’s likely to be a further period of disruption while the targeted business conducts investigations and recovers its operations, during which further business opportunities may be lost.
Clean-up costs. After an attack, you can be faced with having to cover a whole host of expenses that haven’t been budgeted for. Recovering systems and processes is likely to involve both capital expenditure and operational expenses – like hiring security and systems consultants.
WHAT’S THE RISK?
• Unauthorized transactions
• Critical data theft or corruption
• Stealth process manipulation
• Undermining by Competitors
• Blackmail extortion
• Identity theft
RISKS TO KEY INDUSTRY SECTORS
• Unauthorized transactions
• ATM attacks with physical cash theft
• Identity theft
• Data manipulation
• Restricted availability of online services
• Identity theft
• Hacktivism acts
Manufacturing and High Technology
• Espionage (know-how)
• Compromised critical technological processes
• Attack on corporate clients using telecoms infrastructure
• Manipulation of mail servers for social engineering
• Billing control
• Manipulation of web resources for phishing purposes
• Using compromised infrastructure (devices/IoTs) for DDoS attacks
Energy and Utilities
• Manipulation of calculation data
• Attacks on technological networks with physical damage
• Compromised web sites (defacement, phishing) and spreading attacks to a mass audience
Healthcare
• Theft of patient information
• Attacks on telemedicine equipment
ANATOMY OF A TARGETED ATTACK
In theory, the targeted attack kill chain seems pretty straightforward: Reconnaissance & Testing, Penetration, Propagation, Execution, Outcome. This might suggest that by automatically blocking the first steps of a multi-stage attack, the attack itself can be thwarted. But in reality, targeted attacks are highly sophisticated and nonlinear in terms of their progression and execution. So automated detection capabilities, continuous monitoring, and threat hunting should all be in place as part of a multi-stage defense strategy.
A targeted attack is a lengthy process that violates security and allows a cybercriminal to bypass authorization procedures and interact with the IT infrastructure, thus avoiding detection by traditional means. So first of all, it is a process – an ongoing activity, a project, rather than a one-off malicious action. According to our experience in monitoring global attacks, such operations tend to last at least 100 days, and for government agencies, large market players, and critical infrastructures, the time can be measured in years. Secondly, the process is aimed at a specific infrastructure, designed to overcome specific security mechanisms, and may well initially involve targeting named employees through email or social media. This is a very different approach from the mass mailings of standard malware-based attackers, who are pursuing completely different goals. In the case of a targeted attack, the methodology and kill chain stages are built around the specific victim. Thirdly, this operation is usually managed by an organized group or team of professionals, sometimes international, armed with sophisticated technical tools. Their activities could be said to be not just a project but more of a full-scale combat operation. For example, attackers might typically compile a list of employees who could become the ‘gateway’ to the target organization’s networks, and study their online profiles and social media activity. After that, gaining control over the victim’s work computer is virtually a solved task. Once the employee’s computer is infected, intruders go on to seize control of the network, from where they can direct their criminal activities.
Targeted attacks are long-term processes that compromise security and give the attacker unauthorized control over the victim’s IT – helping the attacker to avoid detection by traditional security technologies. Although some attacks may use Advanced Persistent Threats (APTs) – which can be very effective but expensive to implement – others may use a single technique, such as advanced malware or a zero-day exploit.
ENTERPRISE SECURITY CHALLENGES
With the risk of sophisticated threats growing exponentially, many enterprises already implement technologies and services in the hope of achieving the next level of visibility and protection against current threats. But without a multi-faceted approach and strategic planning, these efforts can fall short of expectations. Disappointing outcomes of ‘patchy’ or unstructured security investment can include:
- Major investment in a sandbox, in standalone technologies, or in the construction of a SOC, any of which then fail to generate commensurate improvements in security outcomes. Perimeter security techniques like firewalls and anti-malware software can hold their own against some of the more opportunistic attacks. But targeted attacks are a different matter. Some vendors have sought to address APTs using a variety of standalone, discrete products: sandboxes, network anomaly analysis or even endpoint-focused monitoring. While these individual elements all can – and do – offer some protection and blocking of the cybercriminal’s toolset, they’re not enough in themselves to uncover a targeted, coordinated attack. To achieve this requires the detection of multiple events occurring across all levels of the enterprise infrastructure. The information gained can then be processed using a multi-layered analysis system, followed by interpretation applying real-time security intelligence from a trusted source. In other words, your best investment is an approach that integrates the best of many technologies, including sandboxing, network anomaly analysis and endpoint event analysis, into an overall, end-to-end process.
- Current solutions generate too many security events for your SOC team to process, analyze, triage, and respond to within a reasonable timeframe.
- Lack of security skills appropriate to current levels of threat sophistication. Security experts may be skilled in incident detection and fast remediation (golden image, blacklisting URLs/files, building some rules) but not fully qualified to implement a full-circle response process (qualifying risk levels, performing initial analyses, investigation, containment, forensics).
- Lack of operational visibility. During a targeted attack, cybercriminals can easily evade traditional security solutions by using stolen credentials and legitimate software, so that they do not appear to be causing any system violations. Because attackers do their utmost to hide their malicious activities, it can be very difficult for an in-house IT security team to spot an attack – and that means the attackers can continue to cause damage over an extended period. The reality is that malware is responsible for only 40% of breaches – threat actors use a variety of techniques to access company systems. Even when malware is used, 70-90% of it is unique to the organization it’s found in (Verizon Data Breach Investigations Report).
- Difficulty in knowing what expertise to employ and grow in-house, what security tasks to outsource, and what can safely be left to automated systems. With the growing severity of security incidents and their potential impact on overall business effectiveness, one of the main security department challenges is that of fielding a sufficient number and range of appropriately qualified experts.
A fully effective security strategy requires not just continuous monitoring and detection capabilities but a fast response and qualified remediation, with appropriate forensic processes in place. Conventional SOC teams tend to focus on only part of this task – detection and response. The implementation of automated solutions helps free up experts to undertake the next steps in the incident management process, but few enterprises are ready to perform every high-level task in-house. So the challenge is in identifying which elements of the overall process (management, qualifying the risk, prioritization, fast recovery) should be undertaken by the in-house team and which (malware research, digital forensics, incident response, threat hunting) may be more effectively outsourced to specialists.
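As an added illustration of the cross-layer correlation argued for above (example code written for this page, not the vendor’s product), the Python below groups constructed events from endpoint, network and sandbox layers per host, orders them by the kill chain stages listed in the anatomy section, and raises an alert only when the evidence spans more than one layer and more than one stage. The event schema, hostnames and event details are all assumptions.

```python
from collections import defaultdict

# Kill-chain stages as listed on the page, used only to order evidence.
STAGES = ["Reconnaissance & Testing", "Penetration", "Propagation",
          "Execution", "Outcome"]

# Constructed sample events from three detection layers. The schema
# (host/layer/stage/detail) and all values are assumptions for this example.
EVENTS = [
    {"host": "ws-17", "layer": "sandbox",  "stage": "Penetration",
     "detail": "mail attachment verdict: suspicious"},
    {"host": "ws-17", "layer": "endpoint", "stage": "Penetration",
     "detail": "office process spawned a script interpreter"},
    {"host": "ws-17", "layer": "network",  "stage": "Propagation",
     "detail": "authenticated to 12 internal hosts in 5 minutes"},
    {"host": "ws-17", "layer": "network",  "stage": "Outcome",
     "detail": "4 GB upload to a domain never seen before"},
    {"host": "ws-42", "layer": "endpoint", "stage": "Penetration",
     "detail": "unsigned binary written to a temp folder"},
]

def correlate(events, min_layers=2, min_stages=2):
    """Group events per host and flag hosts whose evidence comes from at
    least `min_layers` detection layers and `min_stages` kill-chain stages.
    Event order is deliberately ignored: the page stresses that targeted
    attacks progress nonlinearly, so no fixed stage sequence is required."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in per_host.items():
        layers = {e["layer"] for e in evs}
        stages = {e["stage"] for e in evs}
        if len(layers) >= min_layers and len(stages) >= min_stages:
            alerts[host] = {
                "layers": sorted(layers),
                "stages": sorted(stages, key=STAGES.index),
                "evidence": [e["detail"] for e in evs],
            }
    return alerts

if __name__ == "__main__":
    # ws-17 is flagged; ws-42's single endpoint event alone is not enough.
    for host, alert in correlate(EVENTS).items():
        print(host, alert["stages"], alert["layers"])
```

The single event on ws-42 is exactly the kind of isolated finding a standalone product would surface as noise, while ws-17 only becomes an alert once sandbox, endpoint and network evidence are read together.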
A WORD ON SANDBOXES
Many ‘targeted attack detection solutions’ on the market simply comprise a standalone sandbox. Even vendors with no track record in new, advanced threat discovery claim to offer sandboxes that are often little more than an extension of their anti-malware engines – and have no significant threat intelligence behind them.
Our advanced sandbox is just one part of our integrated detection capabilities. It was developed directly out of our in-lab sandbox complex, technology that has been in use for more than a decade. Its capabilities have been honed on statistics gathered from ten years of threat analysis, making it more mature and more focused on targeted threats than the ‘silver bullet’ sandbox solutions currently on offer.