There is an old joke about two men being chased by a leopard: one stops to put his training shoes on, the other says; "there's no time for that, you will never be able to run faster than the leopard", the first man replies, "it is only you I need to run faster than!"
Doing better than your competitor used to be a sound enough principle for most IT security. When many attacks were random and any old weakness in a given organisation's defences was sought out, just being better protected than the next businesses was enough to confer an advantage. But this principle breaks down if an attacker is determined that it is your organisation's defences that they want to breach. If the leopard thinks you look meatier, then it may bypass the slow man and put in the effort to catch the tastier target.
This is the essence of targeted attacks in cyber-space. Online thieves have not just become more sophisticated in the techniques they use, they have also become more discriminating in who they go after, seeking out organisations that are most likely to be rich in the assets they want to steal (mainly payment card details). They have had help in honing their techniques from hacktivists whose activities only really make sense if they are targeted at specific organisations that some group disapproves of for some reason.
Cybercriminals and hacktivists are joined by a third force; nation states. As cyber-space becomes the fifth theatre for warfare (along with land, sea, air and space) the defence forces of national governments have been getting involved in the development of malware. Many think nation states were behind both the Stuxnet and Flame malware. Whilst the average bank and pharmaceutical company may feel it is not a direct target of a national government, the development of sophisticated techniques that are funded by nation states will over time enter the arsenals of cybercriminals and hacktivists, just as guns and explosives do in the physical world.
Some use the term advanced persistent threat (APT) as a general terms to describe such attacks. Others reserve it for the work of nation states. Either way, Quocirca prefers the term targeted attack, it is shorter, more descriptive and plain English (hopefully the Plain English Society would agree). In research conducted for a recent Quocirca report, sponsored by Trend Micro, the participants were equally comfortable with both terms.
The report titled "The trouble heading for your business" is freely available here. At a high level the research presented in the report shows that European organisations (or at least those from Germany, France and the UK) are aware of what targeted attacks are and are rightly concerned about them. This awareness will in part be driven by a lot of high profile reporting in both the IT and general press.
However, it is also because the majority of organisations feel they have at some level been the victim of a targeted attack, with about a third reporting a significant business impact as a result. Most commonly this was the loss of regulated financial data (hello cybercriminals), second was lost business, which could be the result of the disruption caused by the clean-up that inevitably follows any attack or that business disruption was the primary aim of hacktivists.
Most organisations know, or believe, that there is malware running on their servers, PCs and mobile devices that has not been detected by their existing IT security defences. In other words, they accept that traditional IT security technology such as anti-virus, email filtering, firewalls and intrusion prevention systems are not enough anymore; these need to be supplemented by more advanced techniques.
The report looks at available technology for protecting against targeted attacks and the degree to which it has been deployed. As first sight the data looks encouraging, many say they have deployed or are experimenting with better network traffic inspection, file integrity monitoring, behavioural analysis, advanced correlation etc. However, a closer look at the responses suggests that, in many cases it may be that the capabilities of traditional IT security defences are being overestimated.
Nevertheless, there is also evidence presented that these technologies are having an important impact. Those that have deployed them are more likely to have blocked targeted attacks. In other words these organisations are out pacing the laggards and are less likely to fall victim. That said, it does not make them less likely to be a target, if a cybercriminal or hacktivist decides it is your organisation they want to penetrate they will keep looking until they find a weakness. Put on those metaphorical training shoes by all means, but don't then become complacent.
Quocirca's free research report, "The trouble heading for your business", can be viewed and/or downloaded here
Bob Tarzey is a director at user-facing analyst house Quocirca. As part of the Quocirca team, which focuses on technology and its business implications, Tarzey specialises in route to market for vendors, IT security, network computing, systems management and managed services.