Viruses, worms, and rootkits are old news. We all protect ourselves and our organizations from common blanketed attacks that haphazardly flow through the Web looking for targets of opportunity. General phishing attacks are easily detected today, and even our users smell a rat occasionally. However, our efforts are affecting the bottom line of cybercrime business enterprises. So they are making it easier for themselves and harder for us by targeting user populations of higher value.
Attacks against specific organizations or individuals within those organizations are known as targeted attacks. Rather than throw malware at the Internet and wait for reports from random vulnerable, compromised systems, targeted attacks use some of the elements associated with social networking. In other words, they present themselves in a form that convinces a targeted user that an email or other electronic object is legitimate. Email filtering solutions allow these messages to pass since they fail to violate filtering rules.
Targeted attacks don't have to be complicated. An example of a simple approach is shown in a YouTube video posted by F-Secure. In this example, a PDF file masquerades as a research report. Opening the file caused malware to install, which collected information from the user's machine. The takeaway from this example is the approach; similar to Trojans, targeted attacks look real and relevant.
Relevance is very important when targeting senior management or other key employees. Attackers might investigate a company for months to identify:
- individuals in the target organization who have access to desired information;
- major projects in process;
- common business partners, vendors, etc.; and
- names and email addresses of individuals who regularly send mail to target users.
Using this information, an attacker can create emails relevant to a business deal, project, etc. He or she will probably spoof the source addresses, making the messages look like they came from a business or individual with whom the target users already regularly communicate.
The goal of an attacker using these methods is stealth. To be able to collect as much information as possible from the target user, the malware must be hidden (as in a rootkit) and the transfer of information must look like normal network traffic. Because of these requirements, and because each attack might be unique in appearance, it is difficult for security teams to identify them using anti-malware or IPS/IDS solutions. But it isn't impossible.
The first line of defense is not a piece of software or a network appliance. Rather, it is understanding that the laptops and desktops of key employees are valued targets for cybercriminals. Compromising these devices provides the opportunity to collect information used or created by the target user. Consequently, users in the organization with the broadest access, or access to the most sensitive information, are at the top of an attacker's list.
So who are these users? The best choice for an attack in most organizations is senior management. Senior management includes C-level executives and department heads. And unfortunately, the computers used by these individuals are often the least protected.
In many organizations, there is a double-standard applied when implementing security controls. Many executives believe they are smart enough, and responsible enough, to avoid malware infestation. Even if they don't believe this, they still prefer not to have to deal with the restrictions imposed on the rest of the workforce. When this double-standard exists, it presents a large attack surface to an attacker using a targeted approach.
It isn't just senior managers, however, who are targets. Many users who process the most sensitive information in an organization still have the level of access on their local workstations needed to deploy data-collecting malware.
To help meet the challenges of targeted attack defense, I recommend the following:
- Eliminate any double-standard used when applying security controls. Senior managers should understand that they are increasingly at higher risk as attackers shift from broad- to narrow-scope attempts to compromise internal systems.
- Under no circumstances should a business user who processes sensitive information have local administrator access to his or her computer. Even if a user opens an infected attachment, there is a good chance it can't install. This is the best way to throw up a wall between the target and the attacker.
- Aggressively enforce the principle of least privilege. This limits the amount of information breached if a compromise occurs. Least privilege must also apply to IT staff. Compromising a network or server administrator's system is an attacker jackpot. IT staff should only use administrator accounts when necessary to perform specific tasks. Further, just because an administrator can create business user accounts doesn't mean he or she should have access to router and switch configuration privileges.
- Ensure all systems are patched, including applications.
- In addition to intrusion prevention, configure your IPS devices to prevent or detect unwanted or unusual outgoing connections between internal systems and external destinations. Extrusion detection/prevention is an important element of a targeted attack defense.
- User awareness of the threat is necessary. This begins with training users about how targeted attacks work and how to react to a possible threat. Training is followed by including targeted threat awareness information in the existing security awareness material.
- And finally, common controls must remain in place. These include anti-malware software, intrusion detection/prevention solutions for both host and network, email filtering, etc.
Nothing in this post falls outside the realm of common sense. However, we tend to apply less restrictive controls to individuals as we move higher in the organizational chart. This is a mistake when defending against targeted attacks. It is also a mistake to apply only basic security controls to all systems without considering that there may be one or two user systems that need a little more care. No, this isn't always easy. But it is increasingly necessary.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.