What you need to know to survive targeted malware attacks

Targeted attacks require a more granular approach to applying security controls. Tom Olzak looks at ways to survive when your organization becomes a cybercriminal's next target.

Viruses, worms, and rootkits are old news. We all protect ourselves and our organizations from common blanketed attacks that haphazardly flow through the Web looking for targets of opportunity. General phishing attacks are easily detected today, and even our users smell a rat occasionally. Our efforts, however, are affecting the bottom line of cybercrime business enterprises, so they are making it easier for themselves and harder for us by targeting user populations of higher value.

Targeted attacks

Attacks against specific organizations or individuals within those organizations are known as targeted attacks. Rather than throwing malware at the Internet and waiting for reports from whichever vulnerable systems happen to be compromised, targeted attacks use some of the elements associated with social networking. In other words, they present themselves in a form that convinces a targeted user that an email or other electronic object is legitimate. Email filtering solutions allow these messages to pass because they violate no filtering rule.

Targeted attacks don’t have to be complicated. An example of a simple approach is shown in a YouTube video posted by F-Secure. In this example, a PDF file masquerades as a research report; opening the file installs malware that collects information from the user’s machine. The takeaway from this example is the approach: like Trojans, targeted attacks look real and relevant.

Relevance is very important when targeting senior management or other key employees. Attackers might investigate a company for months to identify:

  • individuals in the target organization who have access to desired information;
  • major projects in process;
  • common business partners, vendors, etc.; and
  • names and email addresses of individuals who regularly send mail to target users.

Using this information, an attacker can create emails relevant to a business deal, project, etc. He or she will probably spoof the source addresses, making the messages look like they came from a business or individual with whom the target users already communicate regularly.

The goal of an attacker using these methods is stealth. To be able to collect as much information as possible from the target user, the malware must be hidden (as in a rootkit) and the transfer of information must look like normal network traffic. Because of these requirements, and because each attack might be unique in appearance, it is difficult for security teams to identify them using anti-malware or IPS/IDS solutions. But it isn’t impossible.

Defense

The first line of defense is not a piece of software or a network appliance. Rather, it is understanding that the laptops and desktops of key employees are valued targets for cybercriminals. Compromising these devices provides the opportunity to collect information used or created by the target user. Consequently, users in the organization with the broadest access, or access to the most sensitive information, are at the top of an attacker’s list.

So who are these users? The best choice for an attack in most organizations is senior management. Senior management includes C-level executives and department heads. And unfortunately, the computers used by these individuals are often the least protected.

In many organizations, there is a double-standard applied when implementing security controls. Many executives believe they are smart enough, and responsible enough, to avoid malware infestation. Even if they don’t believe this, they still prefer not to have to deal with the restrictions imposed on the rest of the workforce. When this double-standard exists, it presents a large attack surface to an attacker using a targeted approach.

It isn’t just senior managers, however, who are targets. Many users who process the most sensitive information in an organization still have the level of access on their local workstations needed to deploy data-collecting malware.

To help meet the challenges of targeted attack defense, I recommend the following:

  1. Eliminate any double-standard used when applying security controls. Senior managers should understand that they are increasingly at higher risk as attackers shift from broad- to narrow-scope attempts to compromise internal systems.
  2. Under no circumstances should a business user who processes sensitive information have local administrator access to his or her computer. Even if a user opens an infected attachment, there is a good chance it can’t install. This is the best way to throw up a wall between the target and the attacker.
  3. Aggressively enforce the principle of least privilege. This limits the amount of information breached if a compromise occurs. Least privilege must also apply to IT staff. Compromising a network or server administrator’s system is an attacker jackpot. IT staff should only use administrator accounts when necessary to perform specific tasks. Further, just because an administrator can create business user accounts doesn’t mean he or she should have access to router and switch configuration privileges.
  4. Ensure all systems are patched, including applications.
  5. In addition to intrusion prevention, configure your IPS devices to prevent or detect unwanted or unusual outgoing connections between internal systems and external destinations. Extrusion detection/prevention is an important element of a targeted attack defense.
  6. User awareness of the threat is necessary. This begins with training users about how targeted attacks work and how to react to a possible threat. Training is followed by including targeted threat awareness information in the existing security awareness material.
  7. And finally, common controls must remain in place. These include anti-malware software, intrusion detection/prevention solutions for both host and network, email filtering, etc.
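Recommendation 5 (extrusion detection) and the earlier point that stolen data "must look like normal network traffic" are easier to act on with a concrete picture of what "unusual outgoing connections" can mean. The following is an added example, not code from the post or from any vendor's IPS: it runs three egress checks over constructed connection-log lines. The hostnames, the addresses (taken from the IETF documentation ranges), the per-host baseline of known destinations, the list of high-value hosts and every threshold are assumptions made for the illustration.

```python
"""Egress (extrusion) anomaly checks over constructed connection-log lines.

Three illustrative rules (thresholds are assumptions, not vendor defaults):
  NEW_DESTINATION  a high-value workstation contacts an external destination
                   absent from its learned baseline
  BEACONING        repeated connections to one external destination at nearly
                   constant intervals, the check-in pattern of a hidden agent
  VOLUME           bytes sent to one external destination exceed a threshold
"""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp,src_host,dst_ip,dst_port,bytes_out
SAMPLE_LOG = """\
2010-03-01T09:00:00,cfo-laptop,192.0.2.10,443,1200
2010-03-01T09:05:00,cfo-laptop,192.0.2.10,443,1180
2010-03-01T09:10:00,cfo-laptop,192.0.2.10,443,1210
2010-03-01T09:15:00,cfo-laptop,192.0.2.10,443,1195
2010-03-01T09:20:00,cfo-laptop,192.0.2.10,443,1205
2010-03-01T09:02:00,cfo-laptop,10.0.0.5,445,52000
2010-03-01T09:30:00,cfo-laptop,198.51.100.7,443,9000000
2010-03-01T09:31:00,hr-desktop,203.0.113.9,443,4000
2010-03-01T10:00:00,hr-desktop,203.0.113.9,443,4100
"""

# Assumed baseline: external destinations each host was seen using last month.
BASELINE = {"cfo-laptop": {"203.0.113.9"}, "hr-desktop": {"203.0.113.9"}}
# Assumed list of workstations belonging to users with broad or sensitive access.
HIGH_VALUE_HOSTS = {"cfo-laptop"}
# The organization's own address space; traffic staying inside it is not egress.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Parse CSV lines into (timestamp, src_host, dst_ip, bytes_out) tuples."""
    fields = ["ts", "src_host", "dst_ip", "dst_port", "bytes_out"]
    reader = csv.DictReader(io.StringIO(text), fieldnames=fields)
    return [(datetime.fromisoformat(r["ts"]), r["src_host"],
             r["dst_ip"], int(r["bytes_out"])) for r in reader]


def is_external(ip_text):
    """True when the destination lies outside the organization's networks."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def detect_extrusion(log_text, baseline, high_value_hosts,
                     volume_threshold=5_000_000, min_beacons=4, max_jitter=0.1):
    """Return (rule, host, dst_ip) alerts for the external flows in log_text."""
    flows = defaultdict(list)
    for ts, host, dst, nbytes in parse_log(log_text):
        if is_external(dst):
            flows[(host, dst)].append((ts, nbytes))

    alerts = []
    for (host, dst), events in sorted(flows.items()):
        events.sort()
        # Rule 1: unknown destination from a workstation we watch closely.
        if host in high_value_hosts and dst not in baseline.get(host, set()):
            alerts.append(("NEW_DESTINATION", host, dst))
        # Rule 2: low-jitter periodic connections (coefficient of variation).
        if len(events) >= min_beacons:
            gaps = [(b[0] - a[0]).total_seconds()
                    for a, b in zip(events, events[1:])]
            mean_gap = statistics.mean(gaps)
            if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_jitter:
                alerts.append(("BEACONING", host, dst))
        # Rule 3: more data leaving for one destination than the window allows.
        if sum(n for _, n in events) > volume_threshold:
            alerts.append(("VOLUME", host, dst))
    return alerts


if __name__ == "__main__":
    for alert in detect_extrusion(SAMPLE_LOG, BASELINE, HIGH_VALUE_HOSTS):
        print(*alert)
```

On the constructed log, the CFO's laptop trips all three rules (a regular five-minute check-in to an unknown address, then a large transfer to another), while the HR desktop, talking only to a baselined destination in small amounts, stays quiet; the internal SMB transfer to 10.0.0.5 is ignored because extrusion checks look only at traffic leaving the organization. A real deployment learns the baseline from weeks of traffic rather than a literal, and tunes the jitter and volume thresholds per host class, which is exactly the "granular" treatment of high-value systems the post argues for.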

The final word

Nothing in this post falls outside the realm of common sense. However, we tend to apply less restrictive controls to individuals as we move higher in the organizational chart. This is a mistake when defending against targeted attacks. It is also a mistake to apply only basic security controls to all systems without considering that there may be one or two user systems that need a little more care. No, this isn’t always easy. But it is increasingly necessary.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

21 comments
john barker

ms security essentials hacker have patter the way they work they use chat now facebook had one last night from norway he try to hack me could not so he used john1 i hope they got him i kept his page and adress thanks to yahoo i got the info out use your sense when brosing no cross link files adon if afile wont on make sure who it from i have got 6 hacker so far it the way they work that tip you off i could say more but that for now john barker at msandjohn

JandNL

John, some of your posting is unclear: 1. "he try to hack me could not so he used john1" What is john1? 2. "when broWsing no cross link files adon if a_file wont on make sure who it's from" What do these two thoughts mean? Thanks in advance.

seanferd

They are all unpunctuated, loosely strung together streams of just enough knowledge to be dangerous. Seems like a nice enough fellow, though. Was John Baker one of the aliens in Buckaroo Banzai?

AnsuGisalas

Some interfaces aren't so good at the layout end of things. I haven't seen any signs of ill will either.

Jaqui

Since for 2, any Unix or Unix-like system makes that a given. The only time admin rights are needed is to perform admin tasks, by default. For 3, it's not hard to set different levels of admin access through user groups on Unix and Unix-likes. And any organization using the same password for networking appliances as for system admin needs to change their practices; they are asking for trouble. Edit for typos.

QAonCall

But I think the point was not to have people logged in as admin (account) and working. Deal with UAC in Windows/Linux/Unix as you should, by elevating a single privilege, not elevating at login and then working.

JandNL

As with anything one was not expecting, recipients should verify that an email and/or attachment was sent from someone who SHOULD be emailing them. If there is anything questionable, forward the email--with headers--to the FTC and the "originating" server.

Neon Samurai

This is frightfully timely. Get out of my head! Now, the question is, how do we measure the unknown threats to the business and convince upper management that they are real? "why would someone want my information, it's not important" followed by "how do we know anyone is trying?"

licensedpenetrationtester

Hello. How to identify threats is a simple but again complex task. No one wants to invest in security again as IT expenses are increasing drastically. Periodic risk assessment of IT infrastructure would give you the threats to the IT infrastructure. Check whether your organization has a BCP in place or not; if yes, then see whether it has been tested or not.

Neon Samurai

We can contract third party pentesters to identify points of weakness. I can perform internal audit and point at sensitive information and points of weakness. It still comes down to the intelligence part of answering "who is actively targeting us right now?". As a security professional, I can say that it's better to use strong and frequently changed passwords, but how do I show that there is an active threat which would make use of weak or infrequently changed passwords? I guess the missing component for security intelligence is the honeynet clearly demonstrating break-in attempts and backtracing to provide some basis of "who".

Neon Samurai

One may not be able to point at specific attacking groups but one can still point at all the ways someone would get at information. That, and I've always been a "if you don't know how to break it, how can you know how to fix it?" type of person.

AnsuGisalas

Have you asked around? FEMA and others? Insurance companies would know, if they've had to pay for it. Same for banks. Well... anyway, if you can show that there is a business plan for crime that can profit from the info on the system, then it should become clear to management that those profits will be realized unless precautions are taken. It's the thermodynamics of business.

Neon Samurai

If only it was as established as fire or physical theft where the Firemen and Police already have prepackaged statistics and talks ready to go.

AnsuGisalas

Might be showcasing how criminals profit from the info. Business peeps should be able to do the math if it's based on $$$. Police or Insurance might be happy to come do a talk or otherwise provide info.

Neon Samurai

True, inside threats can be more detrimental, but they are also easier to qualify. True that a comprehensive policy accounts for both. The trick is convincing upper management that there is some nebulous threat that justifies applying policy to everybody including them. Something more qualifying than "there might be someone somewhere who might take interest in your mobile computer while outside the office"... how do you qualify policy based on bogeymen? I'm not really talking identifying down to an individual's name like "burth the criminal in West Erindale is trying to get our data". I guess it's more "here are ways someone would get in and what information they can get", then hoping they decide that the threat is real.

AnsuGisalas

Like, the police's? I think wondering about the identity of a culprit (while tempting) is largely a red herring. If it's not Sanjee McColloughan, it's Natalia Dostrojovich, or the Whiled Bunch Cru... it's all a bunch of bums anyway. What's important is that: 1) no-one gets in. Failing that; 2) no-one gets in undetected. Failing that; 3) nothing gets out. Failing that; 4) nothing gets out undetected. Not that finding the culprit isn't a good thing. It just isn't the primary objective on the security end. But all this is just focused on outside threats. Inside threats are worse. Everybody working for the company is an inside threat, even when syngruntled and behaving prudently under prudent guidelines. Additionally, every inside threat carries a greater potential for harm than any outside threat. They know more - odds are in fact, that they already know what the outside threat is trying to figure out. Passwords should be strong. And I think they should be changed *infrequently* enough that no one needs to write them down. That's something that needs to be optimized, I think. Changing them is a luxury that isn't any good if it means you start bleeding post-its.

AnsuGisalas

Camandago. The eye-on-the-man approach to security has definitely got a full plate in front of it. And imagine that some companies affect employee surveillance through logging into their accounts. All these kinds of unprofessional murphy-accelerators, combined with a well-guided attack, and people can be out of business in an hour and not even know it. Scary.

AnsuGisalas

And I don't feel like compromising my email in answering, sorry. So here is the Q, and the A followed in an edit: "I read your post, but I don't fully understand. I'm not a network security professional, but your points seem to be important, and I want to make sure I understand. A few questions if you don't mind: What does an "eye-on-the-man" approach to security mean? "some companies affect employee surveillance through logging into their accounts" Is this not a good practice for companies to follow? Why? Alternatives? What are "unprofessional murphy-accelerators" and what do they do?" First of all; I refer to a blog and a thread: The blog http://blogs.techrepublic.com.com/security/?p=3561&tag=content;leftCol The thread spying in IT http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=332725&start=0&tag=content;leftCol So; eye-on-the-man means focusing on what your users are doing, what they need, how they're endangering security, how they are at risk. This is different than the "eye-on-the-wall" mindset that thinks of "threats" and "defenses". Firewalls are on this side. Both are useful, but for different things. A murphy-accelerator (my own definition) is a way to maximize the potential for a royal fluckup. Like, having managers log into employee accounts. Look at the spying in IT thread for many reasons not to do this. It's not difficult to see what programs people are running, nor is it difficult to see what emails people are sending/receiving. There are ways to do that which aren't guaranteed to screw you over. Did that answer your question?

AnsuGisalas

It just did. EDIT: read the above in a not p'ed off way, please.. :p