What you need to know to defend against targeted attacks.
The threat of a targeted attack for any business is real and substantial. It’s vital to ensure that your organization can identify constantly evolving threats, find abnormal and suspicious activity, and take effective action to keep your data safe.
Consider that, on average, attackers are in a network for more than 140 days before they’re detected, and 60% of network intrusions are eventually traced back to credentials, according to Microsoft.
Most successful targeted attacks follow six steps or stages, though it’s important to remember that these steps often run in parallel. Multifaceted attacks are common, so a robust threat response plan should address all six steps and avoid jumping to conclusions.
It’s not just about implementing the latest safeguards and software tools; awareness is paramount if you want to keep your data safe. After all, cybersecurity is only as strong as your weakest link — your employees.
Reconnaissance
Every attack begins with a reconnaissance mission where attackers gather data about their target, but this step continues throughout the life cycle of a targeted attack. The more data attackers can find about how your network operates or where the weak spots are, the more likely it is that they’ll pull off a successful attack. A lot of that data can only be accessed within company networks, so intelligence gathering continues well beyond the initial penetration.
Finding or creating entry points
Spear phishing emails are still disturbingly effective. Amazingly, 30% of them still get opened, according to Verizon research. A range of different employees may be targeted to help attackers create a complete picture of the network.
Watering hole attacks, where a frequently visited website for the target organization is compromised to gain entry to the target network, are also growing in popularity. Once in, attackers add backdoors to systems wherever they can, creating more and more possible entry points in case older routes are discovered and closed off.
Command and control
For a targeted attack to be effective, the attackers need to be able to take control of compromised computers and other devices and make them speak to each other. This communication creates a certain amount of noise.
Attackers go to great lengths to hide command-and-control (C&C) traffic, often turning internal servers reached through their backdoors into relays that are then used to compromise and control other machines on the target network.
Lateral movement
Too many security systems focus on building a wall designed to keep attackers out. It may be difficult to gain access to a specific system, but once inside one system, it is often a much simpler prospect for attackers to spread laterally and gain access to more.
Sometimes they can even use legitimate system administration tools to hide their activity, grant more privileges to compromised accounts and devices, and gather more intelligence on how to perpetuate and spread the attack.
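Because lateral movement often rides on legitimate credentials and administration tools, the signal a defender has is behavioural: one account reaching an unusual number of hosts in a short window, or one workstation being used by several accounts. The following is an added example, not code from the original article; the authentication events are constructed for illustration and the field layout (timestamp, account, source host, destination host) is assumed, since real data would come from a domain controller or endpoint agent.

```python
"""Spot lateral-movement-style fan-out in authentication events.

Added example with constructed sample data; field names are assumed and do not
correspond to any particular product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, account, source host, destination host)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "ws-01", "file-01"),
    ("2024-01-10T09:05:00", "alice", "ws-01", "mail-01"),
    ("2024-01-10T11:30:00", "bob", "ws-07", "file-01"),
    # a service account sweeping through servers at 2 a.m. from a user workstation
    ("2024-01-10T02:10:00", "svc-backup", "ws-07", "srv-01"),
    ("2024-01-10T02:11:00", "svc-backup", "ws-07", "srv-02"),
    ("2024-01-10T02:11:30", "svc-backup", "ws-07", "srv-03"),
    ("2024-01-10T02:12:00", "svc-backup", "ws-07", "srv-04"),
    ("2024-01-10T02:13:00", "svc-backup", "ws-07", "srv-05"),
    ("2024-01-10T02:14:00", "svc-backup", "ws-07", "dc-01"),
]


def parse_events(rows):
    """Turn the raw tuples into (datetime, account, src, dst) records."""
    return [(datetime.fromisoformat(ts), acct, src, dst) for ts, acct, src, dst in rows]


def fanout_alerts(events, window=timedelta(minutes=15), threshold=5):
    """Return accounts that reached at least `threshold` distinct hosts
    inside any sliding window of length `window`."""
    by_account = defaultdict(list)
    for ts, acct, src, dst in events:
        by_account[acct].append((ts, src, dst))
    alerts = []
    for acct, rows in by_account.items():
        rows.sort()  # chronological order so the window scan below is valid
        for i, (start, _, _) in enumerate(rows):
            hosts = set()
            for ts, _, dst in rows[i:]:
                if ts - start > window:
                    break
                hosts.add(dst)
            if len(hosts) >= threshold:
                alerts.append((acct, start.isoformat(), sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


def pivot_sources(events, min_accounts=2):
    """Return source hosts from which more than one account authenticated,
    a common sign that a single machine is being used as a pivot."""
    accounts_by_src = defaultdict(set)
    for _, acct, src, _ in events:
        accounts_by_src[src].add(acct)
    return sorted((src, sorted(accts)) for src, accts in accounts_by_src.items()
                  if len(accts) >= min_accounts)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for acct, when, hosts in fanout_alerts(evts):
        print(f"fan-out: {acct} reached {len(hosts)} hosts from {when}: {hosts}")
    for src, accts in pivot_sources(evts):
        print(f"pivot: {src} used by {accts}")
```

The thresholds are deliberately loose starting points; in practice they are tuned per account class (a backup service account legitimately touches many hosts, but rarely from a user workstation at 2 a.m.), which is why the alert carries the source host and the window start rather than just the account name.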
Maintaining the attack
Targeted attacks are not about smashing and grabbing. They are often sustained infiltrations designed to remain in place undetected for months or even years.
As long as there is valuable data to be exfiltrated, it’s in the interests of the attacker to keep the attack operational. That means spreading control, identifying and creating new points of entry, and possibly even patching vulnerabilities to ensure that other attackers can no longer gain entry the same way they did.
Data exfiltration
At the end of the day it’s all about data exfiltration. This is usually the entire point of the attack, but it’s also one of the riskiest steps. Extracting data is virtually impossible to do without creating noticeable network traffic that could expose the attack. Stolen data may be hidden elsewhere in the target network for later extraction while attackers build a stash large enough to justify the risk of discovery, or until they find a way to hide the network traffic.
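Both the C&C traffic described under "Command and control" and the exfiltration traffic described here leave the "noise" the article refers to, and it is visible in ordinary outbound flow records: C&C check-ins tend to arrive at suspiciously regular intervals, and a stash leaving the network shows up as an outbound volume far above what the host normally sends. The block below is an added example that is not part of the original article; the flow records are constructed for illustration, the field layout (timestamp, source host, destination IP, bytes out) is assumed, and the IPs come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
"""Two network-side checks a defender can run over outbound flow records:
interval regularity (beaconing) and per-host outbound volume outliers.

Added example with constructed data; field names are assumed and real records
would come from a firewall, proxy or NetFlow collector.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed flows: (timestamp, source host, destination IP, bytes sent out)
SAMPLE_FLOWS = [
    # a compromised workstation checking in with a C&C server about once a minute
    ("2024-01-10T02:00:00", "ws-07", "203.0.113.10", 512),
    ("2024-01-10T02:01:01", "ws-07", "203.0.113.10", 512),
    ("2024-01-10T02:01:59", "ws-07", "203.0.113.10", 512),
    ("2024-01-10T02:03:00", "ws-07", "203.0.113.10", 512),
    ("2024-01-10T02:04:02", "ws-07", "203.0.113.10", 512),
    ("2024-01-10T02:04:58", "ws-07", "203.0.113.10", 512),
    ("2024-01-10T02:06:00", "ws-07", "203.0.113.10", 512),
    # ordinary, irregular browsing from a user workstation
    ("2024-01-10T09:00:00", "ws-01", "198.51.100.5", 18000),
    ("2024-01-10T09:00:05", "ws-01", "198.51.100.5", 22000),
    ("2024-01-10T09:07:30", "ws-01", "198.51.100.5", 15000),
    ("2024-01-10T09:30:00", "ws-01", "198.51.100.5", 31000),
    ("2024-01-10T10:15:00", "ws-01", "198.51.100.5", 9000),
    ("2024-01-10T10:16:00", "ws-01", "198.51.100.5", 27000),
    ("2024-01-10T11:00:00", "ws-01", "198.51.100.5", 18000),
    # a file server pushing a large stash out in one night-time transfer
    ("2024-01-10T03:00:00", "file-01", "203.0.113.22", 2_000_000_000),
    ("2024-01-10T10:00:00", "file-01", "198.51.100.5", 5000),
]


def parse_flows(rows):
    """Turn raw tuples into (datetime, src, dst, bytes) records."""
    return [(datetime.fromisoformat(ts), src, dst, nbytes) for ts, src, dst, nbytes in rows]


def beacon_candidates(flows, min_flows=6, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive flows; human-driven traffic is bursty, so its
    CV is large, while a timer-driven check-in keeps it small."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue  # too few samples to say anything about the rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            hits.append((src, dst, round(avg)))
    return hits


def volume_outliers(flows, factor=50):
    """Flag hosts whose total outbound bytes exceed `factor` times the median host."""
    totals = defaultdict(int)
    for _, src, _, nbytes in flows:
        totals[src] += nbytes
    baseline = median(totals.values())
    return sorted((src, total) for src, total in totals.items() if total > factor * baseline)


if __name__ == "__main__":
    fl = parse_flows(SAMPLE_FLOWS)
    for src, dst, period in beacon_candidates(fl):
        print(f"beacon-like: {src} -> {dst} roughly every {period}s")
    for src, total in volume_outliers(fl):
        print(f"volume outlier: {src} sent {total} bytes")
```

Neither check is conclusive on its own: a monitoring agent also beacons, and a legitimate off-site backup also sends a lot of data. Their value is in narrowing the internal traffic the article says must be scrutinized down to a handful of host and destination pairs that an analyst can then explain or escalate.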
It’s sensible and worthwhile to build secure defenses from the wider internet, but organizations must also scrutinize internal traffic and systems. It is only by continually monitoring, analyzing and testing your security that you have any chance of uncovering and foiling targeted attacks. Understanding how attackers think can help you plan a solid defense and create a response plan that will work.