Security Art's Iftach Ian Amit discusses targeted attacks and how you should go beyond just technology to defend against them.
Some people might be surprised to hear that most targeted attacks aren't directed at a specific individual or item of equipment. Although some strive to reach such victims, normally they focus on a small group of individuals or systems in order to carry out their task.
Targeted attacks are also tasked with greater goals than a traditional attack. For instance, they may intend to steal specific documentation, access custom systems, control or modify information, etc.), but they're not actually that technologically different from "traditional" attacks.
In my experience of the clients we have helped at Security Art, some attacks do utilize some of the most ingenious technologies and techniques. But at the end of the day, when you scrape off the "cool cloak" (custom hiding techniques to make the code bypass security technologies), you realize that we are still dealing with the same vulnerabilities, and the same rootkit and Trojan techniques.
Furthermore, we often see "common" (either commercial or private) tools being used to deploy limited scope attacks with only minor customizations that yield highly successful targeted attacks.
For example, in one of the recent jobs we had which involved tracking down a "generic" detection that kept popping up on a few networks we managed to find that:
* One of the websites that were on a specific person's "favorites" list has been compromised.
* The person in question had his Gmail account stolen (probably phished).
* The person in question had his Google web history turned on (which makes figuring out which sites are most likely to be visited by him/her a very easy task. Just check out your Google web history)
* The website that carried the infection hosted a packed and modified version of SpyEye - a Trojan kit that has proven itself pretty effective and customizable.
* The malicious piece of software was only eventually detected by the local anti-virus software as "generic" after some updates were added to the malware by the attacker. Chances are that they forget to include some of the earlier hiding techniques that they had used.
This dizzying array of events and links, from the specific person that was targeted, to the means of getting his work machine infected by infecting one of the sites that she frequents, to the use of a "commercial" Trojan kit to take over the work PC, is just one small example of the level of ingenuity that can be used in a targeted attack.
So how should we defend against a targeted attack?
As any good consultant will tell you it's not just a technological battlefield.
Just as the attacks usually include a social engineering element, the defense should focus on the weak link: people. Most organizations, however, are still looking for a technical panacea to help them save the day and protect them from attacks.
It's true that a solid layered security approach is an important element in the defense. It should be maintained properly, and most importantly monitored and constantly challenge in order to build a good defensive strategy.
But from my perspective, just as you invest in all the technology and resources to monitor your organization, you should also invest in the business of making your business secure.
This means a true assessment of your business processes, coupled with the right controls, and a bit of proactive intelligence.
Just as we always say to "know your enemy" in terms of the technological aspects that are being deployed against you (ask any competent anti-virus lab), we also preach to know what your enemy is up to before they actually launch their attack (ask any incompetent politician/diplomat).
To sum up, the answer is never technological defenses. After all, the attack is never limited to the purely technical factors.
Targeted attacks are still going to be one of the toughest issues that any somewhat successful organization will deal with. Nothing will beat a good strategy that makes attack surfaces less obvious and more controlled.
Of course, this defense-in-depth strategy should not stop at preemptive intelligence and deterrence, but also take into account minimizing the detection and incident handling cycles in order to minimize the impact of successful attacks (because there's no such thing as 100% security).