A targeted attack is one in which adversaries actively, quietly, but not necessarily quickly, work to compromise the security, confidentiality and integrity of a specific target's information. Attackers carrying out this type of operation are usually experts: they have the knowledge, experience and funding to keep going until they have defeated the defences and achieved their goals.
Campaign-oriented
Targeted attacks are usually ongoing campaigns. Many attempts will fail, but the attackers keep going until they find a method that gives them a reliable point of entry.
Ever-improving
Over time, adversaries improve their tools, tactics and techniques. In most scenarios it is users (or employees) who are attacked, not devices.
Entire industries are on the radar
Usually it is not just one business or company that is targeted but an entire industry. Attackers have long-term goals and are typically financially or politically motivated.
1. Intelligence gathering (research)
Also known as the reconnaissance phase. Attackers study the IT environment (the software in use), the organisational structure and the management. In some cases they monitor employees' interests on social media. Oversharing frequently lets threat actors learn about hot topics, recent events, work-related issues and concerns, and more. This information is used to customise the attacks.
The initial compromise varies but usually involves spear phishing, zero-day exploits and other forms of social engineering in which employees are tricked into executing malicious code. It is this code that allows the attackers to move on to the later stages. A RAT (Remote Access Tool) is usually the most useful tool for stage 3, described next, and it may be combined with kernel-level privileges, which allow malicious actors to disable the defences completely.
The attackers then establish a permanent communication channel to the tools they have planted and do their best to hide that communication. They research the compromised host in depth; this information is useful for stage 4, described next.
Using various credential-discovery and credential-dumping techniques, the attackers compromise more hosts. The malicious routines described in the previous stages are repeated for every host, which allows them to proceed to stage 5, described next.
This is usually done by exploring files and folders. The attackers pinpoint machines containing information that could be valuable, typically customer data and intelligence on internal projects.
The information is downloaded to the attackers' machines. The business is now totally compromised and left at the mercy of the attackers.
Train, train, train again
Make sure employees are trained to recognise phishing and other forms of social engineering.
Guard the doors
Invest in security that guards the doors (web and email). Usually it is best to use solutions from one provider, seamlessly integrated and easy to manage.
Invest in comprehensive network security
Comprehensive network security that covers C&C (command-and-control) blocking and intrusion prevention greatly limits the risk of a successful attack.
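The C&C communication described in stage 3 and the C&C blocking recommended here are illustrated by the following added example; it is not code from the EDR Experts page or from any vendor product. It works over constructed proxy log lines (the "timestamp host destination bytes" format, host names, domains and the blocklist are all invented for the example) and flags a host that contacts one destination at near-constant intervals, which is the beaconing pattern network controls look for, and separately reports destinations that appear on a reputation blocklist.

```python
"""Added example (not from the EDR Experts page): flag hosts whose outbound
connections to a single destination recur at near-constant intervals (a
common sign of C&C beaconing) and match destinations against a blocklist.
The log format, hosts, domains and blocklist below are all constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination> <bytes>".
# ws-017 talks to update.example-vendor.test exactly once a minute; the
# rest of the traffic is irregular browsing, and ws-042 hits a listed domain.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-017 update.example-vendor.test 512
2024-03-01T09:00:04 ws-017 news.example.test 20480
2024-03-01T09:01:00 ws-017 update.example-vendor.test 514
2024-03-01T09:01:37 ws-017 mail.example.test 8192
2024-03-01T09:02:00 ws-017 update.example-vendor.test 511
2024-03-01T09:02:51 ws-017 docs.example.test 30211
2024-03-01T09:03:00 ws-017 update.example-vendor.test 515
2024-03-01T09:03:18 ws-017 news.example.test 17333
2024-03-01T09:04:00 ws-017 update.example-vendor.test 513
2024-03-01T09:05:00 ws-017 update.example-vendor.test 512
2024-03-01T09:00:10 ws-042 news.example.test 15000
2024-03-01T09:00:45 ws-042 mail.example.test 9000
2024-03-01T09:02:30 ws-042 docs.example.test 22000
2024-03-01T09:02:58 ws-042 known-bad.example.test 300
2024-03-01T09:03:05 ws-042 news.example.test 18000
2024-03-01T09:04:20 ws-042 mail.example.test 7000
"""

# Constructed blocklist standing in for a C&C reputation feed.
BLOCKLIST = {"known-bad.example.test"}


def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions


def inter_arrival_gaps(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """Coefficient of variation of the gaps: 0 means perfectly periodic.
    Returns None when there are too few connections to judge."""
    gaps = inter_arrival_gaps(timestamps)
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return (src, dst, count, mean_gap_seconds, cv) for beacon-like pairs.
    max_cv is the tolerance for jitter; raise it to catch noisier beacons
    at the cost of more false positives from legitimate pollers."""
    flagged = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            gaps = inter_arrival_gaps(stamps)
            flagged.append((src, dst, len(stamps), mean(gaps), round(cv, 3)))
    return flagged


def blocklisted_destinations(text, blocklist=BLOCKLIST):
    """Destinations in the log that appear on the (constructed) blocklist."""
    return sorted({dst for (_src, dst) in parse_log(text) if dst in blocklist})


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon-like:", hit)
    print("blocklisted:", blocklisted_destinations(SAMPLE_LOG))
```

Regularity alone is not proof of compromise: software updaters and monitoring agents also poll on fixed schedules, so a hit like the one above is a lead to triage against an inventory of known pollers, not an alert to act on blindly. Conversely, implants that add random jitter to their check-in interval will push the coefficient of variation up, which is why the threshold is a parameter rather than a constant.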
More best practices
To understand attacks in depth, visiting the MITRE website is always recommended. The ATT&CK framework, if not the ABC, is certainly the D of cybersecurity. It describes the different tactics and techniques as well as APT (Advanced Persistent Threat) groups.
EDR Experts Limited