Targeted Attacks
Targeted attack refers to a type of attack where adversaries seek to actively, quietly, but not necessarily quickly, compromise the security, confidentiality and integrity of the target's information. Attackers performing this type of actions are usually experts - they've got the necessary knowledge, experience and finance to keep going - until they completely counter defences and achieve their goals.
Campaign-oriented
Targeted attacks are usually ongoing campaigns - many of them will be unsuccessful but attackers would keep going until they find a method that will guarantee point of entry.
Ever-improving
Over time, adversaries would improve their tools, tactics and techniques. In most of the scenarios, users (or employees) are the ones attacked - not devices.
Entire industries are under the radar
Usually it is not just one business or a company - it is entire industry that is being targeted. Attackers have long-term goals and are typically financially or politically driven.
The stages
-
1. Intelligence gathering (research)
List Item 1Also known as the reconnaissance phase. Attackers would study the IT environment (software used), organisational structure and management. In some cases they may monitor employee's interests on social media. Oversharing frequently allows threat actors to gain knowledge of hot topics, recent events, work-related issues and concerns and more. This information is useful to customise the attacks.
-
2. Initial AccessList Item 2
The initial compromise varies but will usually include spear phishing, zero-day exploits and other forms of social engineering where employees will be tricked into executing malicious code. It is this code that will allow attackers to move forward to the other stages. Usually a RAT (Remote Access Tool) is most useful for stage 3 described next and it can be combined with kernel-level privileges because this will allow malicious actors to completely kill defences.
-
3. Command and Control (c&c)List Item 3
Attackers will proceed to establish a permanent communication to the tools they've managed to plant and will do their best to hide this communication. They will conduct an in-depth research of the compromised host and this information will be useful for stage 4 described next.
-
4. Lateral movementList Item 4
Using various techniques for credentials discovery and dumping, attackers would compromise more hosts. Malicious routines described in previous stages repeat for every host. This will allow them to proceed to stage 5 described next.
-
5. Asset discovery & Exfiltration
This is usually done through exploring files and folders. Attackers pinpoint machines containing information that could be valuable - this is usually customers and internal projects intelligence.
Information is downloaded onto the attackers machines and business is now totally compromised, left at the mercy of the attackers.
What can business owners do to ensure that their information remains safe from targeted attacks?
Train, train, train again
Make sure employees are trained to recognise phishing and other forms of social engineering.
Guard the doors
Invest in security that guards the doors (web and email. Usually, it is best to use solutions from one provider, seamlessly integrated and easy to manage.
Invest in comprehensive network security
Comprehensive network security that covers C&C blocking and intrusion prevention greatly limits the risk of succesfull attack.
More best practices
- Keep operating system and software up-to-date.
- Make sure employees are not given more privileges than they need to work
- Avoid corporate password reuse
- Always use strong passwords and 2-factor authentication
- Make sure employes do not engage in non-work-related activities on company devices
- Make sure you have an attack recovery plan in place, in case all defences have failed
Additional resources
To understand attacks in depth, it is always recommended to visit the Mitre website. The ATT&CK framework, if not the ABC, certainly is the D of cybersecurity. It describes the different tactics and techniques as well as APT (Advanced Persistent Threat) groups.