At the recent BSides security conference in San Francisco (just before the RSA conference) I had the opportunity to give a talk about targeted attacks and how they are changing the game of cyber defense. The talk was recorded so you can listen to the whole thing, or read a brief summery below.
Sophisticated targeting is one of the most important trends in security right now. Although most of the malware and attacks we see are still un-targeted the biggest and most damaging ones are highly targeted.
- Targeted attacks are harder to detect because they impact a much smaller population.
- Targeted attacks avoid attacking security researchers, bots, and honeypots making discovery and analysis more difficult and time consuming.
- Targeted attacks preserve expensive zero-day exploits from being added to detection signatures.
- Attackers know exactly what they want and what they want to do with it so they can get much more impact for a given effort (whether cash, political impact, revenge, or whatever).
A random attack like a ransomware incident should be no more than an annoyance to a reasonably prepared business. Employees can be trained to avoid clicking on links or attachments in suspicious emails. The same is not true of targeted attacks. A masterfully crafted spear phishing email will fool just about anyone, even the most savvy or expert users. Attack emails will come from people the victim knows and will be written in that person’s style and be completely appropriate to their topics of discussion. Attachments and links will appear normal and expected. Targeted watering hole attacks compromise marquee websites like Forbes and Yahoo, and then avoid detection by only launching attacks against the small handful of desired victims. Far from being in the dark back alleys of the Internet, these attacks happen in the cyber equivalent of noon in Times Square. Because targeted attacks are harder to detect, attackers are willing to deploy their most valuable zero-day or otherwise undetectable exploits and tools. They know that they are likely to remain effective long after the attack. These tools are also the most effective and reliable at penetrating the target company.
Once the attacker is in, they can move directly to getting what they came for. That could be credit card numbers, personal information, business secrets, or just embarrassing emails. The Sony hackers almost certainly knew what they wanted to do with their stolen emails before they started. Likewise the OPM hackers doubtless had very specific plans for the detailed personal information they were able to take. Defending against targeted attacks is also much more difficult. The low volume makes it much less likely that anomaly detection system will trigger. The use unknown tools makes signature detection fail. And attacker research allows them to find a soft entry point to the enterprise and move strategically from there. Businesses need to move quickly towards security that is less reliant on detection for protection. Architectures must contain attacks, minimize damage, and automatically restore systems whether or not they are known to be compromised. Detection and training will always be valuable but we can not rely on them to be effective, especially against targeted attacks.