Trend Micro's Spencer Hsieh published a blog recently that caught my attention. It's focused on misconceptions surrounding targeted attacks. It's an interesting read, which I thought was worth sharing on Salted Hash.
In his post, Hsieh said that Trend commonly comes up against these mindsets while working with organizations of all shapes and sizes. I don't agree with everything he wrote, but that's because I'm not a fan of the term APT, or Advanced Persistent Threat. To me, it's a marketing term that can be leveraged to spread FUD.
Still, marketing aside, I've picked out two of the misconceptions and covered them below.
Targeted attacks are a one-time effort:
"Some IT administrators tend to think that targeted attacks are a one-time effort — that being able to detect and stop one run means the end of the attack itself. The truth, however, is that targeted attacks are also known as APTs because the term describes the attack well: advanced and persistent. The attacks are often well-planned and dynamic enough to adapt to changes within the target network. Being able to trace and block an attempt will mean that elimination of the threat..."
This isn't wrong, but if you look at the high-profile attacks that have emerged in the last year or so, the easiest thing to remember is that if an attacker wants your assets, they're going to get them. If it takes 100 or 1,000 attempts, then that's exactly what an attacker will do.
The problem is, most attackers rarely need to do anything all that advanced to accomplish their goals. Often, all they'll do is send a few phishing emails, exploit a known vulnerability in Word or Adobe (maybe even Java), or compromise an account using weak or default credentials.
That's hardly advanced. In fact, attackers have a wide range of tools available to automate the process. Interestingly enough, defenders can use the same tools to strengthen their defenses. Two tools that spring to mind are Metasploit and the Social-Engineer Toolkit.
At the same time, it's only right that security teams do everything they can to make an attacker's goals nearly impossible to attain. Still, the best bet is to have a plan in place to detect incidents quickly and mitigate them, with recovery plans ready to put into action when mitigation fails. But remember, plans need to be monitored, adjusted, and tested regularly - because DR plans that address imaging NT4 systems on a network pushing Windows 8.1 are useless.
Targeted attacks are a malware problem:
"The last misconception I’ll discuss is quite tricky because it is partly true. IT admins are mostly concerned about having a solution that will prevent malware from getting into their network. Although it is a valid concern, focusing on malware will only solve part of the problem. Targeted attacks involve not only the endpoints, but the entire IT environment. For example, many tools involved in lateral movement are legitimate administration tools. If the solution is focused only on detecting malware, it will not be able to detect the malicious activity. IT admins need to consider solutions that cover all aspects of the network."
This is true.
Malware is just a single stage in an attacker's campaign. Sometimes, they don't even need malware, because the target has enabled them to reach their goals via other means. Direct access such as this can be gained via phishing or by guessing default credentials.
Malware usually plays a part in a given attack because it's a tool. During the Target breach, after the attackers leveraged a third-party vendor's access to the network for themselves, malware was used to siphon credit card details.
When attackers wanted to spy on journalists, they exploited flaws on a series of servers, before downloading and cracking a list of employee passwords from a domain controller. After that, they used the compromised accounts to install malware on workstations. The goal was to obtain information related to a series of stories surrounding a high-profile politician in China.
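As an added illustration of Hsieh's point that lateral movement with legitimate administration tools is invisible to malware-only controls, here is a small detection sketch (mine, not code from the original post or from Trend Micro). The host names, account names, admin-tool list and event format are all constructed assumptions; the idea is to baseline which accounts normally administer which hosts and flag admin-tool use outside that baseline, which is exactly what a compromised account doing what the journalist-spying campaign above did would produce.

```python
from collections import defaultdict

# Assumed list of legitimate admin tools to watch (not from the post).
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "sc.exe", "schtasks.exe"}

# Constructed sample events (not real logs). Each record is
# (account, source_host, dest_host, process_name).
BASELINE_EVENTS = [  # 30 days of routine administration
    ("svc_backup", "mgmt01", "fs01", "sc.exe"),
    ("svc_backup", "mgmt01", "fs02", "sc.exe"),
    ("jdoe", "ws-jdoe", "fs01", "explorer.exe"),
    ("admin_ops", "mgmt01", "dc01", "schtasks.exe"),
]

RECENT_EVENTS = [  # a compromised user account now acting as an admin
    ("svc_backup", "mgmt01", "fs01", "sc.exe"),      # routine, in baseline
    ("jdoe", "ws-jdoe", "fs01", "explorer.exe"),     # routine, not an admin tool
    ("jdoe", "ws-jdoe", "dc01", "psexec.exe"),       # new: workstation user -> DC
    ("jdoe", "ws-jdoe", "fs02", "psexec.exe"),
    ("jdoe", "ws-jdoe", "hr-ws07", "wmic.exe"),
]


def admin_pairs(events):
    """Set of (account, dest_host) pairs that used an admin tool."""
    return {(acct, dest) for acct, _src, dest, proc in events
            if proc in ADMIN_TOOLS}


def flag_lateral_movement(baseline, recent, fan_out=2):
    """Return alert strings for admin-tool use toward hosts an account has
    never administered before, plus a fan-out alert when one account
    reaches `fan_out` or more such hosts (the signature of a pivot)."""
    known = admin_pairs(baseline)
    new_hosts = defaultdict(set)
    alerts = []
    for acct, src, dest, proc in recent:
        if proc in ADMIN_TOOLS and (acct, dest) not in known:
            new_hosts[acct].add(dest)
            alerts.append(f"{acct}: {proc} from {src} to {dest} (no baseline)")
    for acct, hosts in new_hosts.items():
        if len(hosts) >= fan_out:
            alerts.append(f"{acct}: reached {len(hosts)} new hosts with admin tools")
    return alerts


if __name__ == "__main__":
    for alert in flag_lateral_movement(BASELINE_EVENTS, RECENT_EVENTS):
        print(alert)
```

None of the flagged events involves malware; every process in the sample is a legitimate binary, which is why an endpoint anti-malware control alone would report nothing here.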
Hsieh has other points to make on the Trend blog. I won't copy them all here, but the post is worth a read when you get time.
Bottom line, attackers will eventually target your organization, if they're not already doing so. You can do plenty in order to prepare for them, and you can even stop the more common attacks. But there is always that one time, and at that stage in the game the key is in how you deal with the situation and recover from it.