Today’s most damaging attacks are targeted specifically at an organisation’s people, systems, vulnerabilities and data. Advanced targeted attacks are more sophisticated than traditional approaches, using social engineering techniques to quietly penetrate an organisation to deploy customised malware.
The incredibly damaging security breach that Target suffered last year was the most elaborate retail heist in the history of cyber crime, with the prize being financial and personal information on nearly one in three Americans. Ultimately, the attackers exercised what appears to be a two-phased approach to compromising the 40 million credit and debit cards.
The greatest worry is that the US Senate report on the attack, released this week, found that Target missed multiple opportunities to stop the attackers and prevent the data breach. The report suggested that there was no indication that Target responded to warnings that malware was being installed on its system, and ignored automated warnings revealing how the attackers planned to carry data out of Target's network.
Target may be a high profile retail giant but Trend Micro’s 2013 security roundup report showed that no company, regardless of size, is safe from cyber attacks. 2013 saw varied targeted attack campaigns, each with a unique technique. Australia also saw the number of botnet C&C (Command and Control) servers increase by around 65 per cent from Q1 to Q4 2013.
In 2014, cyber criminals will increasingly use targeted attack methodologies like open source research and highly customised spear phishing. The allure of targeted attack techniques goes beyond campaigns’ success rate; they will be adopted because of ease of use and effectiveness in terms of evading detection. We will increasingly see new and more creative ways to monetise stolen data, which will lead to a more competitive cyber criminal market.
Moving beyond the standard
Most Australian CSOs are aware that their networks and systems require defences against targeted attacks carried out by well-equipped, knowledgeable attackers. But as the Target attack, along with so many recent data breaches at home and overseas, has shown us, existing security strategies with a one-size-fits-all approach are no longer enough to deal with the custom nature of targeted attacks and their dedicated perpetrators.
To combat these targeted attacks organisations must look at a custom defence strategy, a new strategy that recognises the need for a specific approach and relevant intelligence that is uniquely adapted to each organisation and its attackers.
That may be an easy statement to make, but how do organisations develop a strategy to help defend against these attacks?
An effective strategy considers more than purely technical concerns: it is the work of malware analysts, security operations centre (SOC) operators, researchers, forensics, penetration testers, operations managers, and crisis managers. A multidisciplinary approach ensures that all aspects of a potential attack can be recognised and the appropriate countermeasures and defences put in place.
Building a custom defence strategy against targeted attacks
An ideal solution and strategy weaves an organisation’s entire security infrastructure into a custom and adaptable defence that is tuned to its particular environment and threat landscape. Custom defence strategies should employ a comprehensive lifecycle that detects, analyses, adapts and responds uniquely to your particular organisation and the threats against it.
When building a custom defence solution, I would recommend incorporating these important elements for the most effective protection:
Understanding. Understanding the threat environment is crucial. Look at the attackers, their methods and the clear goals they have in mind – i.e., to infiltrate the networks of the target and acquire information. By understanding their goals and their psychology, it becomes easier to understand the tactics of attackers. This makes it easier to defend or detect their attacks, as well as force attackers to make mistakes.
Visibility. Visibility into an organisation’s network is part of effective custom defence, and traffic monitoring is the foundation of the proactive risk management strategies proposed by most security analysts and experts.
Advanced monitoring and analysis of inbound/outbound and local traffic provides insight into what is really happening on the network. In addition to detecting advanced threats, it can also reveal any risky applications in use, mobile device access and activities, and unusual traffic and data transfer patterns.
Detection. Advanced threat detection at the network level can discover the malicious content, malware, communications and attacker activities that are typically invisible to standard defences. But the key to detecting targeted attacks is to employ sandbox simulation and threat detection rules that are customised to reflect an organisation’s particular host configurations, IT environment and risk concerns.
Additionally, by using an open detection and analysis platform, organisations can increase the detection and blocking capabilities of standard protection points such as email and web gateways and endpoint security, offering increased protection against spear phishing and other early phase attack events.
Risk assessment. An ideal custom defence solution augments automated local threat analysis with relevant global intelligence. With the right information, even zero-day malware and previously unknown communication channels can often be linked to related samples or activities seen elsewhere, providing a strong set of indicators of the attack nature, objectives and source.
A threat profile based on this custom intelligence allows organisations to respond with the appropriate actions and urgency.
Prevention. For a true custom defence solution, use custom detection, analysis and intelligence to enhance protection from further attack and optionally block current attack activity such as C&C communications.
This may include direct blocking at the detection point but should include custom security updates (IP/URL blacklists, antivirus or other signatures) sent from the detection/analysis platform to all pertinent protection points. In this way, the entire security infrastructure adapts to defend against this new attacker.
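As an added example (not from the article or from Trend Micro's products), the following Python script illustrates the monitoring-to-prevention loop described in the Visibility and Prevention elements above: it runs simple detection logic over constructed proxy log lines to flag near-regular beaconing and a bulk outbound transfer, then turns the destinations involved into a custom blocklist that a gateway could consume. The log format, thresholds and hostnames are assumptions.

```python
"""Flag beaconing and bulk uploads in proxy logs, then emit a custom blocklist."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: "epoch_seconds src_ip dest_host bytes_out"
SAMPLE_LOG = """\
1700000000 10.1.2.3 cdn.example.net 512
1700000060 10.1.2.3 upd.example-c2.test 310
1700000120 10.1.2.3 upd.example-c2.test 305
1700000180 10.1.2.3 upd.example-c2.test 318
1700000240 10.1.2.3 upd.example-c2.test 309
1700000300 10.1.2.3 upd.example-c2.test 312
1700000330 10.1.2.3 drop.example-exfil.test 7340032
1700000011 10.1.2.9 cdn.example.net 4096
1700000317 10.1.2.9 news.example.org 2048
"""

def parse(log):
    """Turn raw log lines into (timestamp, src, host, bytes_out) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, host, nbytes = line.split()
        events.append((int(ts), src, host, int(nbytes)))
    return events

def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return {(src, host): interval} for pairs contacted at regular intervals.
    min_hits and max_jitter are assumed tuning values, not a product default."""
    times = defaultdict(list)
    for ts, src, host, _ in events:
        times[(src, host)].append(ts)
    flagged = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        # Low relative jitter between contacts is the classic C&C beacon signature
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg)
    return flagged

def find_bulk_uploads(events, threshold=5 * 1024 * 1024):
    """Return (src, host) pairs with a single outbound transfer over threshold bytes."""
    return {(src, host) for _, src, host, nbytes in events if nbytes >= threshold}

def build_blocklist(events):
    """Destinations seen beaconing or receiving bulk uploads become block indicators
    that the analysis platform would push to web/email gateways and endpoints."""
    suspects = set(find_beacons(events)) | find_bulk_uploads(events)
    return sorted({host for _, host in suspects})

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("beacons:", find_beacons(evs))
    print("blocklist:", build_blocklist(evs))
```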
Remediation. Detailed threat profile information will help guide containment and remediation actions and enable the optimum use of specialised tools and SIEM or other log analysis methods to determine the full extent of the attack and perform a detailed forensic analysis of the attack.
Let’s all treat the Target attack as a major wake-up call. Let’s all recognise and appreciate the level of professionalism and sophistication in which this truly enormous data breach was carried out. If we can learn from Target’s mistakes, we should investigate the new technologies, strategies and innovation that exist to thwart these types of targeted attacks. The time is now to build a custom defence solution and avoid being the next Target.
Sanjay Mehta is managing director of Trend Micro Australia and New Zealand.