In 2009, The New York Times revealed the existence of a cyber-espionage network that had compromised computers in 103 countries. This group is one of thousands that have compromised Fortune 500 companies, government agencies and foreign embassies. The methods these attackers use to gain access to sensitive information vary; however, they are typically known as advanced targeted attacks. These attacks present a serious threat to organizations of all sizes. Understanding the stages of advanced targeted attacks, and how you can stop them, is critical to prevention.
Each advanced targeted attack is unique in its approach. One of the defining characteristics of these attacks is the persistence of the attacker — if one approach doesn’t work, he will likely try another. Generally, these attacks can be classified into six stages, widely defined as the following:
- Intelligence Gathering: The initial stage consists of researching the target with public sources, such as social networks and social engineering attempts. The attacker will tailor a unique strategy for his target.
- Point of Entry: Whether it’s by email, instant messaging or social networks, this stage is when the attacker injects malware into the corporate infrastructure. This then creates an entry point, also known as a back door, which allows the attacker to enter the system at will.
- Command and Control: Now that the attacker has access, he can begin to control the compromised systems. The attacker can prepare for the upcoming phases by strengthening his hold on the system.
- Lateral Movement: Once inside the infrastructure, the attacker is able to move within the network to compromise even more machines. With each movement, he gains new levels of access, advanced privileges and becomes closer to his goal.
- Asset Discovery: Throughout the course of his lateral movement, the attacker discovers important servers and identifies valuable information. Once he has gained access to these servers, the mission is almost completed.
- Data Extraction: Now that valuable data has been located, an attacker’s last step is to extract it. This is done by funneling the data to a staging server within the infrastructure. Then, it is compressed, chunked and encrypted. The attack is completed by transferring the data to an external location.
What Can You Do?
Understanding the stages of advanced targeted attacks can make any form of defense seem impossible. However, as with other hacking attempts, prevention is possible. A three-pronged defensive approach is recommended against advanced targeted attacks:
- Increased Visibility: Endpoints, network monitors and servers produce logs that are largely underused by IT security specialists. However, this data can be aggregated and correlated to provide a precise view of activity within the infrastructure. It will highlight any data intrusion as well as abnormal activity.
- Integrity Checks: Monitoring modifications to critical files and the registry will help detect malware in the early stages of an advanced targeted attack. Integrity-monitoring software is available to perform these checks on a regular schedule.
- Employee Training: The first and most preventable stage of these attacks is intelligence gathering. According to BusinessWeek, social engineering attempts have become sophisticated in recent years as social networks and consumer technology have become integrated with the workplace. Training employees to spot and report potential attempts will greatly reduce the likelihood of a successful attempt.
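To make the "Increased Visibility" point concrete, here is an added example (not code from the original article or from any product it mentions) that correlates network flow logs to surface the staging-then-transfer pattern the Data Extraction stage describes: several internal hosts pushing data to one internal host, which then sends a large volume to an external address. The log format, the 10.0.0.0/8 internal range, the sample records and the thresholds are all constructed for the illustration; real deployments would read flows from a collector and tune thresholds against their own baseline.

```python
"""Correlate network flow records to flag an internal staging host that later
sends a large volume of data outside the network. Log format, addresses and
thresholds are constructed for this example."""
import ipaddress
from collections import defaultdict

# Constructed sample flow records: timestamp, source host, destination host, bytes sent.
# Hosts in 10.0.0.0/8 are treated as internal; everything else as external.
SAMPLE_FLOWS = """\
2009-03-29T01:02:11 10.0.1.15 10.0.9.40 52428800
2009-03-29T01:04:52 10.0.1.22 10.0.9.40 73400320
2009-03-29T01:07:03 10.0.2.8 10.0.9.40 41943040
2009-03-29T01:09:44 10.0.3.31 10.0.9.40 94371840
2009-03-29T01:30:00 10.0.9.40 203.0.113.77 262144000
2009-03-29T02:11:09 10.0.1.15 10.0.0.5 4096
2009-03-29T02:12:31 10.0.1.22 198.51.100.10 1536
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Example thresholds; tune them to the volumes your own environment normally sees.
MIN_INTERNAL_SENDERS = 3            # distinct internal hosts feeding one internal host
STAGING_BYTES = 100 * 1024 * 1024   # inbound volume that marks a possible staging server
EXFIL_BYTES = 50 * 1024 * 1024      # outbound volume from one host to one external address


def parse_flows(text):
    """Turn whitespace-separated records into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def find_staging_hosts(flows):
    """Internal hosts receiving a large total volume from several distinct internal senders."""
    inbound = defaultdict(lambda: {"senders": set(), "bytes": 0})
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            inbound[f["dst"]]["senders"].add(f["src"])
            inbound[f["dst"]]["bytes"] += f["bytes"]
    return sorted(host for host, v in inbound.items()
                  if len(v["senders"]) >= MIN_INTERNAL_SENDERS and v["bytes"] >= STAGING_BYTES)


def find_external_transfers(flows):
    """(internal host, external destination, total bytes) tuples above the outbound threshold."""
    outbound = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[(f["src"], f["dst"])] += f["bytes"]
    return sorted((s, d, b) for (s, d), b in outbound.items() if b >= EXFIL_BYTES)


def correlate(text):
    """Hosts that both look like a staging server and then push data to an external address."""
    flows = parse_flows(text)
    staging = set(find_staging_hosts(flows))
    return [(s, d, b) for s, d, b in find_external_transfers(flows) if s in staging]


if __name__ == "__main__":
    for host, dst, total in correlate(SAMPLE_FLOWS):
        print(f"ALERT: {host} collected internal data, then sent {total} bytes to {dst}")
```

Either signal alone (one host receiving from many peers, or one host sending a lot outside) produces noise from backup servers and file shares; it is the combination on the same host, in sequence, that is worth an analyst's time, which is why the two aggregations are joined in `correlate`.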
You Don’t Have to Be Susceptible
While advanced targeted attacks are highly sophisticated, they are also preventable. Train your IT security team to perform regular registry checks and regular reviews of various logs. Additionally, teach every member of your organization the importance of preventing social engineering attempts. With time, effort and advanced software, you can provide your organization with advanced security.
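The "Integrity Checks" recommendation and the closing call for regular checks amount to file integrity monitoring: record a trusted baseline of file hashes, then compare later scans against it. The following added example (not the article's or any vendor's code) implements that cycle for a directory tree; it covers the file system only, since Windows registry hives would need a separate export step, and the directory layout, file names and the "changes" it simulates are constructed for the demonstration.

```python
"""File integrity check: hash every regular file under a directory, store the
baseline as JSON, and report added, removed and modified files on a later scan.
The demo tree and the changes it simulates are constructed for this example."""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, '/' separators) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks are not followed; devices and sockets are out of scope
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; keep this file where a compromised host cannot rewrite it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a throwaway tree, baseline it, then simulate the traces an intrusion leaves."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "svc"), "wb") as f:
            f.write(b"original service binary")
        with open(os.path.join(root, "config.ini"), "w", encoding="utf-8") as f:
            f.write("mode=prod\n")

        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated changes: a replaced binary, a dropped hidden file, a deleted config.
        with open(os.path.join(root, "bin", "svc"), "wb") as f:
            f.write(b"replaced service binary")
        with open(os.path.join(root, "bin", ".helper"), "wb") as f:
            f.write(b"unexpected new file")
        os.remove(os.path.join(root, "config.ini"))

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Two design points matter in practice: the baseline is written to a separate location (`store`) rather than inside the monitored tree, so it is neither reported as an "added" file nor trivially editable by whatever changed the tree; and the comparison is keyed on relative paths with normalized separators, so a baseline taken on one host can be checked against a rebuilt or restored copy.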
About the Author: Bruce Henderson is a contributing writer and network security specialist. He advises that company-wide education and using top-of-the-line security programs, like Trend Micro, are the best ways to stop advanced targeted attacks.