What is a Targeted Attack and how to prevent it?

Targeted attacks are an Advanced Persistent Threat (APT), a type of cyberattack aimed at a specific company or organization. This is different from a standard mass attack, which strikes a large number of people simultaneously, and hopes to catch the least prepared and protected victims. An APT continues for an extended period of time, so the preparation to deploy such an attack could take months, or even years.

Initially, the term APT primarily referred to attacks allegedly carried out by the intelligence services of foreign countries, aimed at government and military facilities. The term has evolved to now include complex, multi-stage attacks aimed at any specific organization.

Detecting an APT is a difficult and complex task – the breach into the system can go unnoticed for a very long time. Due to this fact, it is nearly impossible to estimate the number of targeted attacks truly perpetrated in the world.

However, according to available data, in 2019, targeted attacks have become more pervasive than traditional mass attacks. The most frequently attacked sectors were government agencies, manufacturing, medicine, education, and the financial sector.

What is a targeted attack?

Due to the very specific nature of targeted attacks, there are no well-defined criteria to determine whether or not a targeted attack has been carried out. Still, here are a few points about APT attacks that most experts agree on:

  1. Attacks are carried out on specific organizations in banking, manufacturing, public sector or any target industry. Typically, ordinary users are not targeted, unless they are employees of the target organization
  2. A lot of time is spent planning and preparing the attack
  3. The software used for the attack is developed specifically to make it nearly impossible to detect through normal anti-viruses and security
  4. The same penetration methods that are common in mass attacks, such as phishing, may be used. With targeted attacks, there is a significant risk that employees will fall victim to social engineering, increasing the chances of a successful penetration into the organization
  5. Even temporary vulnerabilities can be exploited
  6. Once an attack has been detected and identified as targeted, it becomes a “mass” attack (meaning that attackers continue to use the breach, but in larger scale). The attack will need to be handled and the system protected with the release of appropriate updates

The goal of the attack can be any information that is valuable to criminals, which can be sold or used to compromise the organization.

Alternatively, the information can be used to gain an advantage against a geopolitical adversary. Accordingly, most targeted attacks are carried out to obtain industry secrets, personal and payment data, or other important information.

Government organizations and diplomats, financial, energy, space-exploration, telecommunications and IT companies, health and education institutions, military suppliers, and social and political activists can face the greatest risks.

How does this happen?

We’ve sorted out which attacks can be classified as targeted. Now, let’s move on to how these attacks are carried out. Public information and incident investigation data show that the only things limiting these attacks are the imagination and skills of the cybercriminals. Any action might be taken, as a criminal does not care what it takes to reach their ultimate goal of capturing the necessary data.

We have already discussed that APT attacks are carried out in several stages. It all begins with exploration and penetration into the system through some loophole. Once successfully infiltrated, the attackers are firmly planted within the victim’s infrastructure and have access to all the information inside. They do this while remaining undetected, taking their time to go through all the data and finding the most valuable items to steal. They are in no hurry; they know you won’t be finding them anytime soon.

Initial penetration can be accomplished in a variety of ways.

  • There could be direct physical access, or a phishing attack on an employee or a related system, with the attacker impersonating a vendor, sponsor, or even a customer.
  • Trusted relationships can be used against the company, making it even harder to protect against a threat like this. That’s why it’s important to check the levels of access to data and distribute this access correctly, to make it more difficult to hack the system through collaborating teams.
  • Attacks such as Remote File Inclusion (RFI), SQL injection, or Cross-Site Scripting (XSS) are often used by attackers to gain a foothold in the target network. After this, trojans and backdoor shells are used to expand the entry point and create a permanent presence within the target environment.

How to prevent it?

Avoiding an APT attack when your company is the target is most likely not possible. This is made more difficult because attack attempts can be made many times over a long period of time, until the attacker finally succeeds.

The malware used by attackers has likely already been tested by the hackers against antivirus and other protection methods, allowing them to modify and improve it as needed before the attack. In addition, criminals examine the tools and applications used by the target company, looking for loopholes and vulnerabilities that may be used for the attack.

Unlike traditional attacks, targeted attacks require more resources, which means they usually have sponsors. Sometimes these attacks are even publicly funded and used as weapons against international adversaries.

If you have information worth $100 million, be prepared that someone will be willing to spend $50 million just to steal it. The only thing you can do is to set up protection on all fronts of your organization, being prepared for the worst and having the tools to quickly detect and neutralize an attack, while minimizing damage.

What about protection?

Correctly detecting and protecting against APT attacks requires a multifaceted approach, involving the network administrator, security service providers, and, very importantly, individual users.

Just as attackers have been consistently improving their malware, security vendors are not far behind, upgrading their tools to counter various attacks. Special products are being developed, not just to search for unknown or unexpected code samples, but also to detect any suspicious activity. This is done because malware is not always the method used for the attack. Hackers will sometimes use legitimate programs, skillfully adapting their capabilities to exploit vulnerabilities.

Parts of the security software analyze files downloaded from the internet, as well as all sorts of network activity and user behavior. Some modules even expose attackers to fake data, as a means of protecting real data.

However, the best option is always comprehensive protection.

Hup two, hup four!
  1. Monitoring incoming and outgoing traffic is considered the best way to prevent backdoors from being installed, as well as blocking the extraction of stolen data.
  2. Checking traffic within the perimeter of the network can also help alert security personnel to any unusual behavior that may indicate malicious activity (e.g. irregular login, or transmission of unusually large amounts of data).
  3. Another part is adding trusted apps and domains to the whitelist.

    Whitelisting is a way to manage the domains accessible from your network, as well as the apps your users can install. This is a useful method to reduce the likelihood of success of APT attacks, by minimizing the available points of attack.

    However, this security measure is far from reliable, as even the most secure domains can be compromised. It is also known that malicious files can usually come under the guise of legitimate software. In addition, older versions of software products are at higher risk of hacking and exploitation. To effectively use the whitelist, you also need to apply strict update policies so that your users always use the latest version of any app on the list.
  4. Control access levels. For cybercriminals, your employees are usually the largest and most vulnerable attack surface in a secured network. This is why hackers often see users of your network as an easy accomplice to their crime.

    Here are some examples of employee ignorance or irresponsibility:
  • Reckless users who ignore network security policies and unknowingly provide access to potential attackers
  • Compromised users whose network access rights are used by attackers
  • Employees who intentionally abuse their credentials to give attackers the access they want
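Items 1 and 2 above describe monitoring for irregular logins and unusually large transfers. The following detector is an added example (it is not code from the original article), run over a few constructed log lines; the log format, hostnames, user names, work-hours window and the egress threshold are all hypothetical.

```python
"""Added example, not from the original article: scan constructed authentication
and network-flow log lines for two of the signals the article names, logins at
irregular hours and unusually large outbound transfers, then correlate them."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical hosts, users and addresses). Format:
# <ISO timestamp> <event> <user> <host> <value>
# For LOGIN the value is the source IP; for EGRESS it is bytes sent out of the perimeter.
SAMPLE_LOG = """\
2019-03-04T09:12:01 LOGIN alice ws-17 10.1.4.22
2019-03-04T09:40:18 EGRESS alice ws-17 1200000
2019-03-04T13:05:44 LOGIN bob ws-23 10.1.4.31
2019-03-04T13:30:00 EGRESS bob ws-23 800000
2019-03-05T03:17:09 LOGIN alice ws-17 10.1.4.22
2019-03-05T03:22:40 EGRESS alice ws-17 950000000
2019-03-05T10:02:11 LOGIN carol ws-08 10.1.4.40
2019-03-05T10:45:03 EGRESS carol ws-08 2500000
"""

# Hypothetical policy: logins outside 07:00-19:59 are "irregular", and a host
# sending more than this many bytes out in one day is "unusually large".
WORK_HOURS = range(7, 20)
EGRESS_THRESHOLD = 100 * 1024 * 1024  # 100 MiB per host per day


def parse_line(line):
    """Split one log line into (timestamp, event, user, host, value)."""
    ts, event, user, host, value = line.split()
    return datetime.fromisoformat(ts), event, user, host, value


def irregular_logins(log_text):
    """Return (user, host, timestamp) for every login outside work hours."""
    hits = []
    for line in log_text.splitlines():
        ts, event, user, host, _ = parse_line(line)
        if event == "LOGIN" and ts.hour not in WORK_HOURS:
            hits.append((user, host, ts.isoformat()))
    return hits


def large_egress(log_text, threshold=EGRESS_THRESHOLD):
    """Sum outbound bytes per (host, day) and return those above the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ts, event, _, host, value = parse_line(line)
        if event == "EGRESS":
            totals[(host, ts.date().isoformat())] += int(value)
    return sorted((host, day, total)
                  for (host, day), total in totals.items() if total > threshold)


def correlate(log_text):
    """Hosts showing both signals on the same day: the strongest lead for an analyst."""
    login_days = {(host, ts[:10]) for _, host, ts in irregular_logins(log_text)}
    return [(host, day, total) for host, day, total in large_egress(log_text)
            if (host, day) in login_days]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("review:", alert)
```

In practice the work-hours window and the egress threshold would come from a per-user or per-host baseline rather than fixed constants; the correlation step is what turns two noisy signals into something worth an analyst's time.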

Developing effective controls requires a comprehensive analysis of your organization’s employees, especially including a review of the information they have access to. For example, classifying data by the service that needs it helps prevent an attacker who has intercepted a low-level employee’s credentials from reaching sensitive content.

Key access-points to the network should always be protected by two-factor authentication. This prevents unauthorized persons disguised as employees from moving around your network.

In addition to the above, when protecting your network, you should address network and OS vulnerabilities as soon as possible, encrypt remote connections, filter incoming emails to prevent phishing attacks and spam, and keep a detailed log of security events to improve security policies.
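The whitelist item above warns that an allowlist only helps when paired with a strict update policy, and the paragraph just above repeats the point about fixing vulnerabilities promptly. This added example (not code from the original article) shows an application allowlist that enforces both: an app is permitted only if it is on the list and at or above its minimum approved version. The app names, versions, the inventory and the policy values are hypothetical.

```python
"""Added example, not from the original article: an application allowlist that
also enforces a minimum-version policy, audited over a constructed host inventory."""


def parse_version(version):
    """Turn a dotted version string into a comparable tuple, e.g. "16.0.4" -> (16, 0, 4)."""
    return tuple(int(part) for part in version.split("."))


# Hypothetical allowlist: app name -> minimum approved version.
ALLOWLIST = {
    "office-suite": "16.0.4",
    "pdf-reader": "2021.1",
    "vpn-client": "5.2.0",
}


def evaluate(app, version, allowlist=ALLOWLIST):
    """Return ("allow" | "deny", reason) for one app at one version."""
    if app not in allowlist:
        return ("deny", "not on allowlist")
    minimum = allowlist[app]
    if parse_version(version) < parse_version(minimum):
        return ("deny", f"outdated: {version} < minimum {minimum}")
    return ("allow", "on allowlist and up to date")


# Constructed inventory (hypothetical hosts): (host, app, installed version).
INVENTORY = [
    ("ws-17", "office-suite", "16.0.4"),
    ("ws-17", "pdf-reader", "2019.3"),
    ("ws-23", "remote-admin-tool", "1.0"),
    ("ws-23", "vpn-client", "5.3.1"),
]


def audit(inventory, allowlist=ALLOWLIST):
    """Evaluate every inventory entry and return the denied ones with their reason."""
    denied = []
    for host, app, version in inventory:
        verdict, reason = evaluate(app, version, allowlist)
        if verdict == "deny":
            denied.append((host, app, version, reason))
    return denied


if __name__ == "__main__":
    for entry in audit(INVENTORY):
        print("deny:", entry)
```

The outdated reader is denied even though it is on the list, which is exactly the gap the article describes: an allowlist without a version floor still lets an old, exploitable build run.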

Who attacked me?

Determining who initiated the targeted attack is an extremely difficult task. To accomplish this, you need to gather a lot of evidence and factors that suggest the involvement of a hacker group of a particular nationality, or from a particular organization. This requires a lot of time, effort, and coordination between the victim, information security teams, law enforcement agencies, and maybe even officials from other countries.

Even after endless research, it is still not guaranteed that you will figure out who the criminal really is. Most often, the culprits are identified only because of gross errors, or “hints”, left in the code. These may be words that directly or indirectly indicate the language of the attackers. For example, if you see Russian words, you might have cause for concern. Be mindful though – some attackers are smart enough to leave traps like this just to confuse you during your investigation.

Around the world, more than 100 groups of bad actors target organizations and businesses. This number grows every day. This rapid growth suggests that attackers are steadily optimizing their techniques and tools. It is now cheaper to organize a targeted attack, making it harder than ever to deal with APT attacks.