Wednesday, May 26, 2010

Existence of Malware = Vulnerable to Targeted Attacks

I have come across a couple of companies that focus most of their security strategy on mitigating targeted attacks on their network and give little attention to protecting their businesses from malware (automated attacks), other than a futile reliance on an updated antivirus. It is true that the impact of a targeted attack on a company is far greater than the presence of automated or commercially spread malware, for example some computer getting infected with a Zlob trojan. However, if your security vendor's management console reported even a single malware file on any computer in your network, then sadly, the fact is, your business is an easy target for a potential targeted attack, regardless of all the security measures or security software/hardware your business has put in place. With the exception of viruses, the existence of malware in the form of a worm, bot, trojan, exploit, rootkit, keylogger, backdoor, spyware, adware, etc. is an indicator that your business is unprotected against spear attacks.

The reason for this is that targeted attacks use the same techniques as malware to compromise a system, but at a more sophisticated level. Whether the purpose is information theft, financial theft, espionage or anything else, a professional hacker would attempt to gain access to a business resource either through a vulnerability or by social engineering. Since both techniques are also used by malware, we can compare by example how targeted attacks and malware use these techniques as an access vector.

1. Social Engineering:

- Malware would send a generic email that tries to influence any user, with no particular target. The email may entice the user to download the malicious file by promising dancing monkeys, celebrities, unclothed people, fake news, etc. At worst, the email may try to add a little authenticity by claiming to be 'from the IT department'. The Storm worm bot and Waledac emails are excellent examples of typical malware-style social engineering.

- In contrast, in a targeted attack, the social engineering tactic is a lot more sophisticated. The bad guys will try to collect as much information about their targets as they can, for example through social-networking sites.

The socially engineered email will likely address the target by name, such as "Dear Alice", and indicate a spoofed source, such as "Bob, IT Manager". In fact, the recent attack on Google from China was mainly accomplished by social engineering:

McAfee's Chief Technology Officer George Kurtz announced that the hackers used complex social engineering techniques and advanced reconnaissance techniques to specifically target those individuals who had access to sensitive company information.

Explaining the tactic used, Kurtz mentioned “Speaking generically, we're seeing a lot more targeted attacks where people focus on [employees with] the highest set of privileges, and then work backwards, gaining access to secondary parties to get to the primary source.”

Read more: http://www.itproportal.com/security/news/article/2010/1/27/google-hackers-used-social-engineering-tricks-carry-out-attacks/#ixzz0pDqjEPBR


2. Vulnerabilities:

- Malware would usually exploit operating system or browser vulnerabilities after patches are released. For example, the Conficker worm tries to spread from one computer to another using an OS vulnerability. Another example is a variant of the Storm worm that exploits a vulnerability in Internet Explorer for drive-by downloads. In some cases malware may also exploit vulnerabilities in Flash, Java and Adobe Reader.

- In a targeted attack, the bad guys would try to exploit vulnerabilities that have been publicly disclosed in virtually every type of software you may have, including WinZip, QuickTime, RealPlayer, Silverlight, etc. That is why it is important to have software such as Secunia PSI to ensure that all your software is up to date. In some cases, the bad guys would exploit a vulnerability before a patch is released or, in rare cases, one not known of before. This happened in the recent Hydraq attack, as reported here:

http://www.computerworld.com/s/article/9144938/Microsoft_confirms_IE_zero_day_behind_Google_attack

In conclusion, as a test bench to assess the security of your network, check whether there is any reported malware on any computer in your business. Understand how the malware infected the machine (email, drive-by download, vulnerability, social engineering, etc.) and then implement countermeasures to prevent such malware from reappearing in your business. If your business cannot protect all of its computers from malware infections, then your network is definitely vulnerable to even an unsophisticated targeted attack. Perhaps your business could be, or has already been, compromised and you may not even know it.
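One way to carry out the check described above, as an added example that is not part of the original post: a Python script that triages a constructed CSV export from a hypothetical AV management console, drops duplicate alerts and pure file-infecting viruses (per the post's exception), guesses the infection vector from where the detected file sat, and tallies which vectors recur. The CSV columns and the path-based vector rules are assumptions for this example, not any vendor's format or logic.

```python
import csv
import io
from collections import Counter

# Constructed sample export from a hypothetical AV management console.
# Columns and values are made up for this example; real consoles differ.
SAMPLE_CSV = """host,detection,category,path
WS-014,Trojan.Zlob.Gen,trojan,C:\\Users\\alice\\AppData\\Local\\Temp\\codec_update.exe
WS-014,Trojan.Zlob.Gen,trojan,C:\\Users\\alice\\AppData\\Local\\Temp\\codec_update.exe
WS-022,W32.Conficker.B,worm,C:\\Windows\\System32\\jwgkvsq.dll
WS-031,Win32.Sality.AA,virus,C:\\Program Files\\Tool\\tool.exe
WS-045,Trojan.Waledac,trojan,C:\\Users\\bob\\AppData\\Local\\Microsoft\\Outlook\\attach\\ecard.exe
WS-050,Exploit.PDF-JS.Gen,exploit,C:\\Users\\carol\\AppData\\Local\\Temp\\invoice.pdf
"""

# Categories the post treats as indicators of exposure to targeted attacks.
INDICATOR_CATEGORIES = {"worm", "bot", "trojan", "exploit", "rootkit",
                        "keylogger", "backdoor", "spyware", "adware"}

def infer_vector(path, category):
    """Heuristic guess at the vector from the file's location (assumed rules)."""
    p = path.lower()
    if "outlook" in p or "attach" in p:
        return "email attachment"
    if category == "worm" and "\\system32\\" in p:
        return "network / OS vulnerability"
    if "\\temp\\" in p or "temporary internet files" in p:
        return "download / drive-by"
    return "unknown"

def assess(csv_text):
    """Return (affected_hosts, vector_counts); viruses are excluded as in the post."""
    hosts = {}
    vectors = Counter()
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], row["detection"], row["path"])
        if key in seen or row["category"] not in INDICATOR_CATEGORIES:
            continue  # skip repeated alerts for the same file and excluded categories
        seen.add(key)
        vector = infer_vector(row["path"], row["category"])
        hosts.setdefault(row["host"], []).append((row["detection"], vector))
        vectors[vector] += 1
    return hosts, vectors

if __name__ == "__main__":
    affected, by_vector = assess(SAMPLE_CSV)
    print(sorted(affected), by_vector.most_common())
```

Hosts that keep reappearing under the same vector point at the control to fix first (mail filtering, browser patching, or network segmentation), which is the countermeasure step the post asks for.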
