Other issues in this category (39)
About targeted attacks and where they occur
Tuesday, July 27, 2021
In the IT world, it is difficult to find a more ominous and, at the same time, more mythicised term than targeted attacks. Every APT attack that becomes public immediately turns into an occasion to inform and is actively discussed both in the professional environment and beyond its borders. But what actually is this? Let's figure it out together! In today's issue, we will talk in detail about targeted attacks and analyse where they start and how you can protect your systems from them.
Initially, the term "APT" (Advanced persistent threat) was applied to cyber threats of a military-political nature. Critical infrastructure objects and public and military authorities became the targets of these threats. Nowadays, in the media and in popular literature, this concept is interpreted more broadly, and it is applied to all attacks having a targeted impact on the information systems of a specific organisation.
This creates some confusion because, if with classical APT attacks, the main motive for an attack was to steal valuable information or make some infrastructure object non-operational, experts are now increasingly talking about cyberattacks whose motive is material gain. This can involve stealing money and trade secrets or infecting a company’s computers with encryption ransomware in order to demand a ransom. And indeed, the recent ransomware attacks are already comparable to APT in terms of methods and tooling (just like the case with the recent attack on Colonial Pipeline—a US pipeline operator).
But let's get back to targeted attacks in their traditional sense. Their main danger lies in the fact that an attacker does not act blindly—they build an individual attack strategy, looking for security breaches with the help of prior "intelligence", which may include not only information about the technical aspects of a company’s functioning but also information about the activity of its employees—for example, about when they take their lunch breaks. To carry out targeted attacks, perpetrators create unique software tools that include features of the infrastructure and the means of protection in use. It can take years to prepare for and implement an attack. During this time, attackers will move step by step deeper into the targeted system, studying its structure and working mechanisms.
The operating principle of the majority of known APT-attack counter systems is based on monitoring the situation within an organisation's protected environment and identifying possible signs of a targeted attack. These signs may be various abnormalities that users experience during their work and network infrastructure aberrations. Such solutions can supplement the arsenal of tools that help ensure information security—but only if a company has a clear layered and multi-component defence system that includes security features for computers and servers, file analysers that analyse files coming from outside, email and network traffic monitoring, and also carefully configured security policies. And, of course, do not think for one moment that a specialised system will make an organisation invulnerable to attackers—like it or not, there is no "silver bullet" in information security.
Where does an attack start? From an ordinary user’s computer!
Incident analysis shows that most attacks don’t begin with "holes" being detected in a corporate server’s protection but with a computer of one of the employees getting compromised. There can be a great many reasons for such a compromise: zero-day vulnerabilities that haven't been closed or user permissions that haven't been configured correctly; an email containing a malicious program or a link to a phishing site; a flash drive inserted into an office computer, or a piece of paper with a login and password that accidentally got into a photo that was posted on social networks by an employee.
A compromised computer provides attackers with an entry point to the inner environment of an organisation. It should be understood that a targeted attack doesn’t necessarily involve capturing the entire corporate environment; often its key goal is only one server or even one computer that contains information the attackers need or provides control over production processes. In this case, actions made from the compromised computer may not cause the special systems that counter APT attacks to suspect anything if the actions fit into the standard patterns of user behaviour.
From this, the following thesis emerges: a company’s security depends on the security of the end device of each employee. This statement is even more relevant if an employee works remotely, outside the secure perimeter, and uses a VPN connection to access the company infrastructure.
Protection for each workplace
And here we move away from specialised protection systems that thwart targeted attacks to the tools that ensure the security of end users, the main one of which is an anti-virus. It is the first line of defence in the way of attackers.
The key requirement for using an anti-virus to protect against targeted attacks is the presence of broad capabilities with regards to the non-signature detection of malicious activity. In common terms, an anti-virus should be able to detect unknown malware species and builds by monitoring abnormal activity on a targeted computer and immediately neutralising it.
Dr.Web is a pioneer in the implementation of non-signature malware detection methods and in practice has repeatedly demonstrated their effectiveness. Just recall the much-talked-about WannaCry epidemic during which Dr.Web profiled itself—it prevented new, unknown, and extremely dangerous malware from infecting thousands of computers.
Dr.Web Enterprise Security Suite—an anti-virus solution for business—provides comprehensive protection for all corporate network hosts and end-user devices, including personal computers and mobile devices used for work; it allows you to build centralised security policy management system and informs you of identified incidents. You can integrate Dr.Web Enterprise Security Suite into your existing infrastructure, or you can make it the core of a security system that will monitor malicious activity by detecting and blocking the possible channels through which your IT infrastructure could be compromised.
In some cases, this will make it possible to completely stop an attack, in others—you’ll gain the time required to analyse the attack and develop a protection strategy. The main thing is that, if your end users’ computers are unprotected, your entire defence can instantly fold like a house of cards, regardless of whether you are using specialised solutions to protect against attacks.
The Anti-virus Times recommends
- Do not neglect to protect end-user devices: a single unprotected computer can put the security of an entire company at risk.
- Do not allow users to control computer security settings themselves—all changes should be carried out centrally and in accordance with security policies. And of course, a user must not have the opportunity to disable the anti-virus software.
- Ensure that incidents on employee computers are monitored. In Dr.Web Enterprise Security Suite, information about all abnormal situations and detected malware go to the Control Center. Any detected incident should be thoroughly investigated and analysed.
Read issues of the Anti-virus Times and improve your information literacy together with us!