Custom malware is the foundation of today’s targeted cyber attacks… Just ask the Treasury!

CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

Cyber crime has evolved from mass attacks intended to wreak havoc and steal as much data as possible to highly targeted attacks looking for specific information from an organization. Custom malware, designed to bypass legacy endpoint security, forms the foundation of these attacks. As a result, these calculated attacks are becoming more dangerous for the businesses and government entities hackers are targeting.

Further evidence of these targeted attacks surfaced last week when three websites belonging to the U.S. Department of the Treasury were hacked and serving malicious software. The malicious code redirected site visitors to a website in Ukraine that launched a variety of Web-based attacks.

The article “Modern hack attacks are developing a laser focus” highlights that cyber criminals have shifted to more information-centric attacks to obtain data with the highest possible value. The article broke down the four stages of a modern-day targeted attack:

Stage 1: Incursion — Today, hackers leverage social engineering techniques to get the malware onto the endpoint. This approach is very targeted, often with a cyber thief using social media such as Facebook to gather information about a prospective target. The attack is designed to lure the victim to trust the email message or attachment with a unique malware-infected payload. Often these attacks and the malware are unique to the specific person and their organization, allowing the thief to find and steal important information that can be monetized, such as intellectual property or payment card data.

Stage 2: Discovery — This phase often uses unique malware that is spawned by the initial entry malware to scan and discover the desired information within the network. The incursion and discovery phases are very discreet. The malware hides inside the network, inspecting and searching for specific targeted information. Once the hackers find what they want, the data extraction happens very quickly.

Stage 3: Capture and Stage 4: Exfiltration — Once the hacker finds what they are looking for, the data capture and exfiltration stages are fast and noisy. This is typically the first time most organizations realize they’ve been breached. By the time the organization detects the breach, analyzes the situation, develops a solution and takes action, the data is long gone and the damage is already done.

As the article points out, the way most enterprises protect their private data today leaves many openings for hackers to exploit and hide their malware.

1. Compliance — Most organizations have difficulty consistently enforcing IT policies. Over time, configuration changes to the same servers and endpoints — combined with patches not being applied in a timely fashion — allow malware to burrow and gather information without being detected by antivirus and traditional security tools.

2. Protecting information — While most organizations know where their critical information is primarily stored, sensitive data is often copied by employees and stored in places that may not be secure. Cyber criminals know this, which is why their malware spends so much time in the discovery stage. In many cases, breach investigation teams learn that the data that was compromised was simply a copy of production data stored in insecure locations.

3. Systems management — Organizations simply don’t know everything that lives on the network. Many times there are unknown systems attached to the network, and if an IT team doesn’t know about them, they can’t manage them. Gaps in patch management are a big contributor to breaches when malware exploits known vulnerabilities that have not been patched in a timely manner.

4. Infrastructure security — While most organizations have security in place, their growing and diverse infrastructure creates a lack of visibility across their entire environment. It becomes impossible to understand what is going on at any point in time.

What this all comes down to is that modern-day targeted attacks don’t lend themselves to today’s security solutions. Attacks and the malware they utilize are often unique to the targeted organization and will not be prevented by any traditional blacklisting endpoint security solution such as antivirus. As cyber crime evolves, so should the tactics used to stop it. On Thursday, I’ll explore strategies for combating these modern threats and how organizations can regain control over their sensitive data.
