Tech Insight: What You Should Know About Detecting A Targeted Attack

With recent targeted attacks like that against HBGary, we've seen firsthand how no one is safe from a data breach -- not even a well-known security company. What's fascinating about targeted attacks is that the details are rarely made public, and when they are, the lessons learned typically cover the vulnerabilities and prevention, with little to no focus on detection.

On nearly every breach case I've worked, there has been evidence in the Windows Event logs, Apache logs, or the intrusion detection system (IDS) that, had someone been monitoring them, would have alerted staff to an attack. Verizon's 2010 Data Breach Investigation Report parallels my experience: It states that 87 percent of victims "had evidence of the breach in their log files, yet missed it."

Incredible statistic, right? Now step back and ask yourself if your company would be part of that 87 percent if an attack took place this weekend. Are you prepared to survive a targeted attack, or better yet, ready to detect it as it happens?

The challenge of detecting a targeted attack is that it can come from anywhere. The first attempt may be a probe of your Internet-facing servers to see what vulnerabilities affect your Web and mail servers.

If that doesn't turn up anything interesting, then the next attempt might be a spear-phishing attack against the soft, chewy center of your company -- its people. Detecting attacks attempting to exploit human assets is often nearly impossible without regular training and awareness. You can't install Snort on your CEO and CFO.

To detect a socially engineered attack requires both technical controls and user awareness and training, backed by policies. The external probes would go unnoticed by users, but an IDS, a Web application firewall, and possibly rules monitoring the Web server logs would flag the activity as malicious. On the other hand, mail security solutions would likely miss a well-crafted spear phish while trained users could identify the message and forward it onto the security team for analysis.

On the technical side, logging needs to be enabled, and monitoring of those logs needs to take place so that early detection can occur. Open-source log monitoring and commercial SIEM solutions can help by identifying patterns indicative of an attack that an analyst can then investigate further.

Say that the external probe includes a brief brute-force attack against a website's form-based authentication, or SQL injection attempts. A log monitoring system should be able to alert the security team where an entry-level analyst will investigate and pass it along if it needs attention of a senior team member. Analysis will confirm whether the attack was successful and if a rule needs to be placed on the firewall to block the attack source.

The key is to have logging enabled before an attack occurs. However, even if monitoring isn't performed in real time, it's important to have logs because they provide a forensic trail if an attack is discovered later. And with the ever-decreasing cost of drive storage, that shouldn't be a complaint anymore.

Good communication among the security team and an incident tracking system are also crucial in large environments to help spot trends. An attack against a server or two at one location may seem insignificant until you find that the same attack occurred at two other locations. Or the source of the attack was identified sending malware though the mail server.

And, of course, there's the people side, where detection gets infinitely more difficult. Many security professionals will tell you that user awareness and training is simply useless. My advice to the security professionals is to stop trying to do the training themselves and hire someone who specializes in training and awareness.

There are many professionals out there whose specialty is developing effective awareness programs and training personnel on complex topics like computer security. Work with those professionals to create information fliers, posters, e-mails, etc., that communicate to the users in your organization the threats they will face through e-mail, online, and on the phone. Users rarely realize that attackers can pick up the phone and use it for a social engineering attack. Instead, they're stuck in the mindset that attacks will always be computer-based.

A key area of focus for awareness and training is the detection of the different threats and how they should be communicated to the security team. Users are often the first line of detection with spear-phishing and client-side attacks -- they just have to know what to look for. And when they do identify something suspicious, it should be put into the incident tracking system to help correlate it with other potentially related issues.

Logging everything or buying a SIEM certainly isn't a panacea, but both of these approaches do help. Just don't forget that the detection of targeted attacks takes more than technical controls.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.