
Slow And Silent Targeted Attacks On The Rise

Targeted, methodical attacks difficult to detect

Jan 08, 2009 | 03:29 PM

By Kelly Jackson Higgins
DarkReading

The most determined cybercriminals don't necessarily work fast when they breach a network, and their infiltration is often silent and goes undetected for a long time. But it's this brand of "low and slow" targeted attack that can also be the most damaging, security experts say.

This is a methodical attack, in which the attacker covers his tracks as he penetrates the network, sometimes pausing for days at a time to avoid raising suspicion. It's typically a nearly invisible intrusion that isn't discovered until it's too late, after the attackers have made off with valuable data and done serious damage. Security experts say IT and security managers need to be ready for these highly targeted attacks, which may be more common than once thought.

"It used to be a 'smash and grab,' where criminals would see what they could get," says Mike Rothman, senior vice president of strategy at eIQnetworks. "Now the criminals we're seeing are a lot more savvy than that and are using time to their advantage. They're not leaving broken windows, broken couches...If they start shuffling through one drawer, they are careful to put everything back."

No one knows for sure just how widespread these attacks are today, but they share some basic characteristics in how they are executed. The attacker typically gains initial access through a Web application vulnerability, or via a successful spear-phishing attack on an employee. Once inside, he may wait several days after this first stage before taking the next step.

"The path of least resistance is still through the application. Once there, they can compromise" the system, Rothman says. "And then they can turn off logging" to evade detection, he says.

Instead of hammering a Web server or database with a flood of malformed URL requests, which would quickly trip detection thresholds, the attacker may send only one or two a week, for example. Once inside, the attacker can create his own account, install Trojans or other malware to steal sensitive data, or do other nefarious things. But he takes each step slowly and quietly, rather than in one fell swoop.

Some recent high-profile attacks were staged similarly, in methodical, multiple steps -- aimed at the attacker gaining a foothold in the network without raising suspicion or sounding any network alarms.

Take the TJX hack. "The TJX incident is a good example of a multistage, low-and-slow attack," says Amit Klein, CTO of Trusteer. "The attackers first compromised the wireless LAN, which was poorly encrypted, then eavesdropped on TJX employee logins to collect credentials, then logged in to the main system and created their own accounts, and then tapped into the TJX transactions/databases."

The first clue that TJX's breach wasn't a smash-and-grab job was a set of configuration changes on some of its servers. "Someone compromised it and had been in there for years before people realized it," eIQnetworks' Rothman says.

Rothman says his firm is hearing a lot of stories "from the field" about organizations discovering that they've been victims of these longer-term, stealthy attacks. "We are starting to see these data points add up," he says.

The first phase of the CheckFree hack had the earmarks of a "low and slow" spear-phishing attack on one of its systems administrators, according to Trusteer's Klein. Attackers reportedly stole the credentials of one of CheckFree's system administrators in order to redirect traffic from the MyCheckFree page to their own malicious one. But the subsequent stages of the attack weren't so stealthy: the bad page was discovered quickly because the attackers didn't bother to mimic the MyCheckFree Web page when they redirected victims to their phony site.

"They weren't very subtle about [the malicious Web page]. It could have been more [powerful] if it had been presented as identical with the CheckFree page," notes Trusteer's Klein. Still, the attackers successfully compromised CheckFree customers.

"The multistage attack compromises the network and finally compromises the customers of the [targeted organization]. And doing so requires not being detected in the first steps of the attack" as the CheckFree attackers successfully did, Klein says.

The next level of these attacks is actually modifying the victim's application to monetize it in some way, notes John Pescatore, vice president and research fellow at Gartner. "So far, it's all been cybercrime for obtaining information and reselling it for identity theft, versus breaking into Amazon.com and adding a dollar to each transaction that's billed and gets sent to [the attacker]," he says. "These kinds of things are where the attacker really becomes a long-time resident and modifies an application. We haven't seen that yet."

Defending against these types of attacks isn't easy -- you can't fight what you can't see. A handful of probes spread across weeks never crosses a per-hour alerting threshold, so correlating them requires retaining logs and event data for much longer than most organizations typically do. Whitelisting can help flag unauthorized or unusual application activity, experts say, and protecting user credentials reduces the damage a successful spear-phishing attack can do.
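The following Python example is added here to illustrate the two defensive points above and the one-or-two-probes-a-week pattern described earlier; it is not code from the article or from any vendor quoted in it. It assumes combined-format Web access logs (the sample lines are constructed inline), and the probe signatures, window lengths and thresholds are illustrative choices, not recommended values. The same sliding-window count is run twice: over a one-hour window, which catches a noisy scanner but misses the slow attacker, and over a 30-day window, which catches both. A second heuristic looks for unexpectedly long silences in the log stream, the kind of gap an attacker leaves when logging is switched off.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined/common access-log line, e.g.
#   203.0.113.7 - - [02/Jan/2009:10:15:00 +0000] "GET /x HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative signatures of malformed / injection-style URL requests (assumption).
SUSPICIOUS = [
    re.compile(r"\.\./"),                        # path traversal
    re.compile(r"(?i)union(?:%20|\+| )select"),  # SQL injection probe
    re.compile(r"(?i)<script"),                  # XSS probe
    re.compile(r"%00"),                          # null-byte truncation
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def is_suspicious(path):
    return any(p.search(path) for p in SUSPICIOUS)


def flag_sources(lines, window, threshold):
    """Return the set of source IPs that sent >= threshold suspicious requests
    inside any span of length `window`. The window is slid over each source's
    sorted timestamps, so the result depends directly on how much history
    `lines` retains."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec["path"]):
            events[rec["ip"]].append(rec["ts"])
    flagged = set()
    for ip, times in events.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def logging_gaps(lines, max_gap):
    """Return (start, end) pairs where consecutive log entries are more than
    `max_gap` apart. Heuristic only: on a busy server a multi-hour silence is
    anomalous and worth checking against other log sources (was logging disabled?)."""
    times = sorted(r["ts"] for r in map(parse_line, lines) if r)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


# ---- Constructed sample log (not real traffic) ---------------------------------
def _line(ip, ts, path, status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'

_BASE = datetime(2009, 1, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# Benign client: one request a day for 30 days, except a 3-day silence
# (days 12-14) standing in for a period when logging was switched off.
for d in range(30):
    if d not in (12, 13, 14):
        SAMPLE_LOG.append(_line("192.0.2.10", _BASE + timedelta(days=d), "/index.html"))
# Noisy scanner: ten injection probes within ten seconds on day 3.
for i in range(10):
    SAMPLE_LOG.append(_line("198.51.100.23", _BASE + timedelta(days=3, seconds=i),
                            "/index.php?id=1%20union%20select%201", 500))
# Low-and-slow attacker: one probe every five days, six probes in total.
_PROBES = ["/../../etc/passwd", "/search?q=<script>alert(1)</script>",
           "/index.php?id=1%20union%20select%201", "/file?name=a%00.jpg",
           "/../../../boot.ini", "/login?user=<script>"]
for d, path in zip((1, 6, 11, 16, 21, 26), _PROBES):
    SAMPLE_LOG.append(_line("203.0.113.7", _BASE + timedelta(days=d, hours=2, minutes=15), path, 404))


if __name__ == "__main__":
    print("1-hour window, 5 probes :", flag_sources(SAMPLE_LOG, timedelta(hours=1), 5))
    print("30-day window, 5 probes :", flag_sources(SAMPLE_LOG, timedelta(days=30), 5))
    print("log gaps > 36h          :", logging_gaps(SAMPLE_LOG, timedelta(hours=36)))
```

Run stand-alone, the short window reports only the scanner, the long window reports the scanner and the slow attacker, and the gap check reports the single multi-day silence. The point is the retention trade-off: a rule that only looks at the last hour of data has nothing to correlate, however good its signatures are.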










