Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:29 PM
Connect Directly

Slow And Silent Targeted Attacks On The Rise

Targeted, methodical attacks difficult to detect

The most determined cybercriminals don't necessarily work fast when they breach a network, and their infiltration is often silent and undetectable. But it's this brand of "low and slow" targeted attack that can also be the most deadly, security experts say.

This is a methodical attack, where the attacker covers his tracks as he penetrates the network, sometimes ceasing the attack for days at a time to avoid raising suspicion. It's typically a nearly invisible hack that isn't discovered until it's too late, after the bad guys have made off with valuable data and done serious damage. Security experts say IT and security managers need to be at the ready for these highly targeted attacks, which may be more common than once thought.

"It used to be a 'smash and grab,' where criminals would see what they could get," says Mike Rothman, senior vice president of strategy at eIQnetworks. "Now the criminals we're seeing are a lot more savvy than that and are using time to their advantage. They're not leaving broken windows, broken couches...If they start shuffling through one drawer, they are careful to put everything back."

No one knows for sure just how widespread these attacks are today, but some basic characteristics are present as to how they are executed. The attacker typically initially gains access through a Web application vulnerability, or via a successful spear-phishing attack on an employee. After he gets inside, he may wait a few days or so after this first stage of the attack.

"The path of least resistance is still through the application. Once there, they can compromise" the system, Rothman says. "And then they can turn off logging" to evade detection, he says.

Instead of brute-force attacking a Web server or database with malformed URL requests that could easily be detected, the attacker may send only one or two a week, for example. Once inside, the attacker can create his own account, install Trojans or other malware to steal sensitive data, or do other nefarious things. But he takes each step slowly and quietly, rather than in one fell swoop.

Some recent high-profile attacks were staged similarly, in methodical, multiple steps -- aimed at the attacker gaining a foothold in the network without raising suspicion or sounding any network alarms.

Take the TJX hack. "The TJX incident is a good example of a multistage, low, and slow attack," says Amit Klein, CTO of Trusteer. "The attackers first compromised the wireless LAN, which was poorly encrypted, then eavesdropped on TJX employee logins to collect credentials, then logged in to the main system and created their own accounts, and then tapped into the TJX transactions/databases."

The first clue that TJX's breach wasn't a smash-and-grab job were configuration changes on some of its servers. "Someone compromised it and had been in there for years before people realized it," eIQnetworks' Rothman says.

Rothman says his firm is hearing a lot of stories "from the field" about organizations discovering that they've been victims of these longer-term, stealthy attacks. "We are starting to see these data points add up," he says.

The first phase of the CheckFree hack had the earmarks of a "low and slow" spear-phishing attack on one of its systems administrators, according to Trusteer's Klein. Attackers reportedly stole the credentials of one of CheckFree's system administrators in order to redirect traffic from the MyCheckFree page to their own malicious one. But the subsequent stages of the attack weren't so stealthy, and the bad page was discovered quickly due to the fact that the bad guys didn't bother to mimic the MyCheckFree Web page when they redirected victims to their phony site.

"They weren't very subtle about [the malicious Web page]. It could have been more [powerful] if it had been presented as identical with the CheckFree page," notes Trusteer's Klein. Still, the attackers successfully compromised CheckFree customers.

"The multistage attack compromises the network and finally compromises the customers of the [targeted organization]. And doing so requires not being detected in the first steps of the attack" as the CheckFree attackers successfully did, Klein says.

The next level of these attacks is actually modifying the victim's application to monetize it in some way, notes John Pescatore, vice president and research fellow at Gartner. "So far, it's all been cybercrime for obtaining information and reselling it for identity theft, versus breaking into Amazon.com and adding a dollar to each transaction that's billed and gets sent to [the attacker]," he says. "These kinds of things are where the attacker really becomes a long-time resident and modifies an application. We haven't seen that yet."

Defending against these types of attacks isn't easy -- you can't fight what you can't see. Correlating events requires keeping longer-term logs and data than most organizations typically do. Whitelisting can help flag unauthorized or unusual application activity, experts say, and securing user credentials can protect you from the dangers of spear-phishing attacks.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-, 14.0.0-, 13.0.0-, 12.1.0-, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.
PUBLISHED: 2019-09-20
F5 BIG-IP ASM 15.0.0, 14.1.0-, 14.0.0-, 13.0.0-, 12.1.0-, 11.6.0-11.6.4, and 11.5.1-11.5.9 may expose sensitive information and allow the system configuration to be modified when using non-default settings.
PUBLISHED: 2019-09-20
The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.