Five Signs That You're Under a Targeted Attack
Clues that your organization is in the bull's eye might be right under your nose
September 20, 2007
The trouble with most targeted attacks is that by the time you realize your organization is under siege by hackers, you're toast: The attackers are either already well entrenched in your network or have already taken off with your data.
Unlike random attacks, the targeted attack is all about stealing (or sabotaging) documents, data, or intellectual property from a specific organization.
The good news is these attacks aren't as prevalent as random ones. The bad news is that they are on the rise: MessageLabs says there are about five to 10 targeted attack attempts daily on its clients, up from one to two a day 12 months ago, and one to two a week two years ago. And it's not just the big boys that are in the bull's eye anymore, according to MessageLabs -- even a small company with some hot intellectual property is at risk.
"The nature of a targeted attack is the person constructing the attack knows something about the organization it's targeting… He has some information about what information he wants to get access to… and has done some preliminary work preparing for the attack," says Paul Wood, senior analyst at MessageLabs.
These attacks often come in multiple stages, often starting with a zero-day attack that evades detection by signature-based tools. Sometimes an attacker just scans for a system that's missing patches and uses those holes to get inside, typically using a little social engineering to dupe an unsuspecting user into clicking on a link that executes a Trojan or other malware that sets in motion the real attack.
Traditional security tools are usually no match for a determined attacker. "It's very much the case now that, if you are targeted, traditional forms of defense won't offer you any protection," Wood says.
Plus it's not always easy to distinguish between a random attack and a targeted one -- it takes a trained and alert eye -- since many of the signs are similar, such as an IDS signature being triggered at a high rate, for instance.
"In any corporate IDS log, you'll see dozens or more attacks a day, but, fortunately, most are pretty unsuccessful. They're not trying to get into a specific company, but instead are looking for new machines [on which] to install spam relays or some kind of botnet tool," says Jeremy Rauch, a principal with Matasano Security. "A targeted attack is much more difficult to detect. Depending on the level of sophistication of the attacker, you might not see anything."
So is it "game over" if a determined attacker has set its sights on your organization? Not necessarily. Here are a few red flags that maybe, just maybe, will give you the opportunity to minimize the damage -- or, if you're lucky, stop an attacker in his tracks.
Contents:
Next Page: 1) Something's fishy about that otherwise authentic-looking email
Email that appears to be from someone inside the organization or someone who would normally be communicating with it -- a.k.a. spear phishing -- is a popular tool for targeted attacks.
Most targeted attacks start with a little reconnaissance -- the attacker deciphers your corporate email naming conventions and directs a message to someone in the company who'd be most likely to click on a link, like that eager temp in HR.
"This is getting emails that seem authentic, but when you look at them closely, they are really not," says Greg Shannon, chief scientist for CounterStorm. " 'I know that person, but I didn't expect to get that email from them with that attachment.' "
These messages can contain Microsoft Office or PDF documents -- purportedly from a "known" and trusted source, except that something's a little off: "But they have a different format from the sender's name that you normally see," for instance, says H.D. Moore, director of security research for BreakingPoint Systems and creator of the popular Metasploit hacking tool.
The HR assistant whose job it is to help people in the company would be an obvious "mark" for a sender posing as an employee looking for access to their personal record files, for instance -- basically social-engineering a user without using malware at all. (See Hacking Without Exploits)
Even CXOs are attractive targets, according to MessageLabs, which earlier this month intercepted around 1,100 messages during a 16-hour period -- all addressed to high-ranking executives at various companies. (See New Attacks Target Top Executives.)
CounterStorm's Shannon says spear-phishing messages usually harbor links infected with Trojan-based executable files or URLs to infected Websites.
Next Page: 2) Odd emails from unknown recipients
If you're getting messages with very little content, or just containing URLs, beware -- even if it's not obviously spam.
These are emails that get sent directly to someone in the organization.
"Or email messages with the Message Disposition Notification feature from an unknown sender," BreakingPoint's Moore says. (That's a feature where messages come with a "read receipt," where the recipient sends an auto-reply that he or she has read or received it.)
Just like the spoofed sender messages, these malicious emails are all about the attacker trying to identify an internal user and duping him or her into accessing a malicious Web page or document, Moore says.
Next Page: 3) Anonymous, or unusually high volumes of, data transfers
One of the most frustrating things about a targeted attack is that by the time you figure it out, you can't always tell when it started or even how far it's gone.
"There's no definitive moment I can tell you [that a] person knows he is under a targeted attack," Matasano's Rauch says. "If someone is poking at your Web app, and your logs show repeated attempts, the app isn’t letting them in, and you're able to identify that it's taking place" and prevent it.
Another telltale sign of a targeted attack is if you see data transfers going out of the organization anonymously, or in unusually high volumes "from unexpected people, times, and channels," CounterStorm's Shannon says.
Hint: That's probably the giant sucking sound of the bad guys robbing you blind.
That means your security was bypassed, big-time: "The biggest sign is that your current signature and policy-based security infrastructure doesn't see the [malicious] behavior. That's almost a pre-condition for a successful targeted attack," Shannon says.
But it's not just the outsiders you need to worry about. "It's just as likely that if you want to be successful at stealing proprietary information or credit-card information, you'd get yourself hired into a company as a temporary worker, a consultant, or a security guard and then getting on the network that way," Matasano's Rauch says.
"You can't blindly trust your employees," he says. "It's easier to secure against deliberate or indeliberate insider attacks if you give users only access to the things they need access to."
Next Page: 4) Suspicious requests to your company Website
Another sign that an attacker is digging for information is if you see suspicious searches in your Website logs. If there are a large number of Google searches for corporate email addresses, for instance, something may be awry, notes BreakingPoint's Moore.
"It's a fine line between targeted attacks and social engineering, but a great way to find users within an organization is to email the 'all,' 'everyone,' and team aliases, and just see who is out of the office," he says.
And if you notice any traffic trends at your public Web server, such as multiple attempts to send bad inputs (think SQL injection), Matasano's Rauch says, that could also indicate a targeted attack.
"A more targeted attack will be looking for flaws in your application," he says.
Next Page: 5) A denial-of-service attack on your Website or network
OK, so this a pretty obvious clue you can't miss -- a DOS attack isn't exactly stealthy. But a DOS attack alone isn't very effective if the attacker wants your trade secrets, so there's probably more going on here.
More likely is the DOS would serve as a cover or distraction for the real targeted attack going on in the background, such as running a known exploit on a vulnerable machine to gain access.
"DOS [alone] isn't very effective if your goal is to steal documents or obtain trade secrets," BreakingPoint's Moore says.
It's noticeable fairly quickly -- your Web server is down.
So how can you tell if it's a random DOS or one just for you? "If you're getting DOS'd and no one else is, it's obvious you're being targeted," CounterStorm's Shannon says. "But denial-of-service is what I worry least about... At least I can do something about it."
And this strong-arm technique is typically short-lived, anyway, he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like
A Cyber Pros' Guide to Navigating Emerging Privacy Regulation
Dec 10, 2024Identifying the Cybersecurity Metrics that Actually Matter
Dec 11, 2024The Current State of AI Adoption in Cybersecurity, Including its Opportunities
Dec 12, 2024Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024