Targeted Attacks: A Defender's Playbook

Cyberthreat actors are increasingly going after a single victim. Here are some tips to help your organization get ready.

with data, to the point that even when an alert is triggered by a targeted attacker it's ignored because it looks like all the other attacks.

"The Target breach is probably the best example of a company knowing that the breach was detected early on, but it was an alert within millions of other alerts, and it got ignored," Sutton says.

As a result, organizations need to stop waiting for alerts and start adopting a more proactive "hunting" method to look out for targeted attackers silently roaming the network, according to Dmitri Alperovitch, co-founder and CTO of CrowdStrike, a threat detection vendor focusing on advanced and targeted attacks.

"You're going to assume that the adversary has evaded all your technology, and you're going to try to fully instrument your network to look for anomalous activities, and look for signs of compromise that may already exist," Alperovitch says. "You need to understand everything that's going on from an execution perspective in your corporation so that you can analyze for both external threat actors and potential insiders looking to do damage to your network."

To make that happen, though, organizations need to overcome a skills and resource gap within security personnel.

"Technology is fantastic, but without a great team that can look at the data, prioritize it, and respond effectively to incidents, you're really not able to leverage it fully," Alperovitch says. "Upgrading the talent is probably the No. 1 challenge for organizations right now."

Jason Lewis, chief research scientist with Lookingglass, agrees, saying that many organizations get ahead of themselves when investing in threat intelligence feeds, because they don't have the people to utilize the information. These subscription services provide data about how attackers are operating. "Make sure there are people and processes to deal with the threats, then add the feeds and the intel," Lewis says.


More-resilient infrastructure
Some experts believe that companies must look beyond detection and response for targeted attacks. "We're not going to stop them getting in eventually," says Chris Morales, practice manager of architecture and infrastructure for NSS Labs, a testing and analyst firm. Morales believes that more companies need to view targeted attacks as an architectural issue. "It truly surprises me that I still find organizations with almost a flat trust model where internal systems and services connect to each other and where access from workstations can get you anywhere," Morales says. "They have all these defenses, but once you're past them, you're in and you can pivot attacks easily."

The trick, he believes, is for companies to design their networks and application infrastructure so that it takes attackers longer to find what they're looking for. For example, segmenting the network works much like the bulkheads a shipbuilder designs, so that a collision limits damage to only one section of a ship. When servers running one type of application or data are separated from those running another type, it's more difficult for attackers to find what they're looking for through the compromise of a single asset. And the longer they're on the network, the more likely they'll be exposed before they steal data.

"We need to slow down their success rate," Morales says. "So I'd advise the use of server isolation zones, or more specifically, an application-centric trust model. That way, this application can't touch this other one and, not only that, the presentation layer can't access the middleware layer or the database layer."

So even if an attacker breaches a web server, they're not able to get to application processing or to a database. Or if the attacker accesses a client, they can't get to any other clients or servers.
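To make the contrast concrete, here is an added example (not from the article or from NSS Labs) that compares a flat trust model with an application-centric one by counting what a compromised asset can connect to directly and how many allowed connections must be chained to reach a database. The asset names, zones and the segmented rule set, in which each tier may reach only the next tier of its own application, are assumptions made for illustration.

```python
from collections import deque

# Constructed inventory: asset -> zone. Names are illustrative, not from the article.
ASSETS = {
    "ws-1": "clients", "ws-2": "clients",
    "web-a": "a-web", "app-a": "a-app", "db-a": "a-db",
    "web-b": "b-web", "app-b": "b-app", "db-b": "b-db",
}

# Flat trust model: every internal zone may open connections to every zone.
FLAT = {(s, d) for s in set(ASSETS.values()) for d in set(ASSETS.values())}

# Application-centric model (assumed rules): clients reach only the web tier,
# and each tier reaches only the next tier of its own application.
SEGMENTED = {
    ("clients", "a-web"), ("clients", "b-web"),
    ("a-web", "a-app"), ("a-app", "a-db"),
    ("b-web", "b-app"), ("b-app", "b-db"),
}

def direct_reach(policy, asset):
    """Assets the given asset may connect to directly under the policy."""
    src = ASSETS[asset]
    return {a for a, z in ASSETS.items() if a != asset and (src, z) in policy}

def pivots_to(policy, start, target):
    """Fewest allowed connections that must be chained to get from start to
    target (breadth-first search); None if the policy leaves no path."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        asset, hops = queue.popleft()
        if asset == target:
            return hops
        for nxt in direct_reach(policy, asset) - seen:
            seen.add(nxt)
            queue.append((nxt, hops + 1))
    return None

def compare(start, target):
    """Per model: (directly reachable asset count, hops from start to target)."""
    return {
        name: (len(direct_reach(policy, start)), pivots_to(policy, start, target))
        for name, policy in (("flat", FLAT), ("segmented", SEGMENTED))
    }

if __name__ == "__main__":
    print(compare("ws-1", "db-a"))   # foothold on a workstation
    print(compare("web-a", "db-b"))  # foothold on application A's web server
```

Running the same comparison against a real zone inventory and firewall rule export shows which assets are one hop from a critical database and which rules would have to be removed to add distance.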

This model is more about cyber resilience than cyber protection, and about reducing the probability of an attack rather than just the impact. And that's huge when it comes to targeted threats, which are still rare but can cause more damage than any other type of cyber attack out there.
