Targeted attacks on companies
Stop IT!
Amid the flood of daily intruder attacks, you will find sophisticated, targeted attacks on specific companies. Adapted to a company's systems and staff, these attacks promise cybercriminals great monetary success. This article looks at watering hole and spear phishing attacks and shows how to protect yourself and your users.
A Ponemon Institute study has revealed some interesting information about cybercriminal practices. Ponemon interviewed approximately 10,000 hackers regarding how they worked. Seventy-nine percent of those surveyed described themselves as involved in the cyber attacker community. All told, 69 percent of those surveyed wanted to earn money with their attacks. The annual average salary is said to be EUR26,259 (~$28,199). Thus, the majority of attackers who responded earn far less than the security experts in the companies they attack. As a result, cybercriminals are highly motivated to achieve their goals with minimal effort, and they clearly prefer low-hanging fruit.
Large numbers of automated vulnerability scans help attackers determine the extent to which a company is vulnerable to known security holes. If cybercriminals cannot access the desired target quickly enough, 72 percent of respondents said they completely canceled the attack. According to the survey, robust security measures in the enterprise cause approximately 69 percent to cancel the attack. If the overhead increases by 40 hours, 60 percent of the attackers give up. At least 36 percent of attackers give up after 20 hours, 25 percent after 10 hours, and 13 percent after 5 hours.
In the case of companies with a very good IT security infrastructure, planning and executing an average attack takes 147 hours. This is more than twice the time it takes for an average security level, assuming the attacker has a good to very good level of knowledge. However, many attacks still succeed despite increasingly complicated enterprise defenses. Ponemon also studied the methods deployed by cybercriminals, and found that attackers always rely on automated or semi-automated toolkits. Sixty-eight percent of the attackers stated that the use of these tools gave them a huge efficiency advantage. Fifty-three percent also confirmed that the cost of attacks decreased – thanks to these tools – to an average of around EUR1,206 (~$1,295).
Watering Hole Attacks
The questions remain as to which attack methods are used, and how cybercriminals gain access to companies with a high security level. One special form of attack is the watering hole attack. This involves compromising, in advance, sites that one or more target persons are very likely to visit, and depositing malicious code there. When the victims visit this website, the probability is very high that they will end up infected through a vulnerability on the end device. The attacker's goal is to gain access to the internal network and to work their way up to the company's genuinely worthwhile targets through the infected mobile device.
The name of this method is derived from the animal world: Where animals in drier regions go to drink, predators usually await their victims. In a watering hole attack, the cybercriminal infects websites that are popular with the victims. The attacker waits for an opening to infect the site with malware, and then attacks the victims during their visit. At this point, attackers make a distinction (e.g. by IP address or user agent) between their actual targets and other visitors. If the malicious code hit uninvolved visitors indiscriminately, the attack would be far more likely to be discovered by the site operators or a security vendor.
The attacker first needs to create a profile of the targets and research them accordingly. The victims typically include employees of large corporations and groups, as well as government employees. Once a frequently visited site is found, the hackers compromise it with malicious code. Watering hole attacks are rare, but also extremely dangerous, because the attacker's preparatory actions are normally very difficult to uncover. Cybercriminals use this method of attack to intrude on companies with a high security level. In addition to attacks on employees and business partners, service providers with a low security level are also targeted.
To protect against this type of attack, make it as hard as possible to profile your company. This includes information disclosed by employees, as well as information about the software in use. In addition, you should keep your programs up to date at all times. Install application software updates on client machines in particular, especially for the browser and its plug-ins. Also, the company should think carefully about which plug-ins are even necessary. Most attacks take place via the increasingly obsolete Adobe Flash. Removing unnecessary browser add-ons and implementing up-to-date patch management for your application software actually prevents most attacks.
Spear Phishing
Most computer users are familiar with phishing. The attacker sends spam email, seemingly from a legitimate source such as a bank or an online service, with a request to log in via a manipulated link. Doing so reveals the victim's access credentials. While phishing email is widespread and relatively easy to detect, the spear phishing method takes a far more targeted approach.
Spear phishing is aimed at specific organizations and companies. Again, the attacker seeks to gain access to confidential data. Much like in a watering hole attack, the attacker needs to do careful research in advance. To create genuine-looking email, they need to know the names of the targets, as well as their positions and their work area in the company. They can then adjust the tone and content of the email accordingly. Emails used for a spear phishing campaign appear to come from a trusted source, just like normal phishing campaigns. Spear phishing impersonates the sender of the email, for example, by pretending to be a fellow employee, often a superior.
These personally addressed and formulated email messages include a booby-trapped PDF or Office document as the attachment. This document is then used to transport the actual exploit code. Directly executable .exe files are unusual in these advanced persistent threat (APT) attacks. The risk of these file types being caught by simple technical protection measures is too great. Also, sensitized users are fairly suspicious of executable files.
Carefully crafted spear phishing emails are almost undetectable by normal users. They refer to senders that actually exist, discuss current issues in the company, and address the recipient personally. Also, attachments in the form of documents arouse no immediate suspicion – but if the users actually open the files, malicious code is installed on the computer in the background, and the attackers have gained a foothold on the network. Security here again relies on timely patching of user software, since even well-made spear phishing campaigns sometimes rely on security gaps that have already been closed – although there are also targeted attacks with zero-day exploits.
On top of this, secure settings in the user programs can help when it comes to interactive content such as macros, Visual Basic, or JavaScript. Interactive content should be blocked to whatever extent possible. Also, special sandbox systems at the gateway offer some protection by identifying potentially dangerous email attachments by their behavior alone, independent of signatures or heuristics. And finally, in the case of internal emails or messages from business partners with unusual content, it helps to talk to the alleged sender personally before triggering actions that could harm the company.
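As an added illustration (not part of the original article), the following Python script applies three of the indicators discussed above to a constructed message: a colleague's display name on a sender address outside the company domain, a Reply-To that diverges from the visible sender, and a document attachment of the kind spear phishing campaigns favor. The company domain, the staff directory and the sample messages are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # assumed company domain
# Constructed staff directory; a real deployment would read it from the address book.
KNOWN_STAFF = {"Jane Doe": "jane.doe@example.com"}
# Document types the article names as typical exploit carriers, plus macro-enabled Office formats.
RISKY_EXTENSIONS = (".pdf", ".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")


def analyse(raw: bytes) -> list:
    """Return a list of spear phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    # A colleague's display name on a message that did not come from the company domain
    if name in KNOWN_STAFF and domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{name}' imitates {KNOWN_STAFF[name]} but sender is {addr}")
    # Reply-To steering answers to an address other than the visible sender
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To {reply} differs from From {addr}")
    # Document attachments: not proof of anything, but the carrier the article describes
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append(f"document attachment {fname}")
    return findings


def build_sample(spoofed: bool = True) -> bytes:
    """Constructed test message: a spear phishing lookalike, or a benign internal mail."""
    m = EmailMessage()
    m["To"] = "john.smith@example.com"
    m["Subject"] = "Q3 budget figures"
    m.set_content("John, please review the attached figures before tomorrow's meeting.")
    if spoofed:
        m["From"] = "Jane Doe <jane.doe@example-mail.net>"
        m["Reply-To"] = "jane.doe.office@example-mail.net"
        m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                         subtype="pdf", filename="Q3_budget.pdf")
    else:
        m["From"] = "Jane Doe <jane.doe@example.com>"
    return m.as_bytes()
```

Running analyse(build_sample()) reports all three indicators for the constructed lookalike, while the benign internal variant produces none; in practice such checks belong at the mail gateway next to the sandbox, not on the user's desktop.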
Of course, these measures cannot give you full protection against professional attacks. Companies thus need to prepare to be hacked, and to detect attackers on the network. Intrusion detection systems (IDS) are typically used for this. Also, honeypots that contain seemingly interesting information are useful for luring attackers into a trap and unmasking them.
Conclusions
Watering hole and spear phishing attacks are targeted towards certain companies and even individuals. They are more complex for attackers since they have to make some preparations. However, the prospect of success is also significantly higher. These methods seem particularly fruitful for attackers targeting well-established companies with a high security level. Basic security measures help to fend off attacks, or at least detect them, but one hundred percent security is never possible. Employees are still the weakest link in the chain, and are also likely to remain one of the biggest attack vectors in the future.