
Surviving Targeted Virus Attacks

Posted by kimZ | News You Can Use | 07-09-2010



Viruses and worms are old news. We all protect ourselves and our organizations from the common attacks that sweep across the Web looking for targets of opportunity. Mass phishing is routinely caught by filters today, and even casual users smell a rat now and then. But those defensive gains cut into the bottom line of cybercrime, so attackers are making life easier for themselves and harder for defenders by aiming at a smaller number of higher-value targets.

Attacks against specific organizations or individuals are known as targeted attacks. Rather than throw malware at the Internet and wait for vulnerable systems to turn up, a targeted attack relies on social engineering: the message is crafted so that the intended recipient believes the email or other electronic object is legitimate. Because the content is plausible and specific to the target, it also tends to pass content filters, which are tuned to the generic patterns of mass attacks and find nothing in it that violates their rules.

Relevance is very important when targeting senior management or other key employees. Attackers might investigate a company for months to identify:

* individuals in the target organization who have access to desired information;

* major projects in process;

* common business partners, vendors, etc.; and

* names and email addresses of individuals who regularly send mail to target users.

Using this information, an attacker can craft emails that refer to a real business deal, project or relationship. The source addresses will most likely be spoofed, so the messages appear to come from a business or individual with whom the target users regularly communicate. Sender authentication at the receiving mail gateway (SPF and DKIM checks on the claimed domain) will catch a From address that simply forges a partner's domain; it will not catch a look-alike domain the attacker registered and controls, so the two cases need separate checks.
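One way to put the spoofing checks above into practice at the mail gateway, as an added example that is not part of the original post and not Responza's code. It uses only the Python standard library; the two messages, the receiving server name `mx.target.example` and the partner-domain allowlist `KNOWN_PARTNER_DOMAINS` are constructed for illustration. The first three checks catch the direct forgery case (envelope and visible sender disagree, replies are redirected, the MTA recorded an SPF/DMARC failure); the fourth catches look-alike domains, which authentication cannot flag because the attacker legitimately owns them.

```python
"""Header triage for a suspected targeted (spear-phishing) email.

Added example for this post, not code from the original article or from
Responza. Uses only the Python standard library. The messages, the mail
server name 'mx.target.example' and the partner domain allowlist are all
constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist: domains of partners that regularly mail the target users.
KNOWN_PARTNER_DOMAINS = {"acme-partners.example"}

# Constructed sample: forges a real partner's domain in From, is sent from a
# look-alike domain, redirects replies to a second look-alike domain, and
# carries the SPF/DMARC failures our own MTA recorded on receipt.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-acme-partners.example>
Authentication-Results: mx.target.example; spf=fail smtp.mailfrom=mail-acme-partners.example; dkim=none; dmarc=fail header.from=acme-partners.example
From: "Jane Doe" <jane.doe@acme-partners.example>
Reply-To: jane.doe@acme-partners-docs.example
To: cfo@target.example
Subject: Revised terms for the Q3 acquisition
Content-Type: text/plain

Please review the attached revised terms before tomorrow's call.
"""

# Constructed sample of a genuine message from the same partner.
CLEAN_MESSAGE = """\
Return-Path: <jane.doe@acme-partners.example>
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=acme-partners.example; dkim=pass header.d=acme-partners.example; dmarc=pass header.from=acme-partners.example
From: "Jane Doe" <jane.doe@acme-partners.example>
To: cfo@target.example
Subject: Agenda for tomorrow's call
Content-Type: text/plain

Agenda attached.
"""


def _domain(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage_headers(raw, partner_domains=KNOWN_PARTNER_DOMAINS):
    """Return (category, detail) findings that point to sender spoofing.

    Every check is header-only and conservative: a finding is a reason to
    hold the message for review, not proof of an attack.
    """
    msg = message_from_string(raw)
    findings = []
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    reply_to_domain = _domain(msg.get("Reply-To"))

    # 1. Envelope sender (Return-Path) does not match the visible From domain.
    if return_path_domain and return_path_domain != from_domain:
        findings.append(("return-path-mismatch",
                         f"{return_path_domain} != From domain {from_domain}"))

    # 2. Reply-To quietly sends the reply somewhere other than the From domain.
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(("reply-to-mismatch",
                         f"{reply_to_domain} != From domain {from_domain}"))

    # 3. SPF/DKIM/DMARC verdicts written by our own receiving MTA. A 'fail'
    #    on a partner's domain means the From header was forged outright.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() not in ("pass", "none"):
            findings.append(("auth-fail", f"{mech}={m.group(1)}"))

    # 4. Look-alike domains: not on the allowlist, but the registrable label
    #    contains a partner's label (extra words or hyphens are the usual trick).
    #    Authentication cannot catch these, because the attacker owns the domain.
    partner_labels = {d.split(".")[0] for d in partner_domains}
    seen = {from_domain, return_path_domain, reply_to_domain} - set(partner_domains) - {""}
    for dom in sorted(seen):
        label = dom.split(".")[0]
        if any(p in label for p in partner_labels):
            findings.append(("lookalike-domain", f"{dom} resembles a known partner"))

    return findings


def should_hold(raw, partner_domains=KNOWN_PARTNER_DOMAINS):
    """Quarantine rule for this example: hold the message on any finding."""
    return bool(triage_headers(raw, partner_domains))


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, "hold" if should_hold(raw) else "deliver")
        for category, detail in triage_headers(raw):
            print("  ", category, "-", detail)
```

Run as a script it reports the spoofed sample held with six findings and the clean sample delivered with none. The Authentication-Results header must be the one your own MTA writes on receipt; an attacker can insert a forged one upstream, so strip or ignore any copy that did not originate at your gateway before trusting it.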

The goal of an attacker using these methods is stealth. To collect as much information as possible from the target user, the malware must stay hidden and the transfer of stolen data must look like normal network traffic. Those requirements make such attacks hard for security teams to spot with anti-malware tools alone, but not impossible.

The first line of defense is not a piece of software or a network appliance. It is understanding that the computers of key employees are valued targets. Compromising one of these devices gives the attacker access to whatever information its user creates or handles, so the users with the broadest access, or access to the most sensitive information, are at the top of any attacker's list. In most organizations that means senior management: C-level executives and department heads.

Unfortunately, the computers used by these individuals are often the least protected, thanks to a double standard in security controls. Many executives believe they are smart enough to avoid a malware infection, or simply prefer not to live with the internet restrictions imposed on the rest of the workforce. That double standard hands a large attack surface to anyone using a targeted approach.

To help meet the challenges of defending against targeted attacks, Responza recommends the following:

1. Eliminate any double standard in how security controls are applied. Managers should understand that they are at higher risk as attackers shift from broad- to narrow-scope attempts to compromise systems.

2. Under no circumstances should a user who processes sensitive information have local administrator access to their computer. Even if a user opens an infected attachment, malware that needs elevated privileges to install system-wide, disable security software or load a driver will fail. It does not stop code from running in the user's own context with the user's own access to data, so treat it as a wall between the target and the attacker, not a complete barrier; it is still the single most effective control on this list.

3. Ensure all systems are patched, including applications. Targeted attachments typically exploit a flaw in the document reader, office suite or browser rather than the operating system, so third-party application patching matters as much as OS patching.

4. Users must be aware of the threat. This begins with training them on how targeted attacks work and how to react to a suspected one, and continues by folding targeted-threat awareness into the existing security awareness material.

5. Finally, the common controls must remain in place: anti-malware software, host and network intrusion detection/prevention, email filtering, and so on.

Guarding against targeted malware attacks isn’t always easy, but it is increasingly necessary.
