Your rising sense of panic is justified. Targeted attacks on valuable data – yours, your employees’, and your company’s - are only becoming more sophisticated and diverse. Yesteryear’s defences will not save you in 2014 and beyond.
With every advance in a hacker’s arsenal, the language being used to describe threats evolves too – and if you can’t name the problem, you can’t help find the solution. Here’s how to sound like you know what you’re talking about when you discuss your business’ security concerns.
1. Advanced threats
Advanced threats, also known as Advanced Persistent Threats (APTs), are targeted attacks on specific organisations by well-resourced and patient attackers. They use commercially available and/or custom-made malware to steal information or perpetrate fraud, and they aim to keep a foothold inside the organisation for as long as possible rather than strike once and leave.
Data is at the heart of modern businesses and is now the primary target for cyber-criminals using these methods, but reputational damage is frequently the most costly consequence of an APT attack.
Targeted attacks are multi-stage and specifically designed to evade the technologies that attempt to detect and block them at the perimeter. Once the attacker is inside, detection depends on understanding the behaviour of the individual attack components (the initial delivery, the exploit, the persistence mechanism, the command-and-control traffic and the eventual data exfiltration) and correlating them, because no single one of them looks conclusively malicious on its own.
Legacy controls such as signature-based anti-virus software and perimeter firewalls cannot be relied on to stop advanced threats by themselves: the malware is built, and tested against those very products, before it is ever used against you.
2. Spear phishing
Spear phishing attempts are typically initiated by determined perpetrators out for financial gain, trade secrets or military information. The attacker uses a specially crafted email message, built from details gathered about the recipient and the organisation (names, roles, suppliers, current projects), that lures the user into performing an action that results in malware infection, credential theft, or both. This is often the first step that enables a highly targeted attack on your business.
Unlike mass phishing emails, which are easily recognised as fraudulent, this labour-intensive and highly targeted technique can easily trick your employees into opening weaponised documents or visiting compromised or malicious websites.
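The indicators described above can be checked mechanically on an incoming message. The script below is an added example and not part of the original article or of any IBM product: it parses a message and flags an executive's display name on an outside address, a sender domain that is a look-alike of the company's own, a Reply-To that diverts replies elsewhere, urgency language in the subject and weaponisable attachment types. The organisation domain, the executive names, the extension list and the sample message are all constructed assumptions for illustration.

```python
"""Spear-phishing triage: flag the indicators described in the text for one message.

Added example, not from the original article. The organisation domain, the
executives worth impersonating, the risky-extension list and the sample
message are constructed assumptions for illustration.
"""
import difflib
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OWN_DOMAIN = "example.com"                      # assumed: our own mail domain
VIP_NAMES = {"jane doe", "john smith"}          # assumed: CEO / CFO display names
RISKY_EXTENSIONS = {".exe", ".scr", ".jar", ".js", ".vbs", ".hta",
                    ".docm", ".xlsm", ".pptm"}  # commonly weaponised attachments
URGENCY_WORDS = ("urgent", "immediately", "wire", "overdue", "action required")


def domain_of(address):
    """'jane.doe@examp1e.com' -> 'examp1e.com' (lower-cased, '' if malformed)."""
    return address.rpartition("@")[2].lower()


def lookalike_domain(domain, own=OWN_DOMAIN, threshold=0.8):
    """True for near-misses of our own domain such as examp1e.com or example.co.

    A plain character-similarity ratio is enough to show the idea; a production
    check would also normalise homoglyphs and compare registered domains only.
    """
    if not domain or domain == own:
        return False
    return difflib.SequenceMatcher(None, domain, own).ratio() >= threshold


def triage(raw_message):
    """Return the spear-phishing indicators found in an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(address)
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    subject = str(msg.get("Subject", "")).lower()

    findings = []
    # (a) an executive's name on an address that is not ours
    if display_name.strip().lower() in VIP_NAMES and sender_domain != OWN_DOMAIN:
        findings.append("display name impersonates %s from %s"
                        % (display_name, sender_domain))
    # (b) a domain registered to look like ours
    if lookalike_domain(sender_domain):
        findings.append("look-alike sender domain %s" % sender_domain)
    # (c) replies silently redirected elsewhere
    if reply_domain and reply_domain != sender_domain:
        findings.append("Reply-To domain %s differs from sender" % reply_domain)
    # (d) urgency pressure in the subject line
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency language in subject")
    # (e) weaponisable attachment types
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append("risky attachment %s" % name)
    return findings


def build_sample():
    """Constructed sample: an outsider posing as the CEO, sending a macro document."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@examp1e.com>"
    m["To"] = "accounts@example.com"
    m["Subject"] = "Urgent: wire transfer before 5pm"
    m.set_content("Please process the attached payment instruction today.")
    m.add_attachment(b"PK\x03\x04constructed-placeholder-bytes",  # not a real document
                     maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="Payment_Instruction.docm")
    return m.as_string()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("!", finding)
```

Run on the constructed sample, the script reports four findings (impersonated display name, look-alike domain, urgency language, macro-enabled attachment). None of them is proof on its own; the value is in scoring the combination before a user ever sees the message.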
3. Zero-day attack
Many malware infections result from the exploitation of application vulnerabilities, and the most dangerous of these are ‘zero-day’ vulnerabilities: bugs that are unknown to the software vendor, so called because the vendor has had zero days to develop a fix by the time the first attack is discovered. Cybercriminals continuously develop new exploits for such vulnerabilities to introduce malware and compromise computers.
Exploitation of a zero-day vulnerability can take place from the moment the cybercriminal becomes aware of the vulnerability until a software update (also called a patch) becomes available and, just as importantly, is actually installed. This window can last days, weeks or even months. Protecting against zero-day exploitation is particularly difficult, since by definition you don’t know what the vulnerability is until it has been exploited; the practical defences are reducing the attack surface (removing software and plug-ins that are not needed), limiting what an exploited application can do (least privilege, sandboxing) and detecting the behaviour that follows a successful exploit rather than the exploit itself.
The most targeted applications are Java, Adobe Reader and popular browsers, according to a survey of more than one million banking and enterprise customers commissioned by IBM X-Force in December 2013. Given the recent rash of Java zero-day vulnerabilities, many security experts recommend reviewing where Java is actually needed and restricting it accordingly: disabling the browser plug-in where it is not required, and keeping the runtime patched where it is.
4. Drive-by download
A drive-by download is a silent malware installation that takes place in the background, without the user's knowledge or consent, simply as a result of visiting a webpage. The download is triggered by exploiting a vulnerability in the browser or in a browser plug-in such as Java, Flash or a PDF reader.
The attacker plants hidden malicious content, called an exploit, on a webpage, typically as an invisible iframe or script that pulls the exploit code from a server the attacker controls. The page could be a malicious website created and hosted by the attacker, or a legitimate website that the attacker has compromised.
Drive-by downloads are stealthy in nature and difficult to prevent. Many browsers and plug-ins are not kept properly patched, or have zero-day vulnerabilities for which no patch yet exists, so they remain vulnerable to these attacks.
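The hidden iframe or script that a compromised page uses to pull in the exploit is something you can look for directly. The scanner below is an added example, not code from the original article or from any IBM product: it parses fetched HTML and reports iframes, scripts and objects that are hidden from the user (zero-pixel size, display:none, pushed off-screen) or that load content from a domain other than the page's own. The sample page and every domain name in it are constructed for illustration.

```python
"""Scan a fetched page for the injected loaders that drive a drive-by download.

Added example, not from the original article. The page fragment and the
domain names are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

LOADING_TAGS = ("iframe", "script", "object", "embed")


def _is_hidden(attrs):
    """Zero/one-pixel size, display:none, visibility:hidden or off-screen position."""
    if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
        return True
    style = "".join((attrs.get("style") or "").split()).lower()
    return any(marker in style for marker in
               ("display:none", "visibility:hidden", "left:-", "top:-"))


class InjectedContentScanner(HTMLParser):
    """Collects every loading tag that is hidden and/or fetches off-domain content."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in LOADING_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data") or ""
        host = (urlparse(src).hostname or "").lower()  # '' for relative URLs
        reasons = []
        if host and host != self.page_host:
            reasons.append("off-domain")
        if _is_hidden(a):
            reasons.append("hidden")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def scan(html, page_host):
    """Return the suspicious loading tags found in html served from page_host."""
    scanner = InjectedContentScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def high_confidence(findings):
    """Hidden *and* off-domain loaders are the classic exploit-kit injection."""
    return [f for f in findings
            if "hidden" in f["reasons"] and "off-domain" in f["reasons"]]


# Constructed sample: a forum page with one ordinary ad frame, one tracker
# script and one zero-size iframe injected after the site was compromised.
SAMPLE_PAGE = """<html><head><title>Town Forum</title>
<script src="/js/forum.js"></script></head>
<body><h1>Welcome back</h1>
<iframe src="http://ads.partner.example/banner" width="300" height="250"></iframe>
<!-- injected by the attacker after compromising the site -->
<iframe src="http://cdn-update.example/landing.php" width="0" height="0"
        style="display:none"></iframe>
<script src="//stats.tracker.example/t.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE, "forum.example"):
        print(f["tag"], f["src"], ",".join(f["reasons"]))
```

On the sample, all three off-domain loaders are reported, but only the zero-size, display:none iframe pointing at cdn-update.example is returned by high_confidence; the visible ad frame and the tracker script are exactly the kind of third-party content a watering hole or malvertising campaign hides among, which is why a scan like this is best combined with reputation data for the hosts it finds.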
5. Watering hole attack
Watering hole attacks are insidious threats from patient attackers who infect trusted sites that their intended victims regularly visit. These may be specific discussion forums or sites where users download applications or updates.
This type of attack, described as ‘poisoning the watering hole’, has been used to deliver malware to even the most technically savvy organisations. Banks, activist groups, government foreign policy resource sites, manufacturers, the defence industrial base and even Facebook, Twitter and Apple have been snared using this technique. Rather than sending out targeted links and hoping someone will click on one, this is like poisoning a town’s water supply. It’s only a matter of time.
Similar to watering hole attacks, malvertising is gaining traction. It occurs when attackers target advertising networks by injecting ads with malicious exploits that lead to drive-by downloads. These malicious ads can then expose vulnerable users across the many websites displaying the content arriving from the advertising networks.
- Simon Smith is a QRadar Technical Professional at IBM Security Systems