A targeted attack is a sequence of hacking actions aimed at, and tailored for, a specific "victim" in order to steal its money or data. Softline experts note that intruders usually do this for profit, and they have several ways to monetize an intrusion: unauthorized access to online banking, encryption of important data on corporate servers followed by a ransom demand for its decryption, theft of personal data for the benefit of a competitor, and many others.
Attackers use various tools for intrusion, with phishing (delivering malware to workstations with the help of social engineering) topping the list. Preparing this type of online fraud takes a significant amount of time, as it involves designing malicious websites, emails, or instant messages tailored to the personal information of a particular user.
Despite the complexity of carrying them out, such attacks are profitable for hacker groups, so they are a common form of cybercrime. Ilya Sachkov, CEO of the Group-IB cyber-forensics agency, says that over the last six months alone, 12 large companies suffered data leaks with disastrous consequences. Russian companies are on criminals' radar too: in just one month, a single group of cyber-terrorists attacked more than 600 Russian resources.
Attacks may follow a standard scenario, but Softline specialists emphasize that the probability of success increases when specific tools or zero-day vulnerabilities are used. A familiar situation: an employee receives an email with interesting content (say, a clip) and opens it on their workstation. While they are watching the clip, a malicious program penetrates the corporate infrastructure. In most cases, antivirus software does its job and immediately detects the attempted system breach.
Targeted attacks differ significantly from such mass campaigns: they use individually crafted content and a personal approach to message delivery. The source of the link is not suspicious, because the hackers track the activity of an employee of the target company, find out whom they communicate with, and send the malware in the name of a friend or colleague. The recipient opens the link without suspicion, while the security systems do not recognize malware that has been tailored to the company's infrastructure. The program thus breaches the security perimeter and downloads additional modules that attack the system from the inside.
Of course, new generations of traditional security tools complicate the work of hackers and reduce the probability of a successful attack. Like the entire digital world, the threat landscape is changing dramatically. So-called "zero-day" threats are no longer a problem today. The world's leading cybersecurity vendors recommend next-generation firewalls to prevent targeted attacks; these combine standard firewall functionality (network filtering, VPN and NAT management) with deep packet inspection. Such technologies recognize payloads by known malware signatures, so a next-generation firewall can prevent viruses from penetrating the network.
Given the threats posed by sophisticated hacker activity, cybersecurity routines such as creating a unified security policy, controlling network traffic, and analyzing applications no longer seem redundant. Global leaders of the information security market are rolling out specialized tools to prevent targeted cyber-attacks. Kaspersky Lab, for example, has developed a dedicated platform to combat such threats, the Kaspersky Anti Targeted Attack Platform. By dynamically analyzing incoming data from sensors and collecting up-to-date information about new intrusions, this platform protects the system in real time.
Some Russian companies are successfully displacing the solutions of global vendors, not only in Russia but all over the world. Kaspersky Lab is the best-known domestic antivirus vendor. Another strong player in the cybersecurity market is InfoWatch, which develops software and hardware solutions for comprehensive cyber protection of enterprises against most types of threats, from targeted attacks to DDoS.
A comprehensive approach is required to identify and stop APTs (advanced persistent threats) successfully. Such a system must perform network activity control, application and file monitoring, and anomaly analysis.
Network segment monitoring detects abnormal network activity, such as connections from unfamiliar IP addresses or unusually large traffic volumes, and forwards these events to the anomaly analysis module.
The behavior of suspicious objects is also analyzed by running the file in an isolated virtual sandbox. The activity of a suspicious object is emulated on a copy of the company's IT infrastructure, and any attempt to create new files or change the system registry is detected in this sandbox.
When the anomaly analysis component detects a deviation from standard software behavior patterns, it correlates the anomaly with other unusual signals (for example, from the network) and determines whether the activity is a targeted attack.
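The three components just described (network monitoring, sandbox behavior analysis, and an anomaly module that correlates their signals per host) can be sketched as a small correlation engine. The following is an added illustration written for this page; it is not code from Kaspersky, InfoWatch, Group-IB or any other product named here. The event formats, the baseline of known peers and traffic volumes, the 15-minute correlation window, the signal weights and the scoring threshold are all assumptions made for the example, and the log events are constructed.

```python
"""Toy APT signal correlation: network monitor + sandbox -> per-host verdict.

Added example, not a vendor's code. All formats, thresholds and sample
events below are assumptions/constructed data for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline: peers the hosts normally talk to, and each host's
# typical outbound volume per flow (bytes). Assumed values.
KNOWN_PEERS = {"10.0.0.5", "10.0.0.9", "203.0.113.10"}
BASELINE_BYTES = {"ws-17": 50_000, "ws-22": 80_000, "ws-31": 30_000}
VOLUME_FACTOR = 10                    # assumption: 10x baseline = "large traffic"
WINDOW = timedelta(minutes=15)        # assumption: signals correlate within 15 min
THRESHOLD = 5                         # assumption: score needed for an attack verdict


@dataclass
class Signal:
    host: str
    ts: datetime
    source: str      # "network" or "sandbox"
    detail: str
    weight: int


def network_monitor(flows):
    """Flag flows to unfamiliar IP addresses or with unusually large volume."""
    out = []
    for f in flows:
        if f["dst"] not in KNOWN_PEERS:
            out.append(Signal(f["host"], f["ts"], "network", f"new peer {f['dst']}", 2))
        if f["bytes"] > VOLUME_FACTOR * BASELINE_BYTES[f["host"]]:
            out.append(Signal(f["host"], f["ts"], "network", f"volume {f['bytes']}B", 2))
    return out


def sandbox_monitor(reports):
    """Flag sandbox observations: file drops in system dirs, registry Run keys."""
    out = []
    for r in reports:
        for act in r["actions"]:
            if act["type"] == "file_create" and act["path"].lower().startswith(
                    ("c:\\windows", "c:\\programdata")):
                out.append(Signal(r["host"], r["ts"], "sandbox", f"dropped {act['path']}", 3))
            elif act["type"] == "registry_set" and "\\run" in act["key"].lower():
                out.append(Signal(r["host"], r["ts"], "sandbox", f"persistence {act['key']}", 3))
    return out


def correlate(signals, hosts):
    """Per host, score the best WINDOW-sized cluster of signals.

    Multiple independent sensors agreeing within the window earns a bonus;
    a single-sensor signal is reported as an isolated anomaly for review.
    """
    by_host = defaultdict(list)
    for s in signals:
        by_host[s.host].append(s)
    verdicts = {}
    for host in hosts:
        sigs = sorted(by_host.get(host, []), key=lambda s: s.ts)
        if not sigs:
            verdicts[host] = "normal"
            continue
        attack = False
        for anchor in sigs:
            cluster = [s for s in sigs if anchor.ts <= s.ts <= anchor.ts + WINDOW]
            score = sum(s.weight for s in cluster)
            sources = {s.source for s in cluster}
            if len(sources) > 1:
                score += 3          # assumption: corroboration bonus
            if len(sources) > 1 and score >= THRESHOLD:
                attack = True
        verdicts[host] = "targeted attack suspected" if attack else "isolated anomaly"
    return verdicts


def analyze(flows, reports):
    """Run both sensors and correlate; returns {host: verdict}."""
    hosts = {f["host"] for f in flows} | {r["host"] for r in reports}
    return correlate(network_monitor(flows) + sandbox_monitor(reports), sorted(hosts))


# Constructed sample events (not real telemetry).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_FLOWS = [
    {"host": "ws-17", "ts": T0, "dst": "198.51.100.77", "bytes": 900_000},   # new peer, big
    {"host": "ws-22", "ts": T0, "dst": "10.0.0.5", "bytes": 1_000_000},      # known peer, big
    {"host": "ws-31", "ts": T0, "dst": "10.0.0.9", "bytes": 10_000},         # nothing odd
]
SAMPLE_REPORTS = [
    {"host": "ws-17", "ts": T0 + timedelta(minutes=5), "actions": [
        {"type": "file_create", "path": "C:\\ProgramData\\upd.dll"},
        {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    ]},
]

if __name__ == "__main__":
    for host, verdict in analyze(SAMPLE_FLOWS, SAMPLE_REPORTS).items():
        print(f"{host}: {verdict}")
```

Only ws-17 gets the attack verdict, because its network anomaly (unknown peer, ten times the usual volume) and its sandbox findings (a DLL dropped under ProgramData and a Run-key change) land on the same host inside the window; ws-22's large transfer to a known peer is reported on its own for review, and ws-31 stays normal. The point is the one the paragraph makes: no single sensor decides, the correlation does.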
Nevertheless, preventing targeted attacks is difficult without proactive measures, which are also called cyber counterintelligence. Vendors offer easy-to-use tools for this task; for example, Group-IB positions Bot-Trek Intelligence as a subscription-based cyber-intelligence product. The system is easy to configure, and all work takes place in a web-based interface where you can review reports and head off emerging threats before they materialize, from infrastructure breach attempts to hacking activity initiated by partners or competitors. Of course, this product is that simple thanks to the experience of Group-IB's employees and their daily work on attack identification, analysis, and prevention.
The examples given above show that information security companies have the tools and experience needed to prevent targeted attacks. These systems are expensive to implement, but the potential losses from penetration of the corporate system are many times greater than the cost of security measures. However, cybersecurity experts often face difficulties that are not only technical but also psychological: the top managers of customer companies often do not believe targeted attacks are possible and, as a result, do not consider them a business threat. Therefore, Softline offers penetration testing of the customer's IT infrastructure. During the test, security experts analyze vulnerabilities and demonstrate targeted attacks. They then show the confidential information they have found, for example intercepted correspondence of top managers or stolen tender documents. These results usually make executives revise their cybersecurity policy and allocate resources for a set of measures to minimize such risks.