First a rogue email, then a careless click – and data theft

Cyber villains are spear-phishing with high-profile, high-value targets in their sights, warns Kevin Townsend

Internet cyber attacks can be random or targeted. Random attacks are by far the most prevalent, mainly because they are easy to do and can be largely automated. They don’t seek high value, they just go for a high volume of targets. Spam, scams and phishing campaigns are typical examples.

Targeted attacks are aimed at a specific person, company or organization – all high-value. “There are numerous motives,” explains David Emm, a senior security researcher at Kaspersky Lab. “These include theft of confidential data, cyber espionage, political or social protest and sabotage.”

Cyber warfare, an emotive term that is nevertheless accurate, is a clear example of targeted attacks: destructive malware, like Stuxnet and Wiper, designed to damage their prime target.

A targeted attack will usually involve one or more highly skilled cyber criminals. It will frequently, although not necessarily, be an advanced persistent threat attack (APT). There are many definitions of APT, but it is essentially a targeted attack by a competent and determined adversary willing to take as long as necessary to achieve their purpose. It is very difficult to defend against an APT attack.

Key to any attack is the initial breach. A study in late November by Trend Micro has shown that 91 per cent of all APT attacks are the result of a successful email-based spear-phishing attack, and that 94 per cent of those emails carried a malicious attachment. Clearly, the best way to combat a targeted APT attack is to understand and mitigate spear-phishing before the hackers get into the network.

Email spear-phishing is the use of personalised emails sent to an individual or small group of related individuals, engineered to persuade the recipient to open an attachment or click a link. It is part of what Trend Micro terms the pre-infiltration phase of a targeted attack.

First the attacker researches, or profiles, the target. This is relatively simple: Facebook, LinkedIn, Twitter and a simple Google search, reinforced by data scattered on the target’s website, will combine to provide a detailed personal picture. From this the spear-phishing email is constructed.

The content might be fashioned around an individual’s personal interests or a subject that will appeal to all of the target group – an internal salary review, perhaps. The sender address will be forged, and the malware disguised and attached. The hackers will have tested the malware against as many anti-virus products as possible and selected something with the greatest chance of remaining undetected.

The result is surprisingly successful, with Google and RSA (security, compliance and risk-management specialists) among the highest profile victims. “In the attack against RSA,” explains Scott Gréaux, a vice president at the PhishMe company, “the spear-phishers sent two different phishing emails to a group of employees over the course of several days. The subject line read ‘2011 Recruitment Plan’. One person’s curiosity duped him into opening the message and…” the rest is history.

In May, the Élysée Palace in Paris was breached and in October it emerged that the South Carolina Department of Revenue had been breached, with millions of social security details and hundreds of thousands of bank card details stolen. All these victims were initially breached by targeted spear-phishing.

Once a malicious attachment is opened, malware will enter the system and the post-infiltration phase begins. It is likely to start with the installation of a remote control program called a remote administration Trojan, or RAT, that will open a covert channel to the attackers. This allows the attackers to roam at will around the network, which they will do, but slowly and stealthily, gaining intelligence on the network infrastructure. They will learn what is stored where and, perhaps more importantly, how to steal and extract information without being discovered.

During this process, the hackers will likely find the keys to the front door – legitimate login credentials. “As detailed by a report on the South Carolina hack,” says Amichai Shulman, co-founder and chief technology officer at Imperva, “the attackers grabbed remote access credentials to obtain a simple, standard channel of access into the organisation. Using standard tools they explored the inside of the network looking for sensitive data and sent it out using standard file sharing services.” The longer the attackers can remain undetected, the more data they can steal.

But all this raises one major question: how can companies defend themselves against targeted attacks? It might appear as if traditional security is failing, but remember that we only hear about the few attacks that get through, not the unknown number that are stopped.

It is not that companies need different security; they need additional security tailored to these new threats. One emerging technology is anomaly detection from big data analysis. The theory is that all the organisation’s activity is monitored on a continuous basis. From this, a baseline of normal activity is developed, and anything subsequently anomalous to that baseline is highlighted, since it could be the activity of an intruder.
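To make the baseline idea concrete, here is an added example that is not part of the article or any vendor’s product: a small script that learns each user’s normal daily volume of data sent to external file-sharing services from constructed log lines and flags days that deviate from that baseline by more than three standard deviations, the kind of signal the exfiltration “using standard file sharing services” described above would leave. The log format, user names, dates, byte counts, baseline window and threshold are all assumptions made for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample log lines (not from the article): one record per user
# per day of bytes sent to external file-sharing services.
# Format: date,user,bytes_out
SAMPLE_LOG = """\
2012-10-01,alice,1200000
2012-10-02,alice,1350000
2012-10-03,alice,1100000
2012-10-04,alice,1250000
2012-10-05,alice,1300000
2012-10-06,alice,48000000
2012-10-01,bob,5000000
2012-10-02,bob,5200000
2012-10-03,bob,4900000
2012-10-04,bob,5100000
2012-10-05,bob,5000000
2012-10-06,bob,5300000
"""

def parse_log(text):
    """Return {user: [(date, bytes_out), ...]} in log order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, size = line.split(",")
        per_user[user].append((date, int(size)))
    return per_user

def build_baseline(records, window):
    """Mean and population std-dev of the first `window` records for one user."""
    sizes = [size for _, size in records[:window]]
    return statistics.mean(sizes), statistics.pstdev(sizes)

def find_anomalies(text, window=5, threshold=3.0):
    """Flag (user, date, bytes_out, z) where a day's volume exceeds the user's
    baseline by more than `threshold` standard deviations. Days inside the
    baseline window are used to learn 'normal' and are never flagged."""
    flagged = []
    for user, records in parse_log(text).items():
        mean, stdev = build_baseline(records, window)
        if stdev == 0:
            stdev = 1.0  # assumption: treat a perfectly flat baseline as unit spread
        for date, size in records[window:]:
            z = (size - mean) / stdev
            if z > threshold:
                flagged.append((user, date, size, round(z, 1)))
    return flagged

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_LOG):
        print("anomalous outbound volume:", hit)
```

Bob’s modest rise on the last day stays below the threshold, while Alice’s 48 MB day is flagged; in practice the baseline would be relearned continuously rather than fixed to the first five days.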

The fact remains, however, that prevention is always better than cure. With 91 per cent of such attacks starting from a spear-phishing email, defence against spear-phishing has to be a priority.

While there are security products that will help, the bottom line here is user education. “Organisations must pay attention to the human factor in security,” says Kaspersky Lab’s Mr Emm. “Users need to learn how to recognise phishing and to stop over-sharing personal information online. It’s important to remember that security is not unlike housework – it’s only meaningful if you repeat the process at regular intervals.”