The Way Business Is Moving
Issue Date: February 2008

Protection in corporate networks against targeted attacks

21 February 2008

Unlike typical malicious code attacks, which aim to affect as many systems as possible, targeted attacks focus on a specific user.
There is a wide range of possible motives when cyber-crooks attack large corporations; these include financial theft on a grand scale, creation of botnets, theft of critical corporate information or even industrial espionage and sabotage. These types of attacks are frequently bankrolled by organised gangs or rival companies.
Large companies are also potentially vulnerable to targeted attacks aimed at blackmailing the victim. The criminals demand money in exchange for not launching, say, a denial of service (DoS) attack or similar against the company. However, these types of incidents invariably go unreported by these corporations in order to avoid collateral problems.
Currently, the main threat behind targeted attacks is customisation of the malicious code used to perpetrate them, such as Trojans. Even phishing, which usually involves mass-mailing of spoof messages, can be targeted. This is called spear phishing or targeted phishing, and it uses customised messages sent to specific targets, such as company employees.
Companies are facing a new type of attack orchestrated by cyber-criminals: combined attacks that use two or more malware variants. Moreover, the new types of malware are capable of updating themselves, making detection even harder.
The success of malware is based on combining an extensively used means of propagation, such as e-mail, with a large number of variants of malicious code. In this scenario, proactive technologies and the capacity to generate generic detections for entire malware families are the best strategies to keep waves of aggressive malware at bay.
Customisation of malware used in targeted attacks is aimed at exploiting the limitations of traditional antivirus systems. If a traditional antivirus signature file does not include a certain malicious code, it will not be able to detect it. As a result, threats can remain operative on systems for a long time.
Targeted attacks on companies can be external or internal. External attacks are typical hacker attacks which enter the corporate network by exploiting security flaws or configuration errors. However, internal attacks are more numerous. These attacks are conducted either by the company's own employees, who abuse their own privileges or acquire additional ones to access certain network resources, or by outsiders installing malicious code on one or several points on the network.
Before attacking a company, the attacker gathers information about the targeted user's responsibilities, habits or preferences. Then, not only do they create a malware specimen tailored to the characteristics of their victim, but they also use ingenious techniques to introduce it onto the target PC or group of PCs.
Although users may think their PCs are well protected, their security solution will not be able to detect the attacks, as hackers test this kind of malware against all the security products on the market to make sure it will not be discovered. As a result, the malware installed remains on the target PCs for weeks or even months, until it achieves its objectives.
Cyber-crooks that launch targeted attacks against large corporations want to take advantage of the chance to take control of the millions of computers that those companies have, and not just for the quantity but also for the type of information they can access. In any event, they face two challenges: to infect computers on corporate networks and to take control of zombie computers on those networks.
Most large companies have security teams to keep their networks safe, and all of them have different anti-malware products across different layers. This means hackers have to use a different approach to infect a company from the one they would use to infect a home user. To attack corporations, cyber-crooks use infected web pages and vulnerability exploits so that neither users nor administrators are aware of the infection.
Malware authors can modify their creations in a matter of minutes to bypass signature detection. Unless companies have other types of solution, such as behavioural-analysis tools, there is no way they can protect themselves, as no vendor can guarantee 100% detection.
Once attackers have managed to infect a series of computers, they can take control of these 'zombie' machines across the Internet. They change the bot's means of communication from IRC to HTTP. This way, they ensure an open communication channel with zombie computers.
There are other strategies used to introduce malware internally into corporate networks: directly by disgruntled employees, by taking advantage of software vulnerabilities, or by using social engineering techniques. The latter, tricking users into running malware-infected files, is the fastest and most effective. It also allows attackers to remain anonymous, as they can introduce their creations into victims' computers from a web e-mail account in an Internet café, for example.
How can you protect against these attacks?
Defence against targeted attacks must consist of three important aspects: an adequate security policy, training of network users, and use of the appropriate technological tools. The latter should also include computer and user network access control, management of software and hardware vulnerabilities and anti-malware solutions. Choosing the right anti-malware solution to use is fundamental, as its effectiveness against targeted attacks depends directly on the technologies it uses. Note that if an attack uses malware designed ad-hoc, or exploits software vulnerabilities that have not been detected by the corresponding vendor, the access control and security systems will not be effective.
As for anti-malware technologies, it is important to differentiate between reactive and proactive technologies. Reactive technologies can only work effectively if they have prior knowledge of the threats to detect; this is the case with traditional antiviruses. Proactive technologies, meanwhile, do not need to know a threat in order to block it. There are passive and 'smart' proactive technologies. For example, firewalls are passive proactive technologies, as they control traffic that passes through the system's communication ports and block it should they find anomalies in it, always according to certain specific rules. However, firewalls cannot determine whether the data that passes through them is malicious or not.
'Smart' proactive technologies, however, can detect and block threats by themselves without the need for updates. A very important aspect of these technologies is that they can protect computers automatically. They do not prompt users with questions, and they integrate seamlessly with any other security solutions on the market.
In any case, these technologies are not mutually exclusive, but complementary. Reactive technologies are still the most effective against known malware. Proactive technologies, however, are the best against unknown specimens.
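The contrast drawn above between reactive signatures, generic family detections and proactive behavioural rules can be shown on constructed data. The following Python is an added illustration, not code from the article or from Panda Security: the two "variants" are made-up byte strings standing in for two builds of one malware family, the family pattern and the runtime event trace are invented for the example, and the hostnames use the reserved `.invalid` domain.

```python
import hashlib
import re

# Constructed stand-ins for two builds of one malware family (not real
# binaries): between builds the author changed one byte of the function
# prologue and the C2 hostname, the minute-scale edit the text describes.
VARIANT_A = (b"MZ\x90\x00" + b"\x55\x8b\xec\x83\xec\x10"
             + b"c2=http://c2-a.example.invalid/gate.php;" + b"\x6a\x00\xe8")
VARIANT_B = (b"MZ\x90\x00" + b"\x55\x8b\xec\x83\xec\x20"
             + b"c2=http://c2-b.example.invalid/gate.php;" + b"\x6a\x00\xe8")

# Reactive signature: exact SHA-256 of the one sample the vendor has analysed.
KNOWN_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

def hash_detect(sample: bytes) -> bool:
    """Signature-file style check: only samples already seen are caught."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES

# Generic family signature: the stable prologue with a wildcard for the
# variable stack-size byte, followed by the C2 URL shape the family embeds.
FAMILY_PATTERN = re.compile(
    rb"\x55\x8b\xec\x83\xec.{1}.*?c2=http://[a-z0-9.-]+/gate\.php;", re.DOTALL)

def family_detect(sample: bytes) -> bool:
    """Generic detection for the whole family, unaffected by one-byte edits."""
    return FAMILY_PATTERN.search(sample) is not None

# Behavioural (proactive) rule over runtime events: persistence plus an
# outbound HTTP channel is flagged without knowing the binary at all.
def behaviour_detect(events) -> bool:
    """events: (action, detail) pairs as a sandbox or host agent would log."""
    persists = any(a == "registry_set" and "\\Run\\" in d for a, d in events)
    beacons = any(a == "http_post" for a, _ in events)
    return persists and beacons

UNKNOWN_EVENTS = [  # constructed trace of a never-before-seen build
    ("file_write", r"C:\Users\u\AppData\Roaming\svchost32.exe"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("http_post", "http://c2-c.example.invalid/gate.php"),
]

if __name__ == "__main__":
    print("variant A: hash", hash_detect(VARIANT_A), "family", family_detect(VARIANT_A))
    print("variant B: hash", hash_detect(VARIANT_B), "family", family_detect(VARIANT_B))
    print("unknown build by behaviour:", behaviour_detect(UNKNOWN_EVENTS))
```

The exact hash catches only the analysed build, the family pattern catches both, and the behavioural rule flags a third build it has never seen from its actions alone.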
The ideal, most effective security solution model is the one that integrates several technologies in a single solution. This model has many advantages. It increases the possibilities of detecting malicious code thanks to integration of multiple technologies. It reduces the chances of having the incompatibility problems that might arise if there were a solution installed for each type of malware. Finally, it increases return on investment (ROI), as it is not necessary to buy a different solution for each type of threat.
The increase in the number of targeted attacks is accompanied by a new phenomenon that has been affecting most corporate networks over the last few years: decentralisation of the perimeter. The proliferation of 'telework', as well as external access to network resources, has made the current definition of the perimeter somewhat dynamic and vague: laptops, palmtops, VPN connections, etc. However, each external connection is an opportunity for hackers to access the corporate network.
In this scenario, concentrating the network protection on some specific points should be avoided. Panda Security proposes a layered protection strategy that manages defence of the various network layers with solutions that integrate different technologies.
To prevent targeted attacks from having disastrous consequences for companies, they should guarantee implementation of adequate security measures. This way, they will not have to face the possibility that an intruder accesses their confidential information, causes financial loss, or harms their clients or reputation.
Jeremy Matthews is head of Panda Security (South Africa).
