OPINION: What does a targeted attack look like? A good one looks like the documents you read all day long.
You read a lot about "limited, targeted attacks" in news about
vulnerabilities. It means that attacks using the vulnerability have
been observed in the wild very, very few times, like you could count
them on one hand. These are usually very high-quality attacks, not the
usual garbage you pick right up on.
How good are they? Check out this blog from F-Secure to see how good.
It contains screen shot examples of targeted attacks it has observed in
the wild. I've seen a few over the years provided by other sources and
these seem right in line with those.
They all look like respectable business documents. In many cases,
they are customized to the company being targeted. Here, in a broad
sense, is how they go about it: Drill through the company's Website to
learn anything you can about the names of executives. Read the Wall
Street Journal and other business publications and just Google around
to learn more about them. Often you can find out, perhaps from case
studies, what products they use. Look at their help wanted ads (not as
many of those as there were a year ago, but you can find them) because
these will also often list software products the company uses. Check
support forums at major software company sites because that will also
often divulge not just products, but versions of products that they are
In fact, look at the ideas above and you might get the impression
that insiders, either at the company itself or at support
organizations, are responsible for some of these attacks. You probably
can't prove it, but it makes sense. We hear all the time about how
people will sell their password for a chocolate bar; if someone offered
$50 for the details of product versions in use at the company, perhaps
even some innocuous business documents, I'm sure lots of people would
take it. Not that there's all too much to learn; as F-Secure says,
almost all of these documents are in the old Office formats (DOC, XLS,
PPT) or PDF, meaning that even without checking at all your odds of a
hit are very high.
Even just with some vice president names pulled off the Website and
other publicly available documents you can construct documents like
those in the F-Secure blog. Armed with this and a true zero-day attack
and I imagine the odds that you can get someone to read the document on
their business PC are high, and then you're in. But as we know, lots of
companies are slow to update software, so a PDF vulnerability from a
few months ago also gives you good odds of penetration. You've
compromised the company inside the network. If the company gives
Administrator privileges to their users, too often the case, then you
have complete control over the system. You can install software,
disable security software, search for the really sensitive documents,
and begin to attack the other systems from the privileged comfort of
your victim's PC.
What's the lesson of all this? Part of the lesson is that standard
business practices are not enough and that a determined and talented
attacker can get through almost any set of defenses. It's also an
argument, in a way, for DLP (Data Loss Prevention), because (if it
works as intended) that's one way to detect a compromised PC when they
try to e-mail confidential documents out of the network.
DLP is a neat idea and I'm all for it once someone shows me that it
really works, but I think the biggest lesson of this is that you need
to do the things that you know you can: patch known vulnerabilities
quickly, adopt newer and more secure versions of programs such as
Office, and run users with least-privileged access. None of these will
guarantee that targeted attacks can't get through, but they will thwart
the large majority of them.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.