You read a lot about “limited, targeted attacks” in news about vulnerabilities. It means that attacks using the vulnerability have been observed in the wild very, very few times, like you could count them on one hand. These are usually very high-quality attacks, not the usual garbage you pick right up on.
How good are they? Check out this blog from F-Secure to see how good. It contains screen shot examples of targeted attacks it has observed in the wild. I’ve seen a few over the years provided by other sources and these seem right in line with those.
They all look like respectable business documents. In many cases, they are customized to the company being targeted. Here, in a broad sense, is how they go about it: Drill through the company’s Website to learn anything you can about the names of executives. Read the Wall Street Journal and other business publications and just Google around to learn more about them. Often you can find out, perhaps from case studies, what products they use. Look at their help wanted ads (not as many of those as there were a year ago, but you can find them) because these will also often list software products the company uses. Check support forums at major software company sites because that will also often divulge not just products, but versions of products that they are using.
In fact, look at the ideas above and you might get the impression that insiders, either at the company itself or at support organizations, are responsible for some of these attacks. You probably can’t prove it, but it makes sense. We hear all the time about how people will sell their password for a chocolate bar; if someone offered $50 for the details of product versions in use at the company, perhaps even some innocuous business documents, I’m sure lots of people would take it. Not that there’s all too much to learn; as F-Secure says, almost all of these documents are in the old Office formats (DOC, XLS, PPT) or PDF, meaning that even without checking at all your odds of a hit are very high.
Even just with some vice president names pulled off the Website and other publicly available documents you can construct documents like those in the F-Secure blog. Armed with this and a true zero-day attack and I imagine the odds that you can get someone to read the document on their business PC are high, and then you’re in. But as we know, lots of companies are slow to update software, so a PDF vulnerability from a few months ago also gives you good odds of penetration. You’ve compromised the company inside the network. If the company gives Administrator privileges to their users, too often the case, then you have complete control over the system. You can install software, disable security software, search for the really sensitive documents, and begin to attack the other systems from the privileged comfort of your victim’s PC.
What’s the lesson of all this? Part of the lesson is that standard business practices are not enough and that a determined and talented attacker can get through almost any set of defenses. It’s also an argument, in a way, for DLP (Data Loss Prevention), because (if it works as intended) that’s one way to detect a compromised PC when they try to e-mail confidential documents out of the network.
DLP is a neat idea and I’m all for it once someone shows me that it really works, but I think the biggest lesson of this is that you need to do the things that you know you can: patch known vulnerabilities quickly, adopt newer and more secure versions of programs such as Office, and run users with least-privileged access. None of these will guarantee that targeted attacks can’t get through, but they will thwart the large majority of them.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.