Moving the mark: adopting the right defences against targeted attacks


All too often, cybersecurity can feel like an arms race between the good guys and the bad guys, with both sides racing to leverage the latest technologies, tools and tricks to bolster or undermine the defences of our devices, networks and organisations.

We’ve seen the kind of critical impact that major attacks like WannaCry and Petya can have on businesses, and while increased pressure and data regulation push organisations to take responsibility for their security in today’s cyber landscape, each and every business faces an ever-changing set of threats.

But staying protected is sometimes easier said than done. Even comprehensive, multi-layered cyber defences can be a step behind the sharpest attacks out there. Firewalls, email security and endpoint protection all guard against a wealth of threats and malicious activity, but they cannot always detect a well-crafted and carefully orchestrated attack intended to slip right under the radar.

Targeted attacks

This is the challenge we face with targeted attacks: planned attacks directed at specific targets. They may be lower in volume than widespread or indiscriminate attack campaigns, but this year’s Internet Security Threat Report (ISTR Vol. 23) from Symantec showed that the number of targeted attacks is on the rise, and their sophisticated tactics can leave organisations overmatched and underequipped.

Broadly speaking, targeted attacks are nothing new. These complex operations are typically the work of organised groups with time, resources and dedication. Often state-sponsored actors or cybercrime gangs, their motivations are primarily corporate espionage, financial gain or even sabotage. Combine those intentions with well-selected attack vectors, rapidly changing toolsets, strong operational security and careful movement across the network to avoid detection, and these attacks become some of the most complex cyber threats enterprises face today.

Some of the more infamous targeted attack groups have been hitting the headlines recently. But groups like Lazarus (the group behind the 2014 Sony attacks and the WannaCry ransomware) and Dragonfly (the espionage group that gained access to operational systems at energy facilities across the US and Europe) are just the tip of the iceberg. There are currently 140 targeted attack groups known to Symantec, with an average of 29 new groups being revealed every year over the past three years.

Gathering intelligence

So groups are on the rise, but what are they actually doing? The most prevalent motive is intelligence gathering, with 90 percent of groups stealing information or engaging in spying and surveillance. While we’ve seen some highly disruptive attacks in recent years, only 11 percent of these groups are believed to have disruption as a goal.

However, this doesn’t make targeted attacks any less concerning. There’s no single outcome for a targeted attack, and each organisation faces its own challenge in matching its security risk posture to the threats posed by attack groups. So how do you defend against a targeted attack when each one is a complex and unknown danger in itself? These groups constantly employ social engineering, new exploits and “living off the land” techniques (abusing legitimate tools and credentials already present on the victim’s systems) to bypass nearly everything the security industry has thrown at them.

The result is a long cat-and-mouse game of intelligence and counterintelligence, requiring real commitment, knowledge and resources to uncover the threat. But the solution isn’t always more layers of security. While better protection across every vector makes sense, each new security measure tends to become another isolated control point with its own telemetry, creating a headache of endless, disconnected data feeds and an abundance of monitoring and system alerts that can end up obscuring a clear picture of what’s happening on the network. New solutions talk about suspicious behaviour and anomaly detection, but they don’t actually prevent the attack. Targeted attacks are precisely intended to be a needle in the haystack, and a solution that “might detect” them is not a solution to the problem.

This leaves organisations in a difficult position: they can’t ignore the threats posed by targeted attacks, but they’re often not equipped for the fight, wasting time chasing false alarms while attackers covertly exfiltrate data.

AI to the rescue

Recently, artificial intelligence has emerged as an area that could help organisations step up to this challenge and change the rules of play around targeted attacks. Advanced machine learning technologies are already bolstering protection against sophisticated threats, but recognising and reacting to targeted attacks has also required a wealth of human expertise and experience. Responding to the threat of targeted attacks calls for a combination of the two: bringing together the power of AI and human expertise.

At Symantec, this was the fundamentally new approach behind our Targeted Attack Analytics (TAA) platform: a joint effort between our Attack Investigation Team, responsible for uncovering the likes of Stuxnet, Regin and Lazarus, and top data scientists on the leading edge of machine learning research.

By leveraging the Integrated Cyber Defence Platform and applying advanced machine learning across all data and control points at once, the TAA system is able to cut through the noise of system alerts and false positives to uncover real targeted activity on the network, and to provide real-time analysis to counter some of the craftiest tactics used by attack groups before they do any major damage to the organisation in question.

Just last year, Symantec used this very technology to uncover the resurgence of Dragonfly, the group I mentioned that had the ability to sabotage energy facilities. Since then, the TAA technology has gone on to detect more than 1,600 targeted attacks. Most recently, it has uncovered threats like the Emotet malware, a particularly challenging threat with worm-like capabilities that let it spread throughout an entire organisational network.

Targeted attacks will of course always exist in some capacity, and their ever-changing tools and tactics will always give them a head start. But these leaps in more responsive defences mean a new state of play: organisations will be able to save precious time to focus on higher priorities, such as improving their overall cyber hygiene or hardening their security environment, and targeted attackers won’t be able to hide any longer.

Darren Thomson, CTO & Vice President EMEA at Symantec 

Darren Thomson

Darren Thomson is CTO & Vice President for the EMEA Region at Symantec, responsible for delivering technical strategy for customers and partners across the region. Darren heads the CTO office, driving the liaison between the global Research Labs, Symantec Ventures and the field organisation in EMEA.

He is an experienced IT professional and senior business leader with broad and well-balanced technical capability, leadership skill and business acumen as well as extensive experience in managing global teams and projects.