Does 'targeted attack' sound more threatening than 'APT'?
Malware hits the Mac but is it worth worrying about?
Earlier this year, we looked at the 'advanced persistent threat' (APT) and what it meant for those in the line of fire.
The result from that report seemed to be that the term APT was too hard to understand, and subsequent conversations that I have had seem to underline that. I began to hear the term ‘targeted attack' used much more.
This may be because the words used are more to the point. After all, a targeted attack describes an attack which is targeted – not much to be confused about there.
Speaking at the Gartner security conference last week in London, Bradley Anstis, V-P, technical strategy, at M86 Security, said APT is generally used as a marketing term, while 'targeted attack' is more meaningful.
He said there are two types of targeted attack: server side, such as those against Sony and Citibank where reputational damage is one of the biggest costs; and client side, such as the attack against RSA, where the attacker goes after the employee to create a back door into the company.
Anstis said: “A zero-day flaw is discovered and exploited before a patch is available and that is when the vector is open to attack. You can look at the web channel, but do not forget about email; the best security is to stop it at the email channel.
“The bad guys are always a step ahead and we are reactive. There is no silver bullet, but a corrective layer of technologies – do not bet on a single technology to be safe.”
He suggested looking at URL filtering and ‘reactive' signature-based anti-virus to mitigate a client-side attack. “You can start detecting all content and start blocking websites, but some of these will be legitimate sites; it will be more critical to have layered reactive and proactive technologies,” he said.
“Before it gets into the network, look at a solution to make sure you can scan 100 per cent of content that the user is accessing. Having layers of technology is the right way.”
One such provider of layered security is FireEye. Its CEO and founder Ashar Aziz said that with an APT, it is the 'actor' that does the hacking; in the past, this was often state-sponsored, but a targeted attack is not designed to trip any wires.
He said: “Our August report showed that there were hundreds of attacks per week that were not targeted, but were dynamic and there was no signature to stop them.
“The same defence that stops targeted attacks will stop a non-targeted attack that is polymorphic and highly dynamic. From the perspective of the defender, it looks the same. We have seen samples of APTs and we see the command and control centre which has been from a nation state.
“However, attacks are the needle in the haystack of modern-day malware as they are highly dynamic, you rarely see them 24 hours later and they are not always targeted.”
Recently, Palo Alto Networks' CTO and founder, Nir Zuk, said anti-virus was impractical because it cannot detect targeted attacks. I asked him if he felt that the term 'targeted attacks' was better understood than APT. He said: “I think we can call it modern malware; the targets are not widespread any more, but cannot be protected against as attacks are widespread."
The concept of the targeted attack is to be low-scale, possibly with only one target in mind and to cause an incident with the minimum amount of disruption. John Pescatore, V-P, distinguished analyst, at Gartner, said the major advance in new threats has been the level of tailoring and targeting, as these are not noisy, mass attacks that are easily handled by simple, signature-dependent security approaches.
He said: “Targeted attacks aim to achieve a specific impact against specific enterprises and have three major goals: denial of service; theft of service; and to steal, destroy or modify business-critical information.”
David Harley, CEO of Small Blue-Green World, said everyone should be taking targeted attacks seriously.
He said: “In theory, a single targeted attack might be the entry point for an attack that leads to very serious consequences. Indeed, I don't believe that a threat can be measured purely in terms of the volume of attacks or infections, and if that's what Zuk was getting at, I'm in agreement.
“It is a key threat and it's one that tends to put anti-virus at a disadvantage if it's done ‘professionally'. It's just not the only threat. There are plenty of scenarios where anti-virus remains useful as part of a defensive strategy, but I cannot envisage many scenarios where I'd say that ‘anti-virus is all you need'.
“Actually, I don't see many scenarios where I'd say that any single technology is all anyone needs. Which is why I'm in research, not marketing.”
The fact is that there is no silver bullet solution to stopping a targeted attack, though vendors would have you believe that theirs is the one to stop the most prevalent and sophisticated.
Pescatore said: “Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter, or more quickly react to, evolving threats, and not focus on what country the attacks are coming from.”
This is something to take seriously, but isn't that the case with everything out there?