88

It is often said that security tools such as firewalls, antivirus programs, etc. are only effective against random, untargeted attacks. If you are specifically targeted by an intentional, professional attacker (e.g. state sponsored, NSA, Chinese state attacker, or competitor looking to steal trade secrets) then most of these protections are useless. Is this true?

If it is true, then what tools or techniques make a targeted attack from a professional attacker different? Does the attacker have a significant advantage over me? What strategies can I employ to reduce the risk of a successful attack?

Ajedi32
user2174870
  • 21
    Yes, the real advantage is on the attacker's side. He has a larger budget and more time and people to dedicate to the attack than you have. Also, he has to win only once but you have to win every time. – dotancohen Oct 06 '14 at 09:29
  • 4
    It seems that at least a portion of this question (specifically, the part about defending against a targeted attack) is a duplicate of [How to best defend against Targeted Attacks?](http://security.stackexchange.com/questions/3681/how-to-best-defend-against-targeted-attacks) – Ajedi32 Oct 06 '14 at 13:42
  • 1
    If I were under attack by a determined attacker with a large budget, I would open negotiations. If the price is right he will get it delivered. – emory Oct 07 '14 at 00:53
  • @emory the attackers used as example in this question either are not in there for the money (so they just won't accept negotiations) or are there to steal your business (so _you_ can't negotiate with them). – o0'. Oct 07 '14 at 09:50
  • @Lohoris That statement could actually mean that they are offering to just sell them the data, rather than wasting both your and their money battling over it. – AJMansfield Oct 07 '14 at 23:15
  • 2
    I just want to add that these kinds of attacks are sometimes described as [Advanced Persistent Threat (APT)](https://en.wikipedia.org/wiki/Advanced_persistent_threat) – imgx64 Oct 08 '14 at 05:14
  • @AJMansfield there are many cases where you can't "just sell your data" to a competitor. – o0'. Oct 08 '14 at 07:33
  • @Lohoris everybody has their price. If you work for a publicly traded company and your enemy wants your stuff bad enough, they can buy your company. Security is not to keep the professional attacker out, but instead to convince them that it is cheaper to buy. – emory Oct 09 '14 at 00:07
  • 5
    When `state sponsored, NSA,` etc., are considered, there is a _potential_ for compromised embedded chips in various devices that help the attacker. That's one difference that's tough to quantify. – user2338816 Oct 09 '14 at 02:30

12 Answers

100

Disclaimer: I work at a company developing security software to mitigate against targeted attacks.

Some of the methods we use are similar to those used by attackers (when clients want to test their systems).

For example, one client asked us to test their security by doing targeted [spear] phishing attacks. We emailed only the IT department with a combination of 2 emails. One was an apparently mis-addressed email to the board with a link to a PDF named something like Executive bonus summary.pdf, the other purported to be a new external portal for the company to use during the Olympics ("Please check your domain credentials work correctly..."). With a quick search on social media, we could've made user-specific emails but that would be time-consuming and ultimately wasn't necessary.

We registered a domain name that was visually similar to the target's, then used it to host fake pages (styled identically to the real ones) and send DKIM signed emails (to avoid spam filters).

Of the techies targeted, 43% gave us their corporate login details, 54% tried to download the bogus pdf (the pdf was just garbage bytes so it looked like a corrupt download. One guy tried 5 times using Firefox, IE and finally wget).

We were told that only one user had detected the attack and reported it to management (but only after giving us their credentials).

So... Getting into the company is not impossible. As for getting information out, our normal sales pitch includes a demo of us bypassing company firewalls/traditional DLP. I don't believe we've ever failed unless they're air-gapped or using a good data diode (although the rate of exfiltration varies. In one case, we had a restrictive white-listing firewall, so had the software encode documents into images and keep updating a profile picture on Google. Then we watched the profile externally and downloaded each chunk).

That said, we've found time and again that software can be worked around but users are consistently the weakest link.

So to answer your question, a targeted attack includes the personal touch. Custom websites designed to trick users, research into what software (and release) is being used to check for known vulnerabilities, investigations on social media, social engineering, etc, etc.

Another one worth considering although less common is bribery/blackmail. If you're talking about state actors, it's not inconceivable.

Basic
  • 7
    Please tell me you heavily anonymized this information. – djechlin Oct 07 '14 at 08:25
  • @djechlin We tied link clicks to users. We didn't store passwords (except for the first/last character). Once the engagement was completed, we reported on the data and deleted our copies. The percentages above are from my recollection. – Basic Oct 07 '14 at 08:36
  • I mean things like, titles of files sent, and other things that might identify this material to a client. – djechlin Oct 07 '14 at 08:42
  • 1
    I don't get the point of the PDF. If it was called .PDF.EXE then you could blame the people for trying to download it anyway, but if it was "just a PDF" I'd say it was pretty normal for them to try. (sure there also are exploits in PDFs sometimes, but that's beside the point I guess) – o0'. Oct 07 '14 at 09:56
  • 12
    The reason for the PDF is specifically because it is pretty reliable as an attack vector for a genuine attack. – James Snell Oct 07 '14 at 10:50
  • Yes, PDFs were an exploitable attack vector at the time (less so with more recent clients but there are _still_ many vulnerable/unpatched versions around, especially in server-side software). @djechlin Ah, yes. I fudged the wording slightly, although the original was just as sensationalistic. – Basic Oct 07 '14 at 12:26
  • 6
    I once read, that some unicode characters reverse the display order of a string. So, when I read that the filename started with "exe" I assumed that this had been done here, and the file actually ended in ".exe" somehow. I was slightly disappointed. – M.Herzkamp Oct 08 '14 at 11:47
  • 2
    @M.Herzkamp It's a trick where the filename is defined in a right-to-left language, so visually it might be `exe.example.pdf`. See `Right to left mark` and `right to left override` in the Unicode spec. – Basic Oct 08 '14 at 16:10
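
The lookalike domain described in the answer above passes DKIM because the attacker signs mail for a domain they control, so the check a defender needs is a comparison of the sender domain against their own. This Python sketch is an added example, not code from the original post or its author; the domain `globex-mail.example`, the confusables map and the sample messages are constructed assumptions.

```python
import unicodedata

# Assumption: the one domain the organisation really owns (reserved .example name).
PROTECTED = {"globex-mail.example"}

# Constructed, deliberately small map of look-alike sequences -> plain form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o")]  # Cyrillic a, e, o


def skeleton(domain):
    """Fold a domain to roughly what a hurried reader sees."""
    d = domain.strip().lower().rstrip(".")
    try:  # show punycode (xn--) labels as the Unicode a mail client renders
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: keep as given
    d = unicodedata.normalize("NFKC", d).lower()
    for seq, plain in CONFUSABLES:
        d = d.replace(seq, plain)
    return d


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(sender_domain, protected=PROTECTED, max_distance=2):
    """Return why a sender domain resembles a protected one, else None."""
    raw = sender_domain.strip().lower().rstrip(".")
    if raw in protected:
        return None  # exactly our own domain
    seen = skeleton(raw)
    for own in sorted(protected):
        target = skeleton(own)
        if seen == target:
            return f"homoglyph of {own}"
        seen_name, _, seen_tld = seen.rpartition(".")
        own_name, _, own_tld = target.rpartition(".")
        if seen_name == own_name and seen_tld != own_tld:
            return f"tld-swap of {own}"
        if osa_distance(seen, target) <= max_distance:
            return f"near-miss of {own}"
    return None


# Constructed inbound mail: DKIM "pass" only proves the signing domain sent it.
MESSAGES = [
    {"from": "board@g1obex-mail.example", "dkim": "pass"},
    {"from": "helpdesk@globex-mail.example", "dkim": "pass"},
    {"from": "portal@globex-mail.test", "dkim": "pass"},
    {"from": "news@partner.test", "dkim": "fail"},
]


def triage(messages):
    """Flag look-alike senders regardless of the DKIM verdict."""
    flagged = []
    for msg in messages:
        reason = classify(msg["from"].rpartition("@")[2])
        if reason:
            flagged.append((msg["from"], reason))
    return flagged
```

The distance threshold of 2 is tuned for a long domain name; short names need a stricter threshold or an allow-list of known partners to keep false positives down.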
57

All of security can be boiled down to threat modeling, risk assessment, risk management, and risk mitigation. So no, defenses designed to protect against non-targeted attacks are not likely to do well against targeted attacks.

What makes a targeted attacker (or what you call a "professional attacker") different? Simply the intelligence and money they're willing to employ to attack you specifically.

So, yes, if someone is willing to spend the money and time and effort to attack you specifically, then they have an advantage. The strategy to defend would be to recognize that these sorts of attacks are a realistic threat scenario in your risk model, and implement controls to manage and mitigate these risks.

SilverlightFox
Xander
  • 22
    Additionally, the usual scenario for large global corporates is to assume that these attacks will succeed (eg Lockheed Martin 2011) so plan for either detecting them before too much damage is done, or limiting the effect of the attack (ie by segregating very sensitive areas entirely) – Rory Alsop Oct 05 '14 at 18:48
  • I can't see what new information is contained in this answer that wasn't already obvious from the question. – Tomáš Zato Apr 15 '16 at 08:49
27

The difference between a random attack and a targeted attack can be summarized nicely:

  • The attacker wants N number of remote nodes for DDoSing / Spamming / Phishing / etc.

or

  • The attacker wants XYZ data on user2174870's machine specifically.

If the attacker is just looking to build a botnet (>>99% of attacks) then simply being harder to crack than the next guy is usually enough. I try to shoot for two orders of magnitude harder to crack, and even then I employ IDS to know when I've been cracked. Hopefully.

However, if the attacker wants specifically your data, then the situation becomes an arms race and the only winning move is not to play (shutdown -h now). Short of turning the machine off, you must assume that the attacker has, depending on his resources, zero-day vulnerabilities for your application stack, network sniffers, malware on your other equipment that accesses the target box, and possibly $5 wrenches as well. Oh, and he's possibly staffed by 50 people smarter than you with unlimited budget. Doubly so if you have trade secrets, state secrets, or post disparaging comments about the ruler du jour.

I'll be honest, you cannot defend against the targeted attacks. You might be able to budget a significant portion of your [company|personal] budget to hire people that may stand a chance of holding out for a short period, but it won't last even then. Best to unplug the machine, and even that is no guarantee.

That said, don't "not be a target". Too many people afraid to be a target is what keeps the NSA in power. Be a smart target. If your speciality is political dissent, then don't try to win a war of technology. Recognize that your electronic communications are insecure and plan your dissent accordingly.

dotancohen
  • Your wikipedia link entitled 'that is no guarantee' doesn't seem to fit, and I'm not sure what it should link to. It makes no mention of hacking machines that are unplugged. – Tyzoid Oct 06 '14 at 02:31
  • 9
    Appelbaum is a well-known computer security activist who has been targeted by, amongst others, governments who have broken into his house to access his computers. – dotancohen Oct 06 '14 at 05:34
  • 1
    If your trade secret is worth $50000, could you defend it by spending < $50000? – djechlin Oct 07 '14 at 08:28
  • @djechlin: Not if your attacker thinks that the trade secret is worth $50000 * N and he is willing to spend 1/N the expected worth. I'm not sure if the details are public, but this reminds me of the Tu 144 development. It wasn't a computer breach, but it is _possible_ that the Russians spent more to steal the Concorde plans than they were worth. – dotancohen Oct 07 '14 at 09:23
  • 2
    @djechlin: Actually, I addressed the attacker's cost to attack, not your cost to defend. The cost to defend is, in software as in warfare, much more expensive than the cost to attack. – dotancohen Oct 07 '14 at 09:25
20

It would be totally different if you are targeted by state sponsored actors. If you are a high value target, they can employ not just hacking resources like zero-day malware, but also video surveillance, wire-tapping, bribing your friends, email spear phishing, keylogging, breaking into your house, or even kidnapping and torturing you just to obtain some information.

Take a look at the amount of resources that CIA use to hunt down Osama Bin Laden even when he has no direct access to the Internet or telephone line. The only strategy is to not paint yourself into a target.

Question Overflow
13

Usually the most annoying place to try penetrating is a completely custom system on a completely custom kernel (no familiar commands, io paradigms, process management infrastructure, etc. -- these things exist in some form, of course, but only on the one system/target and you have no insight). Lucky for penetrators there are very few of those in the wild.

The inverse is also generally true: The most difficult attacks to defend against (or even detect) are the completely custom ones. Nearly all systems in common use adhere to a "default yes" policy at least somewhere in them for the sake of usability as users reject anything actually secure because "actually secure" also tends to mean "rip-your-hair-out frustrating to use". This being a given, and it also being a given that most attackers do not have time to do anything but use existing tools and frameworks, the common security tools available to us are built around the majority attack case: an attack based on commodity cracking tools.

A fully custom attack (that is well executed) will lack all of the telltale signs that commodity defensive tools look for, leaving you often with a limited window of opportunity to catch wind of an attack beginning based purely on heuristics (themselves often based merely on (y)our best understanding of what "normal" historical network or system resource patterns should be). This window closes once the system is rooted, of course, as the detection tools in use are usually the first thing to receive a malicious upgrade.

But the expense of this sort of advanced attack is immense. You have to either be enormously unlucky or enormously valuable as a target to be the subject of such attention. This cost is comparable to the cost of deploying a fully custom system (the cost of a custom system is usually higher, of course, but ameliorated by the deployment base -- the economics of an attack are exactly inverse to this). The cost of security is always balanced something along the lines of:

  • Annoyance that actual security brings
  • The fiscal/effort/time cost of developing a serious defense

VS

  • The criticality of an actual attack of type X

Considering how many systems assume things like http -> https redirects, DNS, IPSec, any-of-the-bajillion-bogus-CAs-in-IE, etc. are impossible to compromise (har har!) it certainly appears that the criticality element is given very little weight. Hence late-patched commodity systems with the barest of minimal detection tools seem to generally be the order of the day. Anything you can do beyond that raises the cost in cracking you and even a government will move on to an easier target unless they have some specific reason to target you. Not very happy advice, I suppose, but it's the world we live in as of now.

zxq9
7

I will just answer in a quote from Jacob Appelbaum, about whom I probably don't have to talk.

During the first Congress on Privacy & Surveillance held at EPFL in Switzerland, Appelbaum said (I am transcribing):

"If the NSA wants to get into any machine or system in the world, we must assume that they are in."

fgysin
5

"Hacking" is easy. There are tools out there that'll provide a beautiful GUI for you to run any one of a library of exploits, tools that'll break into WiFi, run MiTM, etc. This, along with clumsy, generalized attempts at phishing and other social engineering, makes up a large part of non-targeted attacks. In short, they're unoriginal. This means that most good AVs will protect against most general attacks - which the attackers don't mind, because they just need to find someone without AV. An individual, targeted attack is much more dangerous, because a skilled attacker will not only examine the topography of your network and try to understand your security measures, they'll also observe your employees to try to figure out how to attack the so-called "8th layer" (people). One of the most infamous examples of this was Kevin Mitnick. I'm sure he was talented in the field of computers, but he truly excelled in social engineering - so much so that he once broke into a secure facility, GOT CAUGHT, and still managed to talk the security guard into letting him go.

AV companies HAVE all of the "hacking tools" out there, and they do their best to negate the risk posed to their clients. The attacks that stand a far better chance of working are the ones that someone tailors to get past YOUR firewalls, remain undetected by YOUR AV, and wipe YOUR logs when they're done.

KnightOfNi
5

Another angle I haven't found in the answers. http://lasec.epfl.ch/keyboard/

We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. We tested 12 different wired and wireless keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of our 4 attacks.

This is from a civilian research institute five years ago. Study the shielding standards listed http://www.wikiwand.com/en/Tempest_(codename) here.

chx
  • Tempest has been around for much longer than that. I was taught about it in the 90s (back then, you could read the image on CRTs) – Basic Dec 16 '14 at 00:42
4

It is technically possible to put enough controls in place to guarantee you won't be compromised from an IT perspective.

The extreme case is to shut off and remove all computer equipment. See? No computers means no computers will be compromised. OK, so how about we allow computers, but no networks: everything air-gapped. We're not guaranteed invulnerable, but we're close. OK, so how about we allow networks, but only on machines with no sensitive content and no persistent storage of any type. No downloads or execution of unsigned code. Or maybe allow downloads but retain application whitelisting. And so on.

There's a continuum of security between "Absolutely impenetrable and completely useless" to "extremely convenient and insecure as hell" with security always at odds with convenience. If a security measure isn't at odds with convenience, then it's not considered "security" -- you just call it "standard practice."

But here's the important point: Unless your IT security is a Home Depot-grade disaster, your weakest component is your people, not your systems. Security only works when it's actually implemented, and a company's systems rarely measure up to the company's own standards.

Also, social engineering always wins. Phishing is by far the most effective attack against hardened targets, and little is being done to mitigate that threat. The attacker has always had the advantage; the attacker has to win only once, while the defender has to win every time to stay secure. And social engineering means that the attacker can take the fight out of IT and exploit human interaction to gain his victory.

Yes, you can be secure, but it means treating your technology as hostile and your employees as attackers. It means putting up barriers to interactions and interoperation. It means disallowing the little things that people take for granted. And it means that your operation will pay a great price for that security. But it is possible.

tylerl
4

FWs, antivirus and other defenses geared around prevention can only effectively block attacks that are proven bad. I.e., if a certain type of traffic or a certain file is bad 100% of the time, it can effectively be blocked. While prevention tools may not help with more advanced threats, they have a use in blocking known bad traffic. There's a lot of bad traffic/files that needs to be blocked to effectively defend your organization. That is very valuable but not against advanced threats. It’s possible to create files that appear to be good and hide bad traffic in good traffic. That requires different defenses to detect.

When getting into state sponsored and advanced attacks, you need to approach things holistically. They may not need to target you directly to get your data if it’s housed elsewhere. If the 3rd parties you work with are easier targets, they’ll probably be the first ones attacked. This relies on you identifying the easiest way to obtain your data, and putting mitigations in place to manage that risk.

The best way to defend against advanced threats is to focus on detection. Attackers will get past preventative defenses, but their actions once on the network should be visible to you. This is where the defender’s advantage comes into play. Offense has the advantage in getting in because they only need to find one vulnerability to exploit. Defense has the advantage inside the network. This is your home field, you should know it well, there should be layers of defenses in place to slow down attackers giving you time to detect, isolate, and block them. Thinking holistically again, you should know the likely targets and weak points in your organization. They should have layers of mitigations in place around them.

Detection boils down to finding and detecting abnormal behavior. It’s possible that there was an alert for an attack that wasn’t found amongst the pile of other alerts. An attacker shouldn’t be able to erase their tracks within your network. Their activity is somewhere in your infrastructure, you need eyes to see that activity and the knowledge of your infrastructure to know where to look. An organization should have asset inventory to know when new devices are added, baselines to know what behavior is normal so abnormal behavior stands out, configuration management/monitoring to know when system files are being tampered with, network and host based monitoring to see traffic and activities, strong access controls to slow down lateral movement within your infrastructure, I think you get the point. The more controls you have the better your visibility is. See SANS Critical Security Controls. Inside your network, any attacker will have to leave evidence of their activities. It’s up to you to have tools in place to see those activities and know where to look.

Knowing nothing else about an attacker you can assume they’ll want to establish persistence once they get in, find data, and exfiltrate data. Getting in is where your defensive tools come in. Valid traffic needs to be allowed, leaving you to focus on how to expose an attacker that’s looking for data and exfiltrating data. Watch your likely targeted data and egress points. Those will be the easiest points to find them as an advanced attacker will do everything possible to blend into valid traffic and be invisible.

Paraplastic2
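
A minimal version of the baseline-and-egress monitoring this answer recommends, added here as an illustration and not part of the original answer: it learns each host's normal daily upload volume per destination and flags spikes and first-seen destinations, even when the destination is an allowed site. Host names, destinations, thresholds and flow records are all constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, internal host, external destination, bytes out).
FLOWS = [
    ("2014-10-01", "ws-014", "photos.example.net", 210_000),
    ("2014-10-02", "ws-014", "photos.example.net", 190_000),
    ("2014-10-03", "ws-014", "photos.example.net", 205_000),
    ("2014-10-04", "ws-014", "photos.example.net", 198_000),
    ("2014-10-05", "ws-014", "photos.example.net", 202_000),
    ("2014-10-01", "ws-022", "updates.example.org", 5_000_000),
    ("2014-10-02", "ws-022", "updates.example.org", 5_100_000),
    ("2014-10-03", "ws-022", "updates.example.org", 4_900_000),
    ("2014-10-06", "ws-022", "updates.example.org", 5_200_000),
    ("2014-10-06", "srv-db1", "files.example.com", 30_000_000),
    ("2014-10-06", "ws-030", "cdn.example.org", 2_000),
    # Many small uploads to an allowed site on the day under review.
] + [("2014-10-06", "ws-014", "photos.example.net", 2_000_000)] * 24


def daily_totals(flows):
    """Sum bytes out per (host, destination, day) so chunked uploads add up."""
    totals = defaultdict(int)
    for day, host, dest, sent in flows:
        totals[(host, dest, day)] += sent
    return totals


def find_egress_anomalies(flows, today, k=6.0, min_bytes=1_000_000):
    """Compare today's egress per host/destination with its own history.

    Baseline = median of earlier days; spread = median absolute deviation,
    floored at 10% of the median so a very steady host is not over-sensitive.
    Days without traffic are not part of the baseline (a simplification).
    """
    totals = daily_totals(flows)
    history = defaultdict(list)
    for (host, dest, day), sent in totals.items():
        if day < today:  # ISO dates sort chronologically as strings
            history[(host, dest)].append(sent)

    alerts = []
    for (host, dest, day), sent in sorted(totals.items()):
        if day != today or sent < min_bytes:
            continue  # ignore other days and trivially small transfers
        past = history.get((host, dest))
        if not past:
            alerts.append((host, dest, "new-destination", sent))
            continue
        base = median(past)
        spread = max(median(abs(x - base) for x in past), 0.1 * base)
        if sent > base + k * spread:
            alerts.append((host, dest, "volume-spike", sent))
    return alerts
```

Per-destination baselines are what make the chunked uploads visible: each 2 MB transfer to the allowed site looks ordinary on its own, while the daily total is far outside that host's history.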
3

To keep it as short and sweet as possible: (though I can add detail later if the community demands)


Random attacks

Generally target a specific vulnerability in a specific version of a specific software. The goal here is to try it against every machine possible and not every machine will have the vulnerability, and IDS/IPS solutions will not let the same type of attack be executed against the rest of their clients as soon as it is detected. This kind of "Hail Mary" attack will be quickly thwarted by the good guys.

Targeted Attacks

Are about the end goal which is generally one to a handful of computers that all belong to a specific entity. An attacker who is out to get you is going to spend time and money to gather information on all your hardware and software. They will buy the same equipment that runs your factory if they have to. They will spend countless hours looking for flaws in every single part of your system. Once they have found that flaw and tested it on their replica or emulation of your system they will execute it once and act fast because they know what they are after. This will likely go unnoticed in logs because it isn't popping up on hundreds of computers around the world, there are no scans happening on big ranges of IP addresses for an ISP to detect. Essentially the attack never happened unless you keep a very close eye on your logs and notice that some critical data was uploaded from your end that should not have been.


Aside: Unless you are very worth it an attack like this is unlikely to happen, but if it does it seems like the only possible thing you can do is detect it and not prevent it. But then again there are always ways around detection as well.

zenware
3

The techniques are the same as those of random, untargeted attacks. What IMHO really differentiates these kinds of attacks is:

  • available time
  • available money to buy undisclosed exploit
  • effort spent
  • attacked attack surface
  • post-exploitation works

Generally with random, untargeted attacks:

  • its effort in terms of time will be limited mostly to a single attempt
  • it will try to exploit a single aspect of your entire attack surface
  • Once the attacks succeed the job will be mainly done
  • it will be easier to clean the target of the attacks

Instead with a professional targeted attack:

  • its effort in terms of time will be longer and continuous over time
    • More than one person will be probably involved as attackers
  • the targeted attack surface will be the whole attack surface
    • every single weak point of the attack surface will be tested
  • Once it is able to break into your perimeter the job will not be done
    • the attacks will continue internally to guarantee further easy access
  • it will be really hard to deny further access to the systems/networks as after the break-in:
    • backdoors will be placed all around
    • credentials will be stolen
    • internal weaknesses and further knowledge of the network/systems will be gained, further increasing the attack surface (i.e. WAN of business partners, etc)
boos