How do targeted attacks differ from common opportunistic attacks

If you are an information security professional, your main concern is protecting your company's data from unauthorized access of any sort; if you are a cybersecurity professional, your main concern is protecting that data from unauthorized electronic access. Both groups are charged with ensuring the confidentiality, integrity and availability (the CIA triad) of information, and for both it is the value of the data that matters most. Both are counted on to know which data is most critical to the organization so they can focus the right controls on it. In some scenarios, an information security professional helps a cybersecurity professional prioritize which data to protect, and the cybersecurity professional then determines the best course of action for protecting it.

In today's Internet world, it is wise and prudent to assume that your organization, whether small, medium or large, is being attacked electronically. Every Internet-facing organization is at risk, whatever its size. Your organization is likely being attacked, or even breached, right now, and you might not be aware of it. The majority of these cyber attacks are automated and indiscriminate, exploiting known vulnerabilities. Others, more menacing, target specific organizations.

Cyber security professionals leverage technologies, processes and controls designed to protect systems, networks and data from cyber attacks. Effective cyber security reduces the risk of a successful attack and protects organizations and individuals from the unauthorized exploitation of systems, networks and technologies.

According to the Cisco 2018 Annual Cybersecurity Report, there was an 11X increase in overall malware volume last year.

Security should therefore be top of mind across the enterprise, with a mandate from senior management. The fragility of the information world we now live in demands strong cyber security controls. Management should see that all systems are built to defined security standards and that employees are properly trained.

From 2016 to 2017 the number of newly discovered vulnerabilities per year rose by about 31%, according to the 2017 Vulnerability Trends report from Risk Based Security, a marked increase after only moderate rises over the prior three years.

Cyber Security Begins With Awareness & Training

All companies will experience some kind of cyber attack; there is no way around it, even with strong controls in place. An attacker will exploit the weakest link, and many attacks are easily preventable by performing basic security tasks, sometimes referred to as "cyber hygiene". People are very often the weakest element in a cyber security program. Training developers to code securely, training operations staff to prioritize a strong security posture, training end users: cyber security begins with awareness.

"A surgeon would never enter an operating room without washing their hands first. Likewise, an enterprise has a duty to perform the basic elements of cyber security care such as maintaining strong authentication practices and not storing sensitive data where it is openly accessible."

A good cyber security strategy needs to go beyond these basics, as the number of ways (or "vectors") an attacker can gain entry to a system is expanding for most companies. For example, criminals and nation-state spies now threaten the confidentiality, integrity and availability of cyber-physical systems such as cars, power plants, medical devices, even your IoT fridge.

These constant menaces to the enterprise fall into two categories: "opportunistic" and "targeted" attacks.

Opportunistic and Targeted Cyber Attacks

Opportunistic attacks target as many users as possible, using well-known vulnerabilities in popular technology stacks and products (e.g. WordPress) to find as many easy victims as possible with tried and tested exploitation methods. The attackers' prize is to make as much money as possible. Stealth is not the aim, as very often there is no point in trying to hide the damage done.

Targeted attacks are aimed at a specific application, system or organization, with a specific goal. Targeted attackers are known to be creative, often trying new tricks and methods outside the common ones, such as zero-day exploits. They are also patient, taking all the time necessary to study your technology stack to find a way to breach your systems and damage or steal high-value data. Targeted attackers pride themselves on being "silent but deadly", aiming to leave little or no trace of their entry.

Main categories of cyber security focus

1. Network Security

Network security guards against unauthorized intrusion as well as malicious insiders. Ensuring network security often requires trade-offs. For example, access controls such as extra logins might be necessary, but slow down productivity.

A further issue is that the tools used to monitor network security generate a lot of data, so much that valid alerts are often missed. To manage network security monitoring better, security teams are increasingly using machine learning and anomaly detection to flag abnormal traffic and alert on threats in real time.
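As an added illustration (not code from the original article), the following Python builds a per-host baseline from a constructed daily outbound-traffic summary and flags hosts whose volume today deviates sharply from their own history. It uses a robust z-score (median and median absolute deviation) rather than a mean, so one naturally noisy build server does not inflate everyone's baseline. The host names, volumes, baseline length and the 3.5 threshold are assumptions chosen for the example.

```python
"""Flag hosts whose outbound traffic today is abnormal relative to their own history.

Added example, not from the original article. Robust z-score (median / MAD)
so a legitimately bursty host does not distort the baseline of quiet ones.
"""
import statistics
from collections import defaultdict

# Constructed sample: (day, host, megabytes sent to the internet) from a daily
# flow summary. Day 8 is "today"; days 1-7 are the baseline window.
FLOW_SUMMARY = [
    (1, "ws-12", 21), (2, "ws-12", 24), (3, "ws-12", 19), (4, "ws-12", 26),
    (5, "ws-12", 22), (6, "ws-12", 23), (7, "ws-12", 25), (8, "ws-12", 900),
    (1, "build-01", 300), (2, "build-01", 950), (3, "build-01", 120),
    (4, "build-01", 700), (5, "build-01", 480), (6, "build-01", 1100),
    (7, "build-01", 260), (8, "build-01", 1200),
    (1, "db-02", 5), (2, "db-02", 5), (3, "db-02", 5), (4, "db-02", 5),
    (5, "db-02", 5), (6, "db-02", 5), (7, "db-02", 5), (8, "db-02", 12),
    (8, "new-host", 400),  # first day seen: no baseline, must not be scored
]

MAD_SCALE = 1.4826      # scales MAD to a standard-deviation equivalent (assumed constant)
MIN_SPREAD_MB = 1.0     # floor so a host with a constant history cannot divide by zero
MIN_HISTORY_DAYS = 5    # refuse to score a host with too little baseline


def split_history(rows, today):
    """Partition rows into per-host baseline lists and today's value per host."""
    history = defaultdict(list)
    current = {}
    for day, host, mb in rows:
        if day == today:
            current[host] = mb
        else:
            history[host].append(mb)
    return history, current


def robust_score(history, value):
    """Signed robust z-score: how many scaled MADs above its median 'value' sits."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    spread = max(MAD_SCALE * mad, MIN_SPREAD_MB)
    return (value - med) / spread


def flag_anomalies(rows, today, threshold=3.5):
    """Return {host: (score, flagged)}; score is None when there is no usable baseline."""
    history, current = split_history(rows, today)
    results = {}
    for host, mb in current.items():
        past = history.get(host, [])
        if len(past) < MIN_HISTORY_DAYS:
            results[host] = (None, False)   # do not guess without a baseline
            continue
        score = robust_score(past, mb)
        results[host] = (round(score, 1), score > threshold)
    return results


if __name__ == "__main__":
    for host, (score, flagged) in flag_anomalies(FLOW_SUMMARY, today=8).items():
        print(f"{host:9s} score={score} {'ALERT' if flagged else 'ok'}")
```

Run as a script it reports ws-12 (about 296 scaled MADs above its median) and db-02 (7.0) as alerts, leaves build-01 at 2.2 because its history is already wide, and reports new-host with no score at all. Alerting on the score rather than on raw volume is what lets a quiet database host sending 12 MB rank above a build server sending 1.2 GB; the window and threshold would be tuned against real historical data before the logic is trusted in production.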

2. Critical infrastructure

Critical infrastructure includes the cyber-physical systems that society relies on, including the electricity grid, water purification, traffic lights and hospitals. Plugging a power plant into the internet, for example, makes it vulnerable to cyber attacks.

The solution for organizations responsible for critical infrastructure is to perform due diligence to understand the vulnerabilities and protect against them. Everyone else should evaluate how an attack on critical infrastructure they depend on might affect them and then develop a contingency plan.

3. Cloud security

The enterprise's move into the cloud creates new security challenges. For example, 2017 saw almost weekly data breaches from poorly configured cloud instances. Cloud providers are creating new security tools to help enterprise users better secure their data, but the bottom line remains: moving to the cloud is not a substitute for performing due diligence when it comes to cyber security.

4. Application security

Application security (AppSec), especially web application security, has become the weakest technical point of attack, yet few organizations adequately mitigate all of the OWASP Top Ten web vulnerabilities. AppSec begins with secure coding practices and should be augmented by fuzzing and penetration testing.
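To make the secure-coding point concrete, here is an added example (not code from the original article) showing the most common OWASP Top Ten flaw, SQL injection, in a login query, beside the parameterized version that closes it. It uses an in-memory SQLite database so it runs offline; the table, the user "alice", her password, the salt and the injection payload are all constructed for the demonstration.

```python
"""Vulnerable login query beside its parameterized replacement.

Added example, not from the original article. SQLite in-memory is used so it
runs offline; the user, password and salt are constructed for the demo.
"""
import hashlib
import hmac
import sqlite3

SALT = b"demo-salt"  # constructed; real code uses a random per-user salt


def hash_password(password: str) -> str:
    """PBKDF2-SHA256 with a fixed salt, sufficient for the demonstration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hash_password("correct horse battery staple")))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """BEFORE: user input is pasted into the SQL text, so the query is attacker-controlled."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password_hash = '{hash_password(password)}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username: str, password: str) -> bool:
    """AFTER: bound parameter for the lookup; the hash is compared in code, in constant time."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_password(password))


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"   # the '--' comments out the password clause in the vulnerable query
    print("vulnerable, injected:", login_vulnerable(conn, payload, "anything"))   # True
    print("safe, injected:     ", login_safe(conn, payload, "anything"))          # False
    print("safe, real creds:   ", login_safe(conn, "alice", "correct horse battery staple"))  # True
```

With the payload as the username, the vulnerable query becomes `... WHERE username = '' OR 1=1 --' AND password_hash = '...'`, so the password clause is commented away and the count is non-zero. In the hardened version the same string is just a username that does not exist; the query text never changes, and the hash comparison happens in Python rather than in SQL.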

5. Internet of things (IoT) security

IoT refers to a wide variety of critical and non-critical cyber-physical systems, such as appliances, sensors, printers and cameras. IoT devices frequently ship in an insecure state and receive little or no security patching, posing a threat not only to their users but also to others on the internet, as these devices often end up as part of a botnet. This poses unique security challenges for both home users and society.

Common opportunistic and targeted attacks, as well as the focus of security teams, fall under the three general categories of the CIA triad:

1. Attacks on confidentiality: Stealing, or rather copying, a target's personal information is how many cyber attacks begin, including garden-variety criminal attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Nation-state spies make confidentiality attacks a major portion of their work, seeking to acquire confidential information for political, military, or economic gain.

2. Attacks on integrity: Also known by its common name, sabotage, integrity attacks seek to corrupt, damage, or destroy information or systems, and the people who rely on them. Integrity attacks can be subtle — a typo here, a bit fiddled there — or a slash and burn campaign of sabotage against a target. Perpetrators can range from script kiddies to nation-state attackers.

3. Attacks on availability: Preventing a target from accessing their data is most frequently seen today in the form of ransomware and denial-of-service attacks. Ransomware encrypts a target's data and demands a ransom to decrypt it. A denial-of-service attack floods a network resource with requests, making it unavailable.

Here are three major ways these attacks are carried out: social engineering, phishing, and unpatched software.

Social engineering

Socially engineered malware, often used to deliver ransomware, is the No. 1 method of attack (not a buffer overflow, misconfiguration, or advanced exploit). An end user is tricked into running a Trojan horse program, often from a website they trust and visit often.

Phishing attacks

Sometimes the best way to steal someone's password is to trick them into revealing it, which accounts for the spectacular success of phishing. The best defense is two-factor authentication (2FA): a stolen password is worthless to an attacker without the second factor, such as a hardware security token or a soft-token authenticator app on the user's phone. One caveat: a real-time phishing proxy can relay a one-time code the victim types, so origin-bound hardware tokens resist phishing better than codes entered by hand. Advances in public-key-based passwordless authentication also show promise in replacing passwords altogether.
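The following is an added example (not code from the original article) of the password-plus-second-factor check described above, with the second factor implemented as a time-based one-time password per RFC 6238 and RFC 4226. The user store, the user "alice", her password and the salt are constructed for the demonstration; the TOTP secret is the RFC 6238 reference secret, so the generated codes can be checked against the RFC's published test vectors. It also records the last accepted time step so a code that has already been used is rejected, which stops replay of a phished code but, as noted above, not a proxy relaying it in real time.

```python
"""Password + TOTP second factor (RFC 6238 / RFC 4226).

Added example, not from the original article. The user record, password and
salt are constructed; the TOTP secret is the RFC 6238 reference secret.
"""
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30          # seconds per code
TOTP_DIGITS = 6
TOTP_WINDOW = 1         # also accept the previous and next step to absorb clock skew
SALT = b"demo-salt"     # constructed; real code uses a random per-user salt


def hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def hotp(key: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float) -> str:
    """Code for the 30-second step containing at_time (what the authenticator app shows)."""
    return hotp(key, int(at_time) // TOTP_STEP)


def verify_totp(key: bytes, code: str, now: float, window: int = TOTP_WINDOW):
    """Return the time step whose code matches, or None. Every candidate is compared
    with hmac.compare_digest so timing does not reveal which step (if any) matched."""
    counter = int(now) // TOTP_STEP
    matched = None
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), code):
            matched = c
    return matched


# Constructed user store; last_step tracks the newest TOTP step already consumed.
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",   # RFC 6238 reference secret
        "last_step": -1,
    }
}


def login(username: str, password: str, otp_code, now: float = None) -> bool:
    """Both factors must pass; a phished password alone is not enough."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    if rec is None:
        return False
    if not hmac.compare_digest(hash_password(password), rec["pw_hash"]):
        return False
    if not otp_code:
        return False
    step = verify_totp(rec["totp_secret"], otp_code, now)
    if step is None or step <= rec["last_step"]:
        return False            # wrong or expired code, or replay of an already-used code
    rec["last_step"] = step
    return True


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    pw = "correct horse battery staple"
    print(totp(secret, 59))                         # 287082 (RFC 6238 SHA1 vector, 6 digits)
    print(login("alice", pw, None, now=59))         # False: password alone is not enough
    print(login("alice", pw, "287082", now=59))     # True
    print(login("alice", pw, "287082", now=59))     # False: same code replayed
    print(login("alice", pw, "287082", now=400))    # False: code from an expired step
```

The RFC 6238 vectors give 94287082 at T=59 and 07081804 at T=1111111109 for SHA-1, so the six-digit codes are 287082 and 081804. The replay check is per user and monotonic: once a step has been accepted, any code from that step or an earlier one is refused even though it still falls inside the skew window.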

Unpatched software

It's hard to blame your enterprise if an attacker deploys a zero-day exploit against you, but failure to patch looks a lot like failure to perform due diligence. If months and years pass after disclosure of a vulnerability, and your enterprise has not applied that security patch, you open yourself to accusations of negligence. Patch, patch, patch.

Conclusion

For all enterprise organizations, cyber security should be approached as a business practice, not as a set of point solutions. Even the most resilient organizations need to be proactive and ever-vigilant. Cyber attacks can disrupt your organization, cause considerable and even catastrophic damage to its financial well-being, wreak havoc on your company's brand and destroy a long-cultivated reputation. Being clear about the ways your company, large or small, is vulnerable is both wise and prudent. Although 45% of small to medium enterprises believe they are not a viable target, do not assume that yours is not. No company is attack and "breach free".

These opportunistic and targeted attacks are not reserved for large enterprises; small and medium-sized enterprises face them too. Because enterprises of all sizes face the clear and present threats of loss of assets, damage to reputation, loss of business revenue and customer base, potential regulatory fines, costly litigation and expensive reactive remediation, it is imperative to exercise due diligence and to formally approach cyber security as a core business practice that embraces a realistic appreciation of these ever-present attacks and threats.

Where are your risks?

Reach out to Jack Fitzpatrick, an Information Security and Compliance Thought Leader with over 30 years of experience, for more information on why cyber security is critical to your organization's success.
Along with speaking and writing, he enjoys spending time with his wife and children in Milton, Georgia.

What are targeted attacks?

A targeted attack is a threat in which threat actors actively pursue and compromise a specific target entity's infrastructure while maintaining anonymity. These attackers have a certain level of expertise and sufficient resources to conduct their schemes over a long period.

What is an opportunistic attack?

In contrast to a targeted attack, an opportunistic attack involves malware that is distributed in large numbers for anyone to download or injected into websites for anyone to access. Well-known methods are email and exploit kits.

What are the different types of attacks?

Common types of cyber attack include malware attacks, password attacks, phishing attacks, and SQL injection attacks.

What are targeted email attacks?

Spear phishing is a targeted email attack purporting to be from a trusted sender. In spear phishing attacks, attackers often use information gleaned from research to put the recipient at ease.