by Gunter Ollmann, VP of Research at Damballa

Any organization that has suffered a network infiltration and subsequent data breach will, understandably, feel as though it has been targeted by the attacker. Somehow some intruder managed to penetrate their layers of defense, usurp control of vulnerable devices and sneak off with the electronic version of their crown jewels. It's not as if the attacker was some nitwit script-kiddie that inconveniently stumbled over a vulnerability just hours before it was about to be patched, right?

For as long as there have been people responsible for securing corporate network defenses and providing incident response to Internet intrusions, there have been "targeted attacks." Over the last half-decade, however, the term has basically become a default response to any kind of electronic breach. And more recently, designating a breach as the result of an advanced persistent threat (APT) is fast becoming synonymous with a "get out of jail free" card.

As corporations have invested substantially more money into securing their networks against Internet intrusions and refined their policies around patching and employee system use, there has been an expectation that any successful breach (if there were to be one) would only be due to an advanced attacker specifically targeting their corporate secrets. Unfortunately, this fallacy persists despite evidence to the contrary.

It is important to note that the forensic analysis of a breach, and the reconstruction of the attack timeline, is not a trivial task. Depending upon the distribution (and type) of security technology employed by the victim, any post-breach reconstruction will be biased toward the events the organization was capable of capturing internally, not necessarily the events that actually made up the attack. All too often, the evidence left behind after a breach is effectively a catalog of the attacker's failures, since the monitoring technologies alerted on the threats they were capable of detecting and blocking, rather than a record of the attacker's successful maneuverings.

With such selective event sampling, it is easy to understand why so many organizations reach a conclusion supporting a targeted attack theory. No one wants to be the victim of just another opportunistic attack; jobs (and necks) are on the line.

The execution of modern cyber-attacks and corporate breaches can effectively be divided into two distinct phases: the attackers and external events that led to the initial device compromises, and the events that occurred within the breached organization after the crimeware was updated. Much of the confusion behind labeling corporate intrusions as "targeted attacks" comes from assuming that these two phases are conducted by the same set of criminal operators. The label applied to an attacker generally implies an individual or a singular resolve, but in reality multiple professionals contribute their expertise to making an attack a success, as and where necessary.