by Gunter Ollmann, VP of Research at Damballa
Any organization that has suffered a network infiltration and subsequent data breach will, understandably, feel as though it has been targeted by the attacker. Somehow some intruder managed to penetrate their layers of defense, usurp control of vulnerable devices and sneak off with the electronic version of their crown jewels. It's not as if the attacker was some nitwit script-kiddie that inconveniently stumbled over a vulnerability just hours before it was about to be patched, right?
For as long as there have been people responsible for securing corporate network defenses and providing incident response to Internet intrusions, there have been "targeted attacks." Over the last half-decade, however, the term has basically become a default response to any kind of electronic breach. And more recently, designating a breach as the result of an advanced persistent threat (APT) is fast becoming synonymous with a "get out of jail free" card.
As corporations have invested substantially more money into securing their networks against Internet intrusions and refined their policies around patching and employee system use, there has been an expectation that any successful breach (if there were to be one) would only be due to an advanced attacker specifically targeting their corporate secrets. Unfortunately, this fallacy persists despite evidence to the contrary.
It is important to note that the forensic analysis of a breach, and reconstruction of the attack timeline, is not a trivial task. Depending upon the distribution (and type) of security technology employed by the victim, any post-breach reconstruction will be biased toward the events that the organization is capable of capturing internally – not necessarily the events that unfolded as part of the attack. As is too often the case, the evidence left behind a breach is effectively a catalog of the failures of the attacker – as the monitoring technologies alerted upon the threats they were capable of detecting and blocking – rather than their successful maneuverings.
With such selective event sampling, it is easy to understand why so many organizations reach a conclusion supporting a targeted attack theory. No one wants to be the victim of just another opportunistic attack; jobs (and necks) are on the line.
The execution of modern cyber-attacks and corporate breaches can effectively be divided into two distinct phases – the attackers and external events that led to the initial device compromises, and the events that occurred within the breached organization after the crimeware was updated. Much of the confusion behind the labeling of corporate intrusions as "targeted attacks" comes from assuming that these two phases of an attack are conducted by the same set of criminal operators. The label applied to an attacker generally implies an individual or singular resolve, but in reality multiple professionals contribute their expertise to making an attack a success – as and where necessary.
The operators, processes, infrastructure and technologies that helped deliver the malicious payload (which initially compromised the corporate systems) are rarely orchestrated by a solitary attacker. Instead, would-be attackers can procure all the tools and expertise they need from a diverse and vibrant cyber-criminal ecosystem.
With a little web browsing and some carefully crafted search criteria, it is all too easy to uncover an increasingly broad array of tools and services designed to aid would-be attackers. The attack instigator doesn't need to be an expert, or even particularly technical, in order to launch an advanced or sophisticated attack against a list of potential victims. Every phase of an attack can be outsourced or purchased off-the-rack.
Today, the tools necessary for creating polymorphic malware designed to evade the desktop anti-virus products used within large organizations can be acquired for free. Better, more feature-packed, DIY (do-it-yourself) malware construction kits can be acquired for a few tens of dollars – while fully supported (24x7 response), money back guaranteed, DIY construction kits complete with flash management consoles and "starter pack" phishing materials can be secured for a few thousand dollars. Then there are literally hundreds of armoring tool providers – each offering easy-to-use products that, with the selection of a few optional tick-boxes, will guarantee evasion against some of the most advanced automated analysis systems being deployed by would-be victim organizations. Then to top it all off, there are online service operators which, for a nominal monthly fee, will accept newly generated malware samples from their criminal subscribers and test them against every commercial anti-virus product on the market – effectively providing QA services and a guarantee that the malware is not currently detected by future victims.
But the malicious binary is merely one component of an attack. The trick lies in getting the malware component through the corporate defenses and installed on the victim devices. Never fear though, there is an entire criminal service industry that specializes in dealing with this problem.
Armed with a solitary malware binary, a would-be attacker can subscribe to one of many pay-per-install (PPI) services and get them to distribute the binary to vulnerable victims. For a fee as low as $17, PPI service providers will install the binary upon 1,000 newly compromised victims. These criminal groups operate thousands of malicious drive-by download web sites scattered all around the Internet and seek to exploit vulnerabilities in the poorly patched systems of unwary visitors. They too have their own service industry. Specialist teams offer blackhat-SEO services designed to drive new traffic to the malicious pages or ensure that a particularly insidious page makes its way to the top of certain Google search result pages. Meanwhile groups of vulnerability researchers and engineers weaponize new exploits and distribute them within commercial drive-by download exploit packs for a few hundred dollars per month.
Even the personalized aspects of a targeted attack can be outsourced. Complete corporate personnel hierarchies can be purchased from lead provisioning companies – "leads" that may have been acquired through past successful malware intrusions and laundered through a number of grey or white marketing agencies.
Armed with a list of names, numbers and email addresses for the corporation, there are dozens of tools designed to automate phishing campaigns. Or, if the attacker doesn't want to purchase the tools themselves; it can all be out-sourced to dedicated spear phishing operators. Even the content of a spear phishing email can be outsourced. There are a number of service providers that specialize in translating scam material and social engineering content from one language to another for a few dollars per hour – with some of them even operating call center support in multiple languages – designed to maximize the probability that potential victims are engineered into opening a malicious attachment or following a link to an exploit site.
For the organizations under attack it is generally impossible to distinguish between the various criminal service providers. With relative ease an attacker can effectively outsource all the major components and phases of their attack to professional third-parties – and remain anonymous. Meanwhile for those providers that leased their services to the attack (either directly or indirectly), most will care very little about who the victim may be, and have little inclination to find out. Most successful breaches should probably be labeled as "opportunistic" rather than targeted.
With that, target selection is increasingly a reflection of search engine page-rank – as the organizers of the attack refine lists of potential targets based upon the data or systems likely present within the targeted organization and those that can be easily monetized. For example, the attackers may be commissioned or seek to secure a bounty from an external entity that wishes to acquire software signing certificates. With money already on the table, all it takes is for the attackers to run a few Google searches to identify relevant software development houses and automatically work their way through the list. The selection of possible targets for attack tends to be opportunistic because the selection criteria don't matter nearly as much as the victims would like to believe.
For the breached and vulnerable victim, event logs and forensic analysis will yield many conflicting findings. With so many criminal hands being involved in the attack delivery and multiple malicious campaigns being launched simultaneously against the target, it is all too easy for the victim organization to throw their arms up in the face of a poorly understood cybercrime ecosystem and declare they were subject to a targeted attack.
Gunter Ollmann, vice president of research at Damballa, has more than 20 years experience in the IT industry and is a well known veteran in the security space. Prior to joining Damballa, Gunter held several strategic positions at IBM Internet Security Systems (IBM ISS), with the most recent being Chief Security Strategist. In this role he was responsible for predicting the evolution of future threats and helping guide IBM's overall security research and protection strategy, as well as being the key IBM spokesperson on evolving threats and mitigation techniques. He also held the role of Director of X-Force as well as the former head of X-Force security assessment services for EMEA while at ISS (which was acquired by IBM in 2006). Prior to joining ISS, Gunter was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm.