Targeted attacks are an evolution of espionage to target a specific organization in order to steal information, modify information, or destroy information or systems. On the other hand, opportunistic attacks (see previous post) target a specific technology without caring about who uses it. Targeted attacks are technology agnostic as the attackers have the resources and determination to use whatever techniques or technologies work.

Attackers who run targeted attacks are most of the time organized to have information about their target. For instance, they can have a copy of the organization chart, a list of people that click on spear-phishing emails attachments or URLs, who has access to the information they want, etc.

Typical steps of a targeted attacks

Here is what attackers will typically do:

  • Exploit a weakness to compromise a first host. For instance, the initial attack vector can be an email with a malformed attachment (such as a .pdf) or with a link to a malicious website (exploiting a Java vulnerability for instance), or it can be a USB key left on a parking lot for the victim to discover.
  • Elevate their privileges
  • Install malware to automate their tasks and for persistence (this piece of malware is of course designed and tested to not be detected by your antimalware)
  • Mine for useful credentials
  • Exfiltrate, modify or delete data

 

TOP 3 mitigations to prevent disrupt or limit the impact of targeted attacks

Based on our experience there are 3 mitigations that, if applied, would have prevented, disrupted or limited the impact of real world targeted attacks.

  • Security Updates Management of all software (operating systems and applications)
    • 0-day vulnerabilities (aka unknown vulnerabilities) are rarely used in targeted attacks. First, they are difficult to find and every time they are used there is a risk of making them known which would dramatically decrease their value. Second, most of the times, attackers are not forced to use them as they always find an existing well-known vulnerability (for which a security update does exist but was not applied)
    • The goal of Security Updates Management (also known as Patch Management) is to make sure no known vulnerability can be leveraged against you.
    • Only use supported versions of software and deploy most recent versions of software and file formats as they have improved security features.
      As an example, you should retire Windows XP before it is terminated on April 2014 as there won’t be any further security updates after this date. Windows 8 security was designed with recent threats in mind.
  • Enforce Least Privilege Principle
    • Attackers will try to steal credentials from privileged users (and use the famous Pass-the-Hash attack). It is therefore important to limit the exposure of privileged user accounts, make sure they are used by people who have be trained to use them only when necessary and from secure computers. These accounts should also have their scope limited only to what is needed.
    • You should also apply this principle to services (software that starts automatically without user interaction)
  • Whitelist applications
    • To help prevent the introduction of unwanted software, use an application whitelisting approach such as AppLocker available in Windows 8 Enterprise and Windows 7 Enterprise.

 

The 5 aspects of incident preparation

When we look at how to be prepared for an incident there are 5 aspects that you need to master.

  • Prevention: protect your assets based on the associated risks (asset value, vulnerabilities and threats.) Probably the most important of all 5 aspects. This is where the Top 3 Mitigations are useful. A simple example that goes beyond these mitigations: information protection thanks to Active Directory Rights Management Services (AD RMS). It offers a persistent and embedded protection of documents and control the usage that can be made of the document (read, print, forward, copy/paste…)   
  • Detection: as you cannot blindly rely on your prevention working perfectly, you should be monitoring anomalies. You can find many information about which security events to monitor in our documentation.
  • Response: when an incident occur, you want to react in an expedite manner. This is more a process of incident response management.
  • Containment: if an incident occur, you want to be able to isolate its impact. You need to have designed the architecture of your information system to achieve this goal. Tomorrow, if one of your machine gets compromised, will it propagate to many machines or can it be contained?
  • Recovery: finally, if things go bad, you should be able to recover in a safe way. This encompasses Disaster Recovery Planning and Business Continuity Planning. A simple real life recommendation: make sure you have a frequent backup that you will keep offsite and offline (out of reach of privileged accounts in case they became compromised).

 

[Update!] Targeted Attacks Videos

We recently published a short series of videos that introduce many of the topics covered in a series of whitepapers that are designed to help organizations understand and manage the risks posed by targeted attacks by determined adversaries. These papers include:

Find the videos from this Microsoft Security Blog post.

 

Next in the Security Series

Next I’ll talk about the security features that are available in your Microsoft software that you might not be using already and which could be very beneficial for you to implement. Later, I’ll dig into more details about the Top 3 Mitigations. Stay tuned.