Give an attacker a phish and he will steal some data. Teach an attacker to spear phish and he will steal data bases.
Among the wide diversity of threats facing the modern enterprise, targeted attacks are often the most troubling and difficult to defend against. Even companies with modern security infrastructure find it hard to detect and stop targeted attacks because hackers are taking advantage of the weakest security link: people. By crafting sophisticated and customized spear phishing e-mails or exploiting browsing behavior, attackers are finding it easier to breach networks by duping people rather than systems.
In fact, according to Symantec’s latest Internet Security Threat Report (ISTR), the number of targeted campaigns increased 91 percent in 2013. To take advantage of the human element, attackers are more patient now than ever, seeking to slowly infiltrate systems then lying in wait to attack. In 2013, the average attack lasted eight days compared to three days in 2012 and four days in 2011. These prolonged attacks indicate that hackers are becoming more focused and persistent over longer periods of time in order to better hide their activity.
Spear Phishing in 2013
The social engineering behind phishing attacks is one of the most important keys to their success. In each case, emails are specifically tailored by the attacker to pique the interest of recipients, with the hope that they will open them. For targeted attacks, social engineering has grown more refined and well-researched every year. Hence attacks may be very difficult to recognize without the right technology in place to safeguard against them.
We found, however, that not all companies are equal prey when it comes to targeted attacks. For instance, the larger the company, the greater the risk of attack. Last year, 39 percent of spear phishing emails were aimed at organizations with 2,500 employees or more. Also, public administration topped the industries targeted in 2013, comprising 16 percent of all attacks. Not a surprise, considering the use of targeted attacks by nation states for espionage against others.
Small businesses are also at an elevated risk of being targeted. The proportion of attacks aimed at businesses of 1-250 employees increased throughout the year, peaking at 53 percent in November. This isn’t a surprise either, as we know infiltrating third-party contractors, which are often small businesses, is an effective way for hackers to penetrate larger companies.
Although the number of users targeted with phishing attacks has been increasing for the past decade, last year the global average number of email attacks per day fell to 83. That’s a considerable decrease from the previous year’s average of 116, but this drop in volume isn’t a sign that attackers are slowing down. Rather, it again suggests they’re further adapting their tactics to avoid drawing attention to their campaigns.
The New Threat: Watering Holes
In response to employees’ growing awareness of phishing, attackers aren’t just adjusting their schemes, they’re devising new more complex and well-hidden tactics to disguise attacks.
In 2013, we saw increased use of “watering hole” attacks to place malware on machines. Attackers infiltrate a legitimate site visited by their target, plant malicious code and then wait for the target to visit the site. In general such attacks are set up on legitimate websites that contain specific content of interest to the individual or group being targeted.
This drive-by download tactic can be very potent because users aren’t instinctively suspicious of legitimate websites that they know and trust. As a result these types of attacks are becoming more popular, and in 2013, large enterprises were more likely to be targeted though watering-hole attacks than through spear phishing.
So how do you defend yourself and your organization against these threats? The first step is addressing your greatest vulnerability: employees and partners. This can be done by providing education and technology tools to reduce the number of attacks reaching them and ensuring that those that do reach them are not successful.
If you’re worried about your organization’s vulnerability to targeted attacks, here are three things you should begin doing tomorrow:
- Employee awareness training: Start by educating your users. Make sure employees understand the threat and damage it can cause, then focus on how a targeted attack is structured as well as behaviors that employees should adopt to minimize their risk.
- Deploy advanced e-mail security systems: An effective cloud-based messaging security system can scan email to provide defense against spam, malware, phishing and targeted attacks, while reducing the complexities of on-site technology.
- Segment access within your network: Ensure that all users only have access to the division of the network that is relevant to their work. This way if one area of your network is compromised, an attacker can’t use this as a door to infiltrate deeper into your system.