Video Screencast Help

Symantec Intelligence: November sees a four-fold increase in the number of daily targeted attacks since January

Created: 06 Dec 2011 • 1 comment
Paul Wood's picture
+1 1 Vote
Login to vote

Global spam is now at the lowest it has been since November 2008, when the rogue ISP McColo was closed-down. The effect on spam volumes back then were very dramatic and spam accounted for 68.0% of global emails. More recently the decline has been much slower, but spammers have also adapted to using more targeted approaches and exploiting social media as alternatives to email. Moreover, pharmaceutical spam is now at the lowest it has been since we started tracking it, accounting for 35.5% of spam, compared with 64.2% at the end of 2010.

With targeted attacks and advanced persistent threats being very much in the news this year, we thought it would be a good time as the end of the year draws closer to begin our review of targeted attacks and look more closely at what has been described as “advanced persistent threats” or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and industries.

In November, one in 255 emails was malicious, but approximately one in 8,300 of those were highly targeted. This means that highly targeted attacks, which may be the precursor to an APT, account for approximately one in every two million emails, still a rare incident rate. Targeted malware in general has grown in volume and complexity in recent years, but as it is designed to steal company secrets, it can be very difficult for recipients to recognize, especially when the attacker employs compelling social engineering techniques, as we highlight in this report.

A persistent threat residing inside your company’s network may be the by-product of a successful targeted attack, rather than the targeted email itself containing an APT, it is likely to contain a downloader component for the actual APT. Hence, targeted attacks of this nature can lead to an APT being deployed on your network if you don’t have the right defenses in place.

Targeted malware and advanced persistent threats (APTs) have been very prominent in the news during 2011, particularly in the wake of the Stuxnet attacks that took place in 2010, and more recently with the discovery of Duqu[1], which is was created from the same source code as Stuxnet. Although the source code for Stuxnet is not available on the Internet, this does not mean that the original authors were also the authors of Duqu; the source code may have been shared or even stolen.

Defining what is meant by targeted attacks and APT is important in order to better understand the nature of this mounting threat and to make sure that you have invested in the right kinds of defenses for your organization.

Targeted attacks have been around for a number of years now, and when they first surfaced back in 2005, Symantec.cloud would identify and block approximately one such attack in a week. Over the course of the following year, this number rose to one or two per day and over the following years it rose still further to approximately 60 per day in 2010 and 80 per day by the end of the first quarter of 2011. By November 2011, the number of attacks blocked rose to approximately 94 per day, almost four times the number in January, as shown in figure 1, below.

  

Figure 1. Average number of targeted attacks blocked overall by Symantec.cloud per day worldwide in 2011

The types of organizations being targeted tended to be large, well-known multi-national organizations, and were often within particular industries, including the public sector, defense, energy and pharmaceutical. In more recent years the scope has widened to include almost any organization, including smaller and medium-sized businesses. But what do we really mean by targeted attacks and advanced persistent threats? To find out more, the full report can be downloaded here (PDF).

I hope you enjoy reading this month’s edition of the report, and please feel free to contact me directly with any comments or feedback.

@paulowoody

[1]http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit

Comments 1 CommentJump to latest comment

mathell's picture

I have a tough time understanding how people in the security industry are differentiating targeted attacks from the phishing "noise" and resulting infections that are so commonplace right now.  Every time I hear it explained, there is almost nothing that differentiates it from daily deluge of attacks.  Phishing email, malicious URL or executable, downloader, etc, etc...the patterns are the same.  When it comes down to putting a phishing e-mail into the category of targeted versus non-targeted, what are the specific characteristics of the message that are used?

0
Login to vote