
Targeted Attacks: The Game Has Changed

Targeted attackers are getting craftier than ever, figuring out new ways to evade detection. But all is not lost.

As targeted attacks increase in numbers and sophistication, defenders find themselves overmatched and underequipped.

Next-gen products that promised to help defenders specifically with such attacks have simply failed to deliver and added to the chaos. That’s because these security products remain stuck in a point-product world where everything that defenders see is a point-in-time event at a single control point. Next-gen detection products only see one tiny window into an attack: they see files, traffic, logins, etc. in isolation and only promise detection, potentially alerting you only after the horse has left the barn.

These next-gen point products send alerts to a SOC team, generating a whole new responsibility of threat hunting. The SOC needs to figure out how to prioritize all those alerts, coalesce them into a broader attack view, and ultimately find the needle in the haystack. It isn’t long before the system gets swamped with an insanely high number of alerts, most of which turn out to be false alarms. Because each next-gen product has a myopic view, it alerts on anything that could possibly be suspicious to avoid missing anything, and it assumes a SOC team is there to make sense of it all.

Bottom line – organizations we have spoken to repeatedly tell us that next-gen detection technologies have failed to deliver.

Targeted Threats

The targeted attack problem has been years in the making. Targeted attacks primarily go after intelligence or PII, anything valuable, but increasingly we are seeing attackers manipulate, destroy, and disrupt their targets. These attacks often involve state-supported actors working at the behest of foreign governments. More recently, we’ve also seen increased organized crime gang activity.

These are sophisticated attackers equipped with the tools and know-how to get what they want. Symantec, which tracks over 140 targeted attack groups, found that last year each group was responsible for hitting an average of 42 companies.

What’s more, targeted attackers are getting craftier than ever. They have figured out ways around nearly everything the security industry has thrown at them, including scanners, sandboxes, network anomaly detection, user login anomaly detection, machine learning, and EDR capabilities. They rely almost entirely on dual-use tools that are already found on user machines to evade detection. In every case, they look like an administrator, not like an attacker.

Organizations have struggled to keep up. They’re not only hampered by solutions with limited, point-in-time views but they also wind up wasting time chasing false alarms. All the while, targeted attackers are covertly exfiltrating data.

The upshot: post-breach forensics discovers the real attack – only after the damage gets done.

Changing the Rules of the Game

So far, the game has been all about detection. Next-gen vendors tout how they can spot anomalies and detect suspicious behaviors. But these technologies don’t prevent attacks: they create false alarms and they miss attacks that rely on dual-use tools (no malware). At best, a SOC might find an attack if they correlate alerts from several products together (involving yet another product purchase, a SIM or threat platform). “Might detect” is not a solution to the targeted attack problem.

Last month, Symantec introduced a new capability called Targeted Attack Analytics. TAA is designed to give defenders an edge by sniffing out targeted attacks before they can inflict damage. We took a fundamentally new approach, one that doesn’t require lots of point-in-time anomaly detection scanners. We apply advanced machine learning across all local and global data, across all control points, all at once, utilizing our Integrated Cyber Defense Platform. The high precision analytics we have developed, not a SOC team you must staff, look at both suspicious and mundane data – especially anything dual-use – to find new attack activity before attackers can get a chance to exfiltrate data. No other product does this today.

Symantec began this effort about four years ago. It was a moonshot: we didn’t know if it would be possible to safely collect data and process it at such volumes, and we didn’t know if we could marry our threat detection expertise with the latest artificial intelligence capabilities. We hit many roadblocks along the way, but we persisted, and the results have been as incredible as we hoped. Since rolling out TAA as part of our Advanced Threat Protection (ATP) product, we’ve uncovered over 1,600 targeted attacks that were previously unknown to the security community. Many were related to the groups we were already tracking, though some were new, such as Treehopper, Dragonfly, Shamoon activity, Thrip, Seedworm, and Elfin.

Our biggest discovery came last fall when we first started using TAA. Our new analytics revealed that Dragonfly was back and inside over 100 power companies in the US. The group uses several infiltration techniques: watering holes, hijacking updates, and e-mails. Symantec’s TAA system successfully located covert communications channels, spotted the enumeration of assets on local systems, and identified the use of several dual-use tools.

TAA is a disruptive leap in capability for targeted attack detection. Finally we can sniff out attacks before they do their damage.

But there are also important implications here for resource-constrained companies and their SOCs. Think of the efficiency gains. Defenders will no longer need to spend precious time wading through seas of alerts. TAA’s ability to spot attacks will help companies save time and energy. They can now shift resources to higher priorities, whether that be improving overall cyber hygiene or hardening their organizations’ security environment.

TAA is built into our Advanced Threat Protection (ATP) product. Our cloud-based, high-precision artificial intelligence analytics run constantly across our enormous data lake to identify attacks in their early stages. They then generate a full report that gets pushed to our ATP product, where a high-priority alert gets generated. Full details about what TAA saw are provided so that the SOC analyst can understand not only the impacted infrastructure, but also what kinds of activity took place. Often the attack activity is automatically linked to known attack groups so the SOC can learn more about the motivation of the attacker.

The tech industry is prone to hyperbole and we often hear people talk about paradigm shifts. But suffice to say that in this case, we’ve been able to change the rules of the game and make it impossible for targeted attackers to hide any longer. By any measure, that’s a very big deal.

For an in-depth read, download this white paper to learn more about how Symantec provides cloud-based analytics to EDR customers using the Advanced Threat Protection: Endpoint solution.

About the Author

Adam Bromwich

SVP, Engineering - Symantec Corp.

Adam leads a global team of engineers and analysts who develop the game-changing security technologies, attack intelligence, and security content that protects over 200 million Norton and enterprise customers.
