Cyber-attacks have evolved from ‘spray and pray’ to tightly targeted campaigns against specific victim organisations. These campaigns have an extremely high success rate for the attacker, and correspondingly high business impact for the victim.
Why targeted threats are hard to detect
Targeted threats are difficult to detect as they use unique, customised methodologies to breach the victim, maintain access, and complete their goal. Existing threat intelligence such as lists of C&C sites and hashes of malware used is of limited value, as seasoned attackers do not re-use tools and infrastructure that have been ‘burned’ on another campaign without modifying them to avoid detection.
The attackers also learn about the victim’s existing security infrastructure and tailor-make their attacks to bypass it. For example, if a particular sandboxing system is in place, they will modify their tools to remain undetected by the sandbox, and if they know that a specific endpoint protection system is installed, they will modify their modus operandi to stay undetected.
As the attack is completely customised, it becomes extremely difficult for the victim organisation to prevent it from succeeding. The chess board has been set up once by the defence, and the attacker is now free to make his moves in order to win. In order to prevent, detect and defeat targeted attacks, the defence has to also adopt a custom approach — implementing security that is unique to their environment, and difficult for the attacker to predict.
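The two points above, that shared hash-based intelligence stops matching as soon as a tool is rebuilt, and that a detection rooted in the defender's own environment is harder for an attacker to anticipate, can be shown side by side. The following is an added example written for this page, not code from the original author: the "tool" bytes, the flow records and the destination 203.0.113.9 (a documentation address) are all constructed, and the baseline approach is one illustration of an environment-specific control, not a prescription.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample payloads: a tool that was "burned" (hashed and shared as
# threat intelligence) in an earlier campaign, and the same tool re-built with
# a single byte changed. Both are fabricated bytes, not real malware.
BURNED_TOOL = b"MZ\x90\x00" + b"dropper-v1" + b"\x00" * 16
MODIFIED_TOOL = BURNED_TOOL[:-1] + b"\x01"

# Hash-based threat intelligence shared after the earlier campaign (constructed).
KNOWN_BAD_HASHES: Set[str] = {hashlib.sha256(BURNED_TOOL).hexdigest()}


def hash_ioc_match(sample: bytes) -> bool:
    """Exact-hash IoC matching: true only for byte-identical copies."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


def parse_flow(line: str) -> Tuple[str, str]:
    """Parse a constructed flow record 'timestamp host -> destination:port'
    into (host, destination)."""
    _ts, host, _arrow, dest = line.split()
    return host, dest.rsplit(":", 1)[0]


def build_baseline(history: Iterable[str]) -> Dict[str, Set[str]]:
    """Learn, per host, the set of destinations seen during a quiet period.
    The result is specific to the defender's own network and is not something
    an attacker can read off a public IoC feed."""
    baseline: Dict[str, Set[str]] = {}
    for line in history:
        host, dest = parse_flow(line)
        baseline.setdefault(host, set()).add(dest)
    return baseline


def flag_new_destinations(baseline: Dict[str, Set[str]],
                          flows: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, destination) pairs absent from that host's baseline,
    regardless of whether the destination appears in any shared IoC list."""
    flagged: List[Tuple[str, str]] = []
    for line in flows:
        host, dest = parse_flow(line)
        if dest not in baseline.get(host, set()):
            flagged.append((host, dest))
    return flagged


# Constructed flow logs: a quiet baseline period, then a day containing one
# connection to infrastructure never seen before (203.0.113.9 is a
# documentation address used here as a placeholder).
BASELINE_FLOWS = [
    "2024-05-01T09:00:01 ws-finance-07 -> mail.example.internal:443",
    "2024-05-01T09:12:44 ws-finance-07 -> erp.example.internal:8443",
    "2024-05-02T10:03:19 ws-finance-07 -> updates.vendor.example:443",
    "2024-05-02T10:05:00 ws-hr-02 -> mail.example.internal:443",
]
TODAY_FLOWS = [
    "2024-05-09T08:55:10 ws-finance-07 -> mail.example.internal:443",
    "2024-05-09T08:57:31 ws-finance-07 -> 203.0.113.9:443",
    "2024-05-09T09:01:12 ws-hr-02 -> mail.example.internal:443",
]


def demo() -> dict:
    """Run both detections over the constructed data and return the results."""
    baseline = build_baseline(BASELINE_FLOWS)
    return {
        "burned_tool_matched": hash_ioc_match(BURNED_TOOL),
        "modified_tool_matched": hash_ioc_match(MODIFIED_TOOL),
        "flagged": flag_new_destinations(baseline, TODAY_FLOWS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check fires on the burned copy and misses the one-byte variant, which is the limitation the text describes; the per-host baseline flags the unfamiliar destination without needing to know anything about the attacker's tooling. In practice a baseline like this needs a learning window long enough to cover legitimate variation, and new destinations are a lead to triage rather than a verdict.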