The number of targeted attacks continues to climb steeply, and any individual or organization can be the target. While opportunistic attacks launched en masse are still being used, targeted attacks are showing much higher growth rates, as they potentially provide much greater gains for the attackers.
Attackers go to great lengths to personalize their exploits in order to cause people to drop their guard, increasing the likelihood that their exploits will be successful. They put a great deal of effort into researching their targets—although this part of the attack life cycle is being made far easier by the targets themselves, as individuals make an ever greater volume of information about themselves available online, especially on social and professional networking sites. According to the Pew Research Center, almost three-quarters of adults in the US use such services, and nearly half use multiple services.
Such information is then used to launch spear phishing attacks, generally in the form of an email sent to the victim. The email contains information that makes it seem relevant to them, so that they are more likely to open a malicious attachment or click on a link in the email that takes them to a site riddled with malware.
Another way of targeting victims that is a fairly recent phenomenon, but which is growing fast in popularity, is the use of watering hole attacks—so called because the attacker lies in wait for its prey in a location they are likely to visit, usually a website containing information likely to appeal to the victims. Examples could be a site offering local community information or one that offers information related to the latest pharmaceutical developments in an attempt to attract the interest of individuals working in that industry. This method takes less effort than painstakingly researched phishing attacks and is likely to net a larger number of victims.
In order to reduce the likelihood of such attacks being successful, organizations need to use a combination of technology, policy, and employee awareness of the dangers and of how to protect themselves. None of these will be successful in isolation.
In terms of technology, there are a number of security controls that should be considered, including web and email gateways and advanced anti-malware controls that provide protection against even zero-day attacks. This is essential, since as many as two-thirds of the malware variants being used in attacks are seen just once, against one specific individual or organization. Organizations should also deploy robust identity and access management controls so that they can determine who is accessing what information in order to protect data from unauthorized access. This is especially important since the initial attack against the target is just the beginning of the attack continuum: the attacker uses it to gain a foothold in the network and then moves laterally through the network to look for more valuable information.
In order to enforce the policies that are set for usage of network resources, the technology should be managed through one central console to ensure that those policies can be universally applied. But policies can only be successful if users are made aware of them and are educated on the behavior that is expected of them.
The trend of targeting specific individuals is one that is growing fast, and it seems unlikely that there will be any letup, given the potential gains that attackers can hope for. Everyone is a target, and complacency is not an option. For organizations, it is not if, but when, they will be breached. Individuals need to be on their guard to ensure that the same is not true for them and that they are not the ticket attackers need to get into their organization.