darkreading.com
April 2014
Stop Targeted Attackers
All cyber-attackers aren’t equal. Focus more attention on exploits made just for you.
By Ericka Chickowski
PLUS: Handling targeted attacks: Experts speak
CONTENTS
COVER STORY: Stop Targeted Attackers. The most dangerous attacks aren’t random, so focus on those that are created just for your company. p4
DARK DOMINION: Handling Targeted Attacks: The Experts Speak. Security pros offer tips on preventing targeted threats. p3
CONTACTS: Editorial and Business Contacts p11
PREVIOUS ISSUE: Secure The Cloud. Cloud security needn’t be an oxymoron. Here’s how to get it right.
April 2014, Issue 015
DARK DOMINION
Handling Targeted Attacks: Experts Speak
By Tim Wilson @darkreadingtim

This month’s digital issue on targeted attacks isn’t the first time Dark Reading has looked at this topic. On March 6, in conjunction with our sister publication InformationWeek, we conducted a half-day conference in Boston on targeted attacks featuring the industry’s best-known experts. The following are the key messages from that event.

Get to know your attacker. Most current defenses against targeted attacks focus on analyzing the unique malware used by the attackers. But there is a growing base of vendors that offers threat intelligence services that make it possible for your enterprise to not only identify the malware, but to isolate the methods and identities of the attacking group.

“If you understand your attacker’s methods, you can improve your defenses against those attacks exponentially,” says George Kurtz, CEO and co-founder of CrowdStrike, who keynoted the Boston event.

A targeted attack isn’t necessarily a direct attack. Bad guys are discovering that the best way to gain entry into a targeted network is by compromising the systems of third parties that have access to that network. The huge data breach at the Target retail chain in late 2013 has been traced to a small heating and air conditioning company that worked with Target.

“To build an effective defense, you also need to extend your visibility into your supply chain,” says Kurtz.

A targeted attack isn’t always a new attack. While some high-profile cases of targeted attacks have involved zero-day malware developed specifically for the victim, the majority of these attacks exploit known vulnerabilities.

“Many of these attacks involve years-old vulnerabilities that could have been prevented if the victims had just stayed up to date with their patches,” said JD Sherry, a security researcher from Trend Micro, in a presentation at the Boston event.

Most targeted attacks leave fingerprints. Like conventional criminals, targeted attackers tend to develop “modus operandi” — a unique set of tools and practices they use over and over again. By identifying this M.O., enterprises can build customized defenses designed to stop these specific attacks.

Ninety-nine percent of targeted attacks are manually operated, which gives them an almost human quality that is quite different from mass-produced malware, says Harry Sverdlove, CTO of Bit9.

If you want to frustrate a targeted attacker, raise the cost of his attack. It may not be possible for an enterprise to “hack back” against a cyber-criminal, but you may be able to frustrate the bad guys by repeatedly exposing and interrupting their methods.

“The bad guy has to pull off an entire process without being detected,” says Tim “TK” Keanini, CTO at Lancope. “Interrupting this ‘kill chain’ is the key to making it more difficult to complete the process.”

Tim Wilson is editor of DarkReading.com. Write to him at timothy.wilson@ubm.com.
COVER STORY
Stop Targeted Attackers
All cyber-attackers aren’t equal. Focus more attention on exploits made just for you.
By Ericka Chickowski @ErickaChick

Not so long ago, the main threats in cyber-security were random: viruses and worms that crawled across the entire Internet, or malware buried in spammy email blasts. Enterprises coped with the problem with protective screens that recognized and blocked these random attacks, as an umbrella keeps off the rain.

Today, the most dangerous attacks are no longer random. They are targeted specifically to steal or damage data from a specific organization, or even from specific systems and people in that organization. The targets aren’t always large companies or government agencies; targeted attacks can be launched against government contractors, media firms, or even small businesses. Targeted attacks are the attack vector of choice for sophisticated cyber-criminals, and against certain exploits, existing enterprise defenses are about as effective as an umbrella against a surprise Super Soaker attack.

Targeted attackers sometimes spend months, even years, scouting their targets. They’ll probe for weaknesses and pinpoint vulnerabilities that can be used in a tailored attack. That first vulnerability may get them the crown jewels right away, but typically, targeted attacks are a multistep process. Attackers start by gaining a foothold in the target’s infrastructure. Once inside, they’ll quietly scope out the network, looking for further points of attack and ways to access specific information.
The recent breach at retailer Target is a prime example of a targeted attack. Attackers were able to gain enough access within the retailer’s network to install malicious software on its point-of-sale (POS) systems to collect the credit and debit card data of millions of customers as the transactions were being made.

The initial route into the network was circuitous, according to news reports. Attackers got a foothold in Target’s network through a phishing attack against the company’s heating and air conditioning vendor. From there, the attackers used limited administrative connections from the vendor into Target’s network to worm their way further into the network of systems. The criminals running the attack did enough legwork to learn which vendors Target did business with and found one that would eventually give them the keys to a side door into the Target infrastructure.

This is just one very public example.

“We’re losing this war, to be blunt about it,” says Dan Kaminsky, a noted security researcher and chief scientist for fraud detection firm White Ops. “Five hundred of the Fortune 500 are under targeted attack. It’s a constant cat and mouse game.”
Targeted attacks test enterprise defenses because they defeat the old “umbrella” defense, which was designed to stop widespread, random attacks. Companies can no longer treat all types of attacks the same. They must instead prioritize defenses against the methods that targeted attackers are likely to levy against their businesses.

“We’re treating everything as if it were the same level of threat, whether it’s a targeted attack, a criminal, a teenager trying to port scan your network. They’re all getting similar levels of attention, and that’s not a sustainable model,” says Dmitri Alperovitch, co-founder and CTO of Crowdstrike, a threat detection vendor focusing on advanced and targeted attacks. “You have to prioritize.”
Understand The Attacker’s Mentality

Developing a defense for targeted attacks starts by understanding who these attackers are and how they operate. Now, that doesn’t necessarily mean working to identify your attackers specifically. That’s a rabbit hole that won’t reap enough rewards for the effort, Kaminsky warns.

“Even if you knew exactly who your attackers were, there’s a limited number of scenarios in which you can do anything about it,” he says.

You’re not seeking out a specific name or identity. Instead, you’re identifying attack patterns common in your industry and looking to protect yourself from attacks against the data that a targeted attacker would want to steal. And that means understanding how attackers operate.

For example, some opportunistic financial attackers go after mom-and-pop point-of-sale systems by scanning the Internet looking for open pcAnywhere, virtual network computing, or remote desktop connections, says Lucas Zaichkowsky, enterprise defense architect for the forensics and security firm AccessData.

Many of these merchants and their POS vendors set these systems up and do port forwarding so the POS vendor can help the merchant troubleshoot remotely. Using that as a jumping-off point, targeted attackers often have enough information to understand common POS systems and know where credit card data is likely stored.

“Most POS systems are encrypted these days, but it’s all about knowing where the keys are,” says Zaichkowsky. “Or they’ll just drop in keystroke recorders or memory scrapers to grab the data as it’s in transit without even relying on it being stored anywhere, and then it’s just automatically uploaded or uploaded through batch to some FTP server somewhere. And a lot of that stuff is done in a matter of minutes.”

19% of all attacks analyzed in a 2013 Verizon report were perpetrated by state-affiliated actors — in other words, a form of espionage. Data: Verizon 2013 Data Breach Investigations Report
Meanwhile, other extremely sophisticated attackers may target specific financial organizations to “jackpot millions out of ATM machines,” says Zaichkowsky. Nation-state attackers may go after specific industrial companies to gain intelligence information.

At the lower level of sophistication, such as the POS example, attackers target common vulnerability opportunities. At the higher end, they target a specific organization’s weaknesses by doing a lot of reconnaissance.

“The more targeted the attack, the fewer obvious mistakes your attacker is going to make, because his attack is tailored to a particular environment,” White Ops’s Kaminsky says.

To understand how targeted attack techniques apply to your industry or business, finger-in-the-wind Internet research won’t cut it. Instead, gather true threat intelligence about attacks occurring in near or real time within real-world environments.

“Intelligence can help you identify both the risk to assets — by looking at the adversaries that may be motivated to go after your data — and can provide you with the understanding of the trade craft and the capabilities of those actors, so that you can start thinking about how to adjust your defense model to specifically meet the capabilities of those adversaries,” Alperovitch says.

Zaichkowsky explains how threat intelligence can help.

“Let’s say, for example, you know the state-sponsored Chinese guys are coming after you. You’ve got some intellectual property you know they want,” he says. “They tend to operate by spearphishing most of the time for initial point of entry. So being able to make sure certain file attachment types can’t be opened and installing next-gen solutions in line mode, you can [take actions that] actually prevent things as much as possible.”

Figure: Threat Intelligence Integration. Threat intelligence data is most effective when it is integrated directly with other security efforts. The data can inform both tactical security efforts as well as more strategic governance and risk management processes.
Understand Your Own Environment

Of course, understanding who’s likely to attack you and how is only a part of the puzzle. Internal data and system knowledge is just as important as knowing your enemy, to paraphrase Chinese military philosopher Sun Tzu.

This means identifying what information assets your organization has — and what assets are most important to your business — because each company has different pain points and risk factors.

“Coordinate across business units to identify the information that would be critical if my competitor or a threat actor were to take it,” says Jen Weedon, manager for the intelligence team at FireEye. “That gets you down the path of being able to know, ‘OK, I should protect X, Y, Z information with higher levels of security.’”

In other words, targeted threat protection really starts with a targeted, internal risk assessment.

“Info about a negotiation on a multibillion-dollar deal is probably a lot more valuable than info about a $200,000 sales opportunity,” Alperovitch says.

Similarly, organizations must understand what’s going on within their IT environments, correlating that with the data protection priorities they’ve made and the threat intelligence feeds they receive about external dangers. This is why organizations are investing more heavily in detection technologies than in traditional umbrella prevention techniques.

Detection is much more effective than prevention, says Kaminsky. The notion that vulnerabilities are instantly exploited and that all useful data is instantly removed simply isn’t true.
“There’s a period of time it takes to find your target and determine how to exploit it,” Kaminsky says. “And it turns out that there are specific things that show up in the logs after the vulnerability has been found but before it’s been successfully exploited — and they can serve as a great signal [of an attack in progress].”

Every company needs to remember that it has an advantage over the targeted attacker because the company has an insider’s knowledge of its own environment.

“You don’t have to discover the properties of your environment in real time the same way that an attacker does,” Kaminsky says. “We do not use honeypots enough. We do not attempt enough to exploit the attackers’ real-time discovery of the networks that they’re breaking into.”

Too often, says Zaichkowsky, organizations “burn” the intelligence they may have about attackers rather than using it to identify their methods and stop them. For example, if a business learns from threat intelligence service providers that a list of IP addresses is being used to attack the business, its first instinct may be to just configure the firewall to block those addresses. But when you’re dealing with targeted attackers, as soon as they try to connect to you and it’s not working, they’ll just go to another IP address — and you’ve essentially burned your intelligence.

Instead, take that tactical intelligence and lay down “tripwires” to watch the attackers’ activity and remediate a little further down the line.

“Then when you actually remediate and you kick them out,” says Zaichkowsky, “you haven’t burned any of your intelligence. They’ll have to start guessing, ‘Well, how did they find me?’”

Chart: Cyber-Espionage Concern. How concerned is your organization about advanced cyber-espionage, nation-state or other types? Response categories: not at all concerned, slightly concerned, moderately concerned, very concerned, extremely concerned; values shown: 9%, 24%, 30%, 13%, 24%. Data: InformationWeek 2013 Strategic Security Survey of 1,029 business technology and security professionals at organizations with 100 or more employees, March 2013
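The tripwire approach Zaichkowsky describes, as an added example that is not from the article or from any vendor mentioned in it: a small Python script that matches a threat-intelligence indicator list against firewall connection logs and builds a per-host timeline a responder can use to scope the intrusion, instead of emitting firewall blocks. The log format, the indicator values, the internal address range and the sample log lines are all constructed assumptions.

```python
"""Tripwire-style use of tactical threat intelligence (added example).
Match feed indicators against connection logs and build a per-host timeline
for scoping, instead of emitting firewall blocks that burn the intelligence."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed indicator list standing in for a threat-intelligence feed.
INTEL_INDICATORS = {"203.0.113.17": "reported-c2", "198.51.100.0/24": "reported-scanner-range"}
# Assumed internal address space; only these hosts are tracked as victims.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """\
2014-03-02T01:12:08Z fw ALLOW src=10.20.4.15 dst=203.0.113.17 dport=443 proto=tcp
2014-03-02T01:12:09Z fw ALLOW src=10.20.4.15 dst=93.184.216.34 dport=443 proto=tcp
2014-03-02T01:15:41Z fw ALLOW src=198.51.100.77 dst=10.20.4.15 dport=3389 proto=tcp
2014-03-02T02:03:55Z fw ALLOW src=10.20.9.3 dst=203.0.113.17 dport=443 proto=tcp
2014-03-02T02:10:00Z fw DENY src=10.20.9.3 dst=203.0.113.17 dport=8443 proto=tcp
this line is not a valid log record
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=\w+$"
)


@dataclass
class HostActivity:
    """Everything one internal host did with intel-matched external addresses."""
    first_seen: datetime
    last_seen: datetime
    matched_externals: set[str] = field(default_factory=set)
    tags: set[str] = field(default_factory=set)
    events: list[str] = field(default_factory=list)


def _intel_tag(ip, networks):
    """Feed tag for ip if it falls inside any indicator network, else None."""
    addr = ipaddress.ip_address(ip)
    return next((tag for net, tag in networks if addr in net), None)


def _is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def build_tripwire_timeline(log_text, indicators=INTEL_INDICATORS):
    """Return {internal_host: HostActivity} for hosts that touched an indicator.

    Alert-only by design: no block rule is produced, so the attacker gets no
    signal that the addresses are known and every host reached from them stays visible.
    """
    networks = [(ipaddress.ip_network(k, strict=False), t) for k, t in indicators.items()]
    timeline = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never fatal
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src, dst = m["src"], m["dst"]
        # Either direction counts: outbound beaconing or inbound remote access.
        for internal, external in ((src, dst), (dst, src)):
            tag = _intel_tag(external, networks)
            if tag is None or not _is_internal(internal):
                continue
            act = timeline.setdefault(internal, HostActivity(ts, ts))
            act.first_seen, act.last_seen = min(act.first_seen, ts), max(act.last_seen, ts)
            act.matched_externals.add(external)
            act.tags.add(tag)
            act.events.append(f"{m['ts']} {m['action']} {src}->{dst}:{m['dport']}")
    return timeline
```

Feeding a real log export into build_tripwire_timeline gives the responder the first-seen and last-seen contact per internal host and the full list of indicator addresses each host touched, which is the scoping information needed before a single coordinated remediation.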
Frustrate Your Attacker

Ultimately, the goal is to make life very hard for the targeted attacker and also to buy your organization enough time to respond to targeted attacks before the crown jewels leave the building.

“Think of infrastructure hardening like building a maze,” says Zaichkowsky. “You’re making that maze more and more complex, which buys you time. In a targeted attack, they’re going to get to what they’re after — it’s just a matter of time. So make that maze as difficult as possible and set up little tripwires everywhere to identify attackers as they’re progressing through it.”

Your team needs enough audit logs, forensics artifacts, and monitoring tools in place to quickly scope out an attack when a tripwire has been tripped. But even more than that, companies should constantly adjust their defenses to make it expensive for the attacker to operate within their environments, Kaminsky warns. While creating a puzzle may make things more difficult for attackers, the reward might be great enough that the attacker will invest the time and resources to figure out that puzzle.

“You have to play a chess game,” Kaminsky says. “You have to make sure there’s a cost to the attacker for getting detected, but you have to make sure the attacker thinks maybe it will work. But when it doesn’t work, they’re going to lose what they have within your network. If you don’t play the game, if you just try to make a puzzle, you’ve already lost.”

Write to us at editors@darkreading.com.
READER SERVICES

Online, Newsletters, Events, Research
DarkReading.com: The destination for the latest news on IT security threats, technology, and best practices.
Electronic Newsletters: Subscribe to Dark Reading’s daily newsletter and other newsletters at darkreading.com/newsletters/subscribe
Events: Get the latest on our live events and Net events at informationweek.com/events
Reports: reports.informationweek.com for original research and strategic advice

How to Contact Us
Editorial Calendar: informationweek.com/edcal; createyournextcustomer.techweb.com/2014-editorial-calendars/
Back Issues: E-mail customerservice@informationweek.com; Phone 888-664-3332 (U.S.), 847-763-9588 (Outside U.S.)
Reprints: Wright’s Media, 1-877-652-5295; Web wrightsmedia.com/reprints/?magid=2196; E-mail ubmreprints@wrightsmedia.com
List Rentals: Merit Direct; E-mail svigliotti@meritdirect.com; Phone 914-368-1088
Media Kits and Advertising Contacts: createyournextcustomer.com/contact-us
Letters to the Editor: E-mail editors@darkreading.com. Include name, title, company, city, and daytime phone number.
Subscriptions: E-mail customerservice@informationweek.com; Phone 888-664-3332 (U.S.), 847-763-9588 (Outside U.S.)

Dark Reading Editors
Tim Wilson, Dark Reading Site Editor, timothy.wilson@ubm.com, 703-262-0680
Kelly Jackson Higgins, Dark Reading Senior Editor, kelly.jackson.higgins@ubm.com, 434-960-9899
Copyright 2014 UBM LLC. All rights reserved.
Business Contacts
Rob Preston, VP and Editor In Chief, rob.preston@ubm.com, 516-562-5692
Jim Donahue, Managing Editor, james.donahue@ubm.com, 516-562-7980
Chris Murphy, Editor, chris.murphy@ubm.com, 414-906-5331
Shane O’Neill, Managing Editor, shane.oneill@ubm.com, 617-202-3710
Lorna Garey, Content Director, Reports, lorna.garey@ubm.com, 978-694-1681
Debee Rommel, Senior Art Director, debee.rommel@ubm.com