Outdated Assumptions

By Gunter Ollmann

The term “targeted attack” gets thrown around an awful lot nowadays. In fact I’m guessing you’ll be hard pressed to find many public breach disclosures that make it to the news that aren’t labeled as having been “targeted”. It reminds me of an important quote from the character Inigo Montoya in The Princess Bride – “You keep using that word. I do not think it means what you think it means.”


Over the last couple of years I’ve given numerous presentations covering the state of the cybercrime ecosystem – detailing the affiliations between the various criminal service offerings, how attacks are constructed in reality and how the federated ecosystem came to be. Yet, despite having some vague awareness of the commoditization and sophistication of online criminal services, most organizations persist in thinking that attacks directed at them are “targeted”. It’s as if there’s something personal going on – an “attacker” attacked my organization and soiled my chastity.

The reality of the situation is very different. First of all, it’s not personal – it’s business. The folks that are attacking your organization are increasingly professional and financially motivated. Your organization is just one line on a long list they’ve constructed, and that list probably wasn’t even hand-selected; your organization just happened to appear in the results from some Google search that the attackers ran previously.

More significant, though, is the assumption that the attacker is basically an individual or a self-contained unit. Unfortunately this hasn’t really been the case for many years. The oversimplification of what constitutes an attacker continues to raise problems and drive confusion when it comes to countering threats and recovering from a successful breach.

When I spoke at the FIRST conference in Vienna last month on the topic of “Targeted and Opportunistic Botnet Building”, I wrapped the talk up with a couple of summary slides:

The simplistic view of the threat is that the entity conducting the attack contains, manages and orchestrates all the components necessary to perform the attack. Or, in a simple Venn diagram format, the delivery, malware and fraud components are defined as being core components of the “attacker”.

The reality of the situation is very different…

In today’s federated cybercrime ecosystem, the “attacker” selects and manages relationships with multiple external entities that specialize in the delivery of specific components of an attack. Each specialization is independent of the attacker – and will more than likely be servicing multiple “attackers” simultaneously. More importantly, most of the service providers are so removed from the actual attack (and attacker) that the “victim” is unimportant and irrelevant to their contribution.

From a post-hack analysis and prosecution perspective, what you label an “attacker” is going to be heavily dependent upon which aspects of the federated operation you were capable of observing and the evidence you managed to collect.

For example, the delivery of the original malware component may have been orchestrated through a pay-per-install (PPI) affiliate program that was paid $17 per 1000 computers it managed to install the attacker’s malware upon – and which in turn sub-contracted the delivery of the malware that breached your organization to an operator that specializes in drive-by-downloads to Mac platforms in North America. Meanwhile, the actual theft of your organization’s source code was conducted by a pay-per-hour SAP hacking specialist in Romania who used the installed malware as a beachhead into a critical server – only after the “original” attackers had performed a reconnaissance of your organization (and the other 25 organizations that “they” breached that particular day), uncovered the SAP administrative access credentials and thought there may be something saleable in there.

This all gets back to a definition of what we mean by “targeted”. Depending upon the criminal service delivery components we choose to isolate and label as the “attacker”, we’ll end up with completely different definitions of what constitutes a targeted attack. Even if you shrink this down to just the entity that assembled and coordinated the first rung of building blocks, what’s the process in which they selected your particular organization for the attack?

You may feel like you were singled out as the victim of a targeted attack, but you may want to remember that to practically all the cybercrime service operators within this federated ecosystem it’s just business, and that the specifics of who you are are meaningless in the context of the services they provision and to those that’ll be paying them.

Gunter Ollmann is the VP of research at Damballa.
