BARCELONA–Successful targeted attacks against companies such as RSA, Google and others have made huge splashes in the news in the last year or two and drawn a lot of attention to the phenomenon. But it’s not just the successful attacks that are interesting, security researchers say. In many cases, the failures contain the really useful data.
Many of the known successful attacks against large enterprises that have occurred in the last couple of years have involved specially crafted email messages sent to a small subset of the organization’s employees. The attack on RSA earlier this year, for example, involved an email sent to just a handful of people inside the company and it contained a malicious XLS attachment that had a Flash object embedded in it. One employee opened the attachment and the Flash object then exploited a previously unknown vulnerability and installed some malware on the user’s machine and then it was game over.
It’s rare to get many details about these kind of attacks, even well after the fact, as victimized companies are reluctant to share the data for fear of looking inept. So security researchers are beginning to rely more and more on the data that they can gather from the targeted attack attempts that they see that are not successful. Martin Lee of Symantec said in a talk at the Virus Bulletin conference here that this kind of intelligence can prove invaluable in finding trends and attack patterns.
The company’s cloud-based anti-malware service sees about 500,000 malware-infected emails per day and of those, about one in every 5,000 turns out to be a specifically targeted attack. By looking at the kinds of organizations that are being targeted, the industries that they’re in and other data such as geographic location, Lee said it’s possible to identify some interesting patterns.
“We can come up with guesses as to who’s next. It’s an interesting question to think about,” Lee said. “What tends to get overlooked is the attacks that weren’t successful and were identified. Once you start pulling the data together, you can analyze it topologically and see what’s going on.”
Although targeted attacks are often in the news these days and garner a lot of attention, Lee said that it’s still just a small percentage of the company’s customers that get hit by such attacks on a regular basis. About three percent of the customers are constantly under targeted attacks and some see at least one such attempt every day. Many others, meanwhile, likely see just a few attacks like that each year.
The data provides some interesting insights, Lee said, but it also raises some questions that aren’t necessarily answerable right now.
“It’s not clear what their business model is with these attacks,” he said. “We don’t necessarily know how they’re making money off of this.”