Targeted or zero-day attacks. Targeted attacks

Used for harmful effects on the infrastructure of companies and government agencies. Before an attack, cybercriminals carefully study the defenses of the attacked organization. Not only familiar Information Systems companies, but also automated process control tools (APCS). Antivirus products are unable to prevent a targeted attack, since malware in such cases is developed specifically for a specific infrastructure, including taking into account the security software used.

Recently, there has been a shift in emphasis from writing malware to conducting targeted attacks. The target of the attack is a specific organization, and preparation takes a lot of time. Criminals carefully study the security measures used by a potential victim and find the necessary vulnerabilities, which are used in a complex of malicious operations.

Classification of targeted attacks

Targeted attacks can be aimed at government and commercial entities. When hacking, standard mechanisms are used (spam, phishing, website infection) and exploit kits. Attackers mainly pursue the following goals:

• Theft of funds from bank accounts and electronic wallets, theft of confidential data.
• Unfair competition: manipulation of processes, falsification of documents, weakening of competitors, extortion and blackmail.
• Theft of intellectual property samples.
• Disruption of normal activities of military, industrial and civil infrastructure facilities, life support systems.
• Using the capabilities of telecommunication systems to carry out information influences and manipulate public opinion.

Stages of targeted attacks

At the preparatory stage, the object under attack is studied, information is collected, reconnaissance activities are carried out, and weak points are identified. For monitoring, mailing lists, official websites and accounts on social networks, and specialized forums are used. Analyzer programs are used to study the network infrastructure and software. Automated methods or individual forms of influence, such as telephone calls, can be used to obtain data.

After preparation is completed, a strategy is developed and attack tools are selected. Malicious programs are written for a specific attack and victim; it is necessary to overcome regular funds protection.

Target of targeted attacks

Targeted attacks may pursue economic, political or other goals.

There are known cases where attackers have infiltrated the control systems of individual technological processes and the activities of enterprises. For getting necessary information criminals can set up direct access and hack gadgets belonging to employees.

It is almost impossible to avoid penetration attempts. If attackers need access to certain resources, they will regularly launch combined attacks. There is always a possibility that one of the many attacks carried out will provide the desired result.

According to the observations of leading experts antivirus laboratories, government departments, the financial sector, the energy and space industries, telecommunications and IT companies, enterprises of the military-industrial complex, educational and scientific institutions, prominent public and political figures are most at risk.

List of systems that are most often targeted by targeted attacks:

• Research and development departments (R&D). Such subdivisions must have high level protection, but most often this is not the case.
• Management offices of companies. Most enterprises are vulnerable to the actions of insiders who are in cahoots with attackers and have physical access to computers.
• Data center. These systems run servers that run many applications. They need to ensure safe operation, which is the main problem.
• As the company grows, the network of suppliers who have a low level of computer system protection expands. A targeted attack can be carried out through them.
• Attacks on production. Not all production facilities are equipped modern equipment, many of them use old specialized systems, united in a network. Their security is difficult to control, which is what cybercriminals try to take advantage of.
• Office computer networks. To improve employee productivity, all devices are combined into one shared network, and this provides a wide field for hackers to operate.
• Marketing plans. The purpose of such attacks is to obtain a list of clients and sales plans, damaging the company’s reputation.
• Smartphones and tablets. This is an absolute headache for the information security departments of any company. It is impossible to do without gadgets, but a lot of valuable and confidential information and access passwords can be stored in the device’s memory, which become the target of criminals.
• Attacks on databases are carried out with the aim of obtaining important information; to achieve this result, details can be used account administrator.

Sources of targeted attacks

To achieve their goals, criminals use all available means. There are several main vectors of targeted attacks:

• Unauthorized access to office equipment and other equipment that can be penetrated or tampered with malicious code.
• Although data centers generally provide an acceptable level of security, they vulnerabilities related to the functioning server equipment and the software installed on it.
• Branched local networks thanks to the development of technology, they allow attackers, if connected to one of the devices (it could be a computer, fax, printer or MFP), to safely move inside corporate network.
• The use of smartphones and other personal electronics for work purposes and within the corporate network can become a weak link in the protection and Starting point in the development of the attack.

Targeted attack risk analysis

It is unlikely that a targeted attack will be used against ordinary PC users unless they are company employees. The target of an attack can be any information of value. Most often, such attacks are carried out to obtain industrial secrets, personal and payment data. Many prominent businessmen and enterprise leaders suggest that one day a similar attack could be carried out against their organization.

Today, more than a hundred hacker groups are known to carry out targeted attacks. Government and commercial structures in 85 countries suffer from their actions. This widespread use is explained by the optimization of hacking tools, which makes malicious operations easier and cheaper.

Manufacturers of information security tools are constantly improving tools to counter targeted attacks. Specialized products are being developed that are aimed not at searching for unknown samples of malicious code, but at identifying suspicious activity. This is explained by the fact that attacks do not always use malicious programs: attackers can use completely legal means. Separate modules analyze files downloaded from the Internet, network activity and user behavior on workstations. The most effective are comprehensive solutions, individual components which provide attackers with false sets of data and targets.

It is impossible to completely protect yourself from targeted attacks. Thus, if a criminal plans to gain access to company data, he can conduct attacks over many months or even years, sometimes developing several malicious operations in parallel. Having no time limits, it carefully checks the ability of the antivirus to detect malware and, if necessary, modifies them. On preparatory stage attacks take the bulk of time, but the attack itself takes a matter of minutes. Under such conditions, the probability of its success is very high.

Detecting a targeted attack is a very complex and complex task. The fact of penetration into the system may remain undetected for a long time. This makes it very difficult to estimate the total number of attacks carried out worldwide.

The main trend in recent years is a shift in emphasis from mass attacks to targeted attacks, or targeted ones, directed against a specific company, organization or government agency. And it turns out to be not very easy to resist them, although it is possible.

Traditional mass viral epidemics are acts of banal vandalism, which, generally speaking, do not bring any material dividends. Only gaining dubious fame, which, moreover, does not last too long and which, most likely, ends in arrest and a long prison sentence. Targeted attacks are a completely different matter. Here the means of cyber attack are used or for direct theft Money, or information that is easy to monetize, for example, payment card details or personal data, the black market for which is very developed.

Competitors may also be behind targeted attacks. Their goal may be all kinds of know-how, information about upcoming projects and new products, and other information critical for business. However, this kind of information can be stolen in other ways, for example, with the help of disloyal employees. However, the use of targeted attacks is often less troublesome from an organizational point of view and takes less time, and the material costs may be lower.

Intelligence agencies also show great practical interest in these types of tools. This category is the most insidious and dangerous, since there is most likely no direct material motive behind their actions, but at the same time they have significant resources and qualified personnel, both their own and hired ones. By the way, behind the most high-profile actions of recent times, in particular, the sensational attack on Sony Pictures, there were just hired hackers. Reporters from the notorious British tabloid News of the World, who were caught under surveillance, also resorted to the services of cyber-mercenaries.

Also, the target of hacktivists and cyber spies can be not only information, but also various kinds of dispatch systems and control complexes, an attack on which can lead to enormous damage. So these objects can become a target for terrorist attacks.

As a result, according to a global survey conducted by the consulting and auditing company PricewaterhouseCoopers (PwC), the risks associated with cyber attacks have been consistently in the top five since 2012. Also, this kind of threat is cited as one of the main obstacles to business growth, since security services often prevent the implementation of new critical IT systems due to fears about their possible vulnerability to cyber attacks. The PwC survey also noted a significant increase in cyber attacks, which amounted to 60% year on year. The average cost of a cyber attack per company, according to the “2014 Cost of Cyber ​​Crime Study” conducted by the Ponemone Institute, the results of which were summed up in the fall of 2014, was $2.3 million.

The main danger of cyber attacks is for large companies. They have significant amounts of cash or liquid information that can be easily monetized. And the very fact of hacking can be the subject of blackmail, since regulatory and reputational risks are high, the damage from which can be higher, sometimes many times, than the costs associated with the theft as such. Also, the public airing of all sorts of dirty laundry can cause great damage, as was the case with Sony Pictures or the victims of surveillance by News of the World reporters. Small businesses may simply not accept the same card payments and they do not handle large volumes of personal data.

The most susceptible to attacks are enterprises in such industries as the fuel and energy complex, telecommunications, high technology, and the military-industrial complex. It is for them that it is easier to steal something from a competitor than to create an analogue of a successful product from scratch.

Targeted attack. How it's done

It all boils down to the fact that control over any device within the network of the attacked company is seized, and from there access to business applications and/or file servers is gained. Next, the information needed by the attackers is collected and transmitted to its destination, usually indirectly.

As a rule, funds are used for such purposes remote control PC or servers. The most difficult thing is to determine where exactly in the corporate network you can find the required information. So it requires preliminary reconnaissance or the presence of an accomplice inside. For example, you need to know on what platform the CIS of the attacked company is built. And the procedure for obtaining the necessary information in systems based on 1C, SAP, Oracle, Microsoft is significantly different.

The theft of many categories of information in a fully automatic mode is also extremely common. Such tools are in greatest demand, since the problem of lack of personnel for attackers is also very acute. The control centers of many botnets allow you to configure individual nodes not only to send spam or conduct DDoS attacks, but also to search for and transmit various categories of data to a designated location: including details bank cards or authentication data for remote banking systems (RBS). Moreover, botnet clients can be customized to suit your needs for a separate, quite reasonable fee. For example, the author of one of the “popular” banking Trojans charged about $2,000 for updating his program.

The technology for introducing malware is also very simple, although it changes over time. Now users are much less likely to open executable files, and corporate mail servers can block such attachments. However, there are other methods. For example, lure you to an infected page. Preparing it takes just a few minutes. Recently, it has become more popular to use documents in the following formats as containers for malware: Microsoft Office or Adobe PDF. In Russian conditions, this is facilitated by the established traditions of working with by email. In addition, the botnets themselves automatically infect PCs en masse, including corporate ones. For this, all kinds of vulnerabilities in software are used. A 2014 HP study found that 70% of enterprise software contains vulnerabilities. Very often, malware penetrates through public unprotected Wi-Fi networks, to which many people connect their work laptops.

Sometimes both approaches are combined. When attackers realize that their bot has entered the network of, for example, a bank or retail chain, a remote control system is implemented on the infected computers, from which they carry out what the bot cannot do.

There are ways to penetrate the network using other devices, for example, printers, MFPs, some types network equipment. Their firmware also has vulnerabilities, often serious, and at the same time these same firmwares are updated much less frequently than operating systems on workstations and servers, and this is precisely what attackers take advantage of. And IT personnel often, as they say, don’t even get around to properly configuring network equipment. So you can very often find a switch, router or point wireless access, where they did not have time to change the factory password, which are well known. If passwords are used, then this is often not a problem for attackers. Thus, hacking the WEP protocol takes a matter of minutes even on a smartphone. And this is exactly what many people use, including Russians. retail chains to protect their wireless networks. Methods of hacking and the more secure WPA protocol have appeared, but this process can already take hours.

Vulnerable equipment can be found using wardriving. This method can be quite time consuming but is cheap and easy to perform. This is exactly how the sensational hacks of American retail chains Target and TJX, during which several tens of millions were compromised credit cards, and the damage was measured in billions of dollars. But, again, you need to know well where the required information is.

Also, according to PwC, the number of incidents related to the activities of external companies is growing at an accelerated pace. However, this is usually due to the fact that the level of protection provided by external contractors is significantly lower, which attackers often take advantage of. It also happens that certain types of changes are made to information systems by developers, both in-house and external. As a rule, we are talking about regular transfers of money (very small) to the accounts of attackers. But such cases are not observed too often.

How to identify and counter attacks

As mentioned above, traditional means of protection, primarily antiviruses and firewalls, are ineffective against malware that is used in targeted attacks. So many information security practitioners recommend considering that an attack is already underway.

As a rule, the fact of an attack itself is detected due to the detection of an atypical network activity. For example, when the volume of network traffic suddenly increased for some unknown reason, which led to a noticeable increase in bills from the telecom operator. Or it was discovered that data flows go to a country in which there are definitely no suppliers, buyers, customers, or partners.

Naturally, you should not rely on the fact that one of the staff will discover such a fact and stop malicious activity. But classes of security tools such as attack detection and prevention systems (IDS/IPS) or event monitoring and correlation systems (SIEM) allow them to be identified. As the 2014 Cost of Cyber ​​Crime Study showed, those who implemented them saved an average of $5.3 million per company due to higher efficiency.

It is important to note that there are both IDS/IPD and SIEM systems with open source, which cost nothing to license. You just need to allocate server power, and these tools work great in a virtual environment. It is also worth recalling that the delivery package of most firewall software and hardware on the market also includes IDS/IPS systems, the capabilities of which may well be sufficient.

As a result, the entry barrier is not that high. However reverse side is the need for careful configuration, which, moreover, needs to be updated from time to time. At the same time, you also need a good knowledge of your own infrastructure. This, however, fully applies to commercial systems. A year ago, the Habrahabr portal hosted comparative testing leading IDS/IPS systems out of the box. The result was discouraging: the systems were allowed to best case scenario half of the attacks, and these were well-known scenarios (http://habrahabr.ru/company/it/blog/209714/).

For a SIEM system, it is also important to ensure the safety of event logs for quite a long time, with which problems often arise. They reach large volumes (up to tens of gigabytes per working day), but there is always not enough storage capacity. Plus, again, the need for careful setup by a qualified specialist.

Specialized tools are also appearing, aimed exclusively at combating targeted attacks, which are appearing in the arsenal of a number of vendors, including BlueCoat, CheckPoint, InfoWatch. However, this is a fairly young class of software with big amount“childhood diseases”, and should be used with some caution.

It is also necessary to regularly conduct penetration tests, and in conditions that are as close as possible to combat conditions. This is the only way to identify potential security holes that could be exploited by attackers.

Raising staff awareness is essential. It is necessary to regularly clarify what methods attackers can use, how to act in the conditions of certain incidents, and the like. The fewer those who could potentially follow the lead of attackers, the better.

Targeted attacks first became the subject of active discussions in the world community back in 2009. Then the Stuxnet attack became known. Perhaps we can say that this is where it began recent history targeted cyber attacks. Read more about what this type of cybercrime is and how such attacks can turn out in more detail in our material.
1. What are targeted attacks?
Targeted (or purposeful) attacks are pre-planned actions against a specific state or non-state entity or organization. As a rule, cybercriminals who carry out targeted attacks are professionals, they can be compared to traditional attackers who steal cars on demand: they have a specific target, they study the car’s security measures in order to successfully circumvent them.
Today, the activities of hackers are acquiring more and more features of traditional business. On Russian market there is a kind of “black market” - shadow schemes and places of sale software necessary to attack the IT infrastructure of a company. There are fixed prices that can be easily found on the Internet.
You can even find already established product lines: cybercriminal “companies” are expanding the sales funnel, preparing individual modifications of solutions taking into account various target segments. There are prices for botnets, and new versions of Trojans are being actively announced. You can even purchase targeted attack as a service. Cyber ​​attackers create their own development plans, which are also actively announced.
“Announcements, as a rule, are given in closed sources,” says Andrey Arefiev, product development manager at InfoWatch. – But, nevertheless, we can say that the modern botnet industry has all the signs of a full-fledged commercial products. According to independent research, the number of utilities used to build botnets has increased tenfold in recent years.
In addition, the nature of attacks has changed significantly in recent years: they have become very sophisticated. Today's attacks have become more ramified: the attacking party is trying to adapt to the company's own infrastructure and make the attack as invisible as possible. The attack must either be detected as late as possible or not detected at all. Therefore, such attacks, as a rule, are extended over time and become noticeable only when the time comes to actively manifest themselves.
Targeted attacks on IT infrastructure have the following characteristics:
џ They study the security system that the company has and bypass it.
џ The nature of the attacks has become more multi-stage: they can start on the secretary’s computer, and the final target will be the accountant’s computer - for example, the attackers’ task may be to install malware there.
“As an interim result, it can be noted that if you do not observe visible signs of an attack on the company’s IT infrastructure, this does not mean that it is not being attacked,” summarizes Andrey Arefiev.
2. Examples of targeted attacks.
According to a number of open sources, the “entry point” for introducing a Trojan virus program is often the insider activity of disloyal company employees. A similar example could be observed in Iran not long ago.
The main purpose of this attack was to contain the Iranian nuclear program. As far as is known, a sovereign state controlled enrichment nuclear centrifuges, and a number of facilities were transferred to emergency mode. Centrifuges quickly broke down and repairing them took time and money, so uranium enrichment was delayed. As we found out, this attack was planned in advance, carried out and carried out over a long period of time.
The goal of the attack was not to steal equipment, but to control industrial facilities. It’s scary to imagine what could happen if someone starts to control a nuclear power plant: transferring it to emergency mode threatens, at a minimum, with a second Chernobyl...
However, attackers are targeting not only strategically important objects and large government organizations. Recently, one owner of a business organization had the opportunity to see this personally. They tried to infect the company's server using contact vulnerabilities - the owner of the company was lucky in that only the accountant's computer was attacked.
Malware is a program that allows you to obtain unauthorized access to confidential information using vulnerabilities. Apply similar programs usually to gain primary access to the enterprise network. Typically, system injection means access to data when the system is rebooted. The “registration” of the executable module is to restart it each time.
Malicious software can end up on a company employee’s computer not only due to the latter’s malicious intent, but also as a result of social engineering used by hackers (for example, a cybercriminal may ask the victim to follow a particular link or visit a third-party resource).
As a result, the victim becomes available for attack, and attackers gain access to operating system employee's work computer. Now you can launch malicious files in order to subsequently gain control over your organization’s computers. The actions listed above are called “zero-day attacks.”
3. What data is most often stolen?
This largely depends on the profile of the company. The target of hackers may be industrial secrets and strategic developments of a closed plan, payment and personal data. It is interesting that, according to research, 63% of respondents understand that a targeted attack on their company is just a matter of time.
Methods for identifying targeted attacks:
1. Signature analysis.
Carrying out a signature analysis implies that analysts have a file infected with a virus. Studying such malware allows you to remove a signature (digital fingerprint) from it. After the signature is entered into the database, you can check the file for infection with this virus by simply comparing the signatures. The advantage of signature analysis is that it allows you to accurately diagnose an attack. If there is a file with a matching signature, then we can safely say that the computer is affected.
Signature analysis has a number of advantages:
џ It can be used not only to scan for viruses, but also to filter system traffic.
џ You can “sit” on the gateway and monitor the presence of certain unverified signatures.
џ It allows you to carry out diagnostic systems to counter attacks with great accuracy.
A significant disadvantage of signature analysis is the need to update the signature database. Most companies are forced to update the signature database every 15 minutes. At the same time, every half hour a new virus. Next comes a long process of registering and studying it, and only after this the signature is entered into the database. Until this moment, the company has been defenseless against the new virus.
Another method of studying previously identified malware is heuristic analysis.
The function of heuristic analysis is to check executable code for the presence of suspicious activity, characteristic of the activity of viruses. This technique is good because it does not depend on the relevance of any databases. However, heuristic analysis also has its drawbacks.
Due to the fact that all major antiviruses are known and available for use by everyone, hackers can test the written software and modify it until it bypasses all known means antivirus protection. Thus, the effectiveness of the main heuristic algorithms is reduced to nothing.
Another method of detecting targeted attacks involves the use of so-called next-generation firewalls, which, in addition to traditional capabilities, also allow traffic filtering. The main disadvantage of firewalls is excessive “suspiciousness”; they generate a large number of false positives. In addition, firewalls use technologies that can be deceived (sandboxing, heuristic analysis and signature analysis).
There is also another method of protection used to launch applications. The idea is very simple: the station can only launch individual applications (this is called WhiteListening). The downside is that such a “white list” must contain all applications that the user may need without exception. In practice, this method is, of course, quite reliable, but very inconvenient, as it slows down work processes.
Finally, there is a recently developed technology for dynamic attack detection, which is used in the InfoWatch Targeted Attack Detector product, says Andrey Arefiev. – This technology is based on the fact that the actions of attackers inevitably lead to modifications of enterprise IT systems. That's why InfoWatch solution periodically scans the organization's IT system, collecting information about the status of critical objects. The received data is compared with the results of past scans, then an intelligent analysis of the changes that have occurred is carried out to determine the presence of anomalies. When unknown malware is detected, a company analyst is involved in analyzing its actions and possible harm to the enterprise infrastructure.
- At what stage is it possible to classify an attack as targeted?
- In fact, identifying anomalies is the primary sign that there is a problem with your system, it is an indirect sign that the company is under attack. Moreover, the attack does not necessarily have to involve a Red October-level virus. As practice shows, a small Trojan periodically sent further is enough. In principle, this is enough to bring money to specific cyberattackers.
In general, I would like to note that targeted attacks are powerful tool to influence the corporate policies of large government and commercial organizations. That is why it is necessary to combat these types of cybercrimes systematically and carefully.
Grinev Sergey Olegovich, for the portal "Security Technologies" (RB)

VENIAMIN LEVTSOV, Vice President, Head of the Corporate Division of Kaspersky Lab
NIKOLAY DEMIDOV, technical consultant for information security at Kaspersky Lab

Anatomy of a targeted attack
Part 1

Every year, organizations improve their business tools, introducing new solutions, while simultaneously complicating their IT infrastructure. Now that the company is hanging mail server, is erased from the final workplaces important information or the operation of the automated system for generating invoices for payment is disrupted, business processes simply stop

Aware of the growing dependence on automated systems, business is also ready to increasingly care about information security. Moreover, the path to creating an information security system depends on the situation in a given specific organization - on the incidents that have taken place, the beliefs of specific employees - and is often formed “from below”, from individual information security subsystems to the overall picture.

As a result, a multi-stage, one-of-a-kind system is created, consisting of various products and service work, complex, usually unique for each company, where information security specialists can:

• scan files using endpoint security systems;
• filter email and web traffic using gateway solutions;
• monitor the integrity and immutability of files and system settings;
• monitor user behavior and respond to deviations from normal traffic patterns;
• scan the perimeter and internal network for vulnerabilities and weak configurations;
• implement identification and authentication systems, encrypt disks and network connections;
• invest in a SOC to collect and correlate logs and events from the subsystems mentioned above;
• order penetration tests and other services to assess the level of security;
• bring the system into compliance with the requirements of standards and carry out certifications;
• teach staff the basics of computer hygiene and solve an infinite number of similar problems.

But, despite all this, the number of successful ones, i.e. attacks on IT infrastructures that achieve their goal are not decreasing, but the damage from them is growing. How do attackers manage to overcome complex security systems, which are usually unique in their composition and structure?

The answer is quite short: by preparing and carrying out complex attacks that take into account the characteristics of the target system.

Concept of targeted attack

It's time to give a definition that, in our opinion, accurately reflects the concept of a targeted, or targeted, attack.

A targeted attack is a continuous process of unauthorized activity in the infrastructure of the attacked system, manually controlled remotely in real time.

Firstly, this is precisely a process - an activity in time, a certain operation, and not just a one-time technical action. Having analyzed such attacks, Kaspersky Lab experts note that their duration ranges from 100 days or more.

Secondly, the process is designed to work in a specific infrastructure, is designed to overcome specific security mechanisms, specific products, and involve specific employees in interaction. It should be noted that there is a significant difference in the approach of mass mailings of standard malware, when attackers pursue completely different goals - essentially, gaining control over a separate endpoint. In the case of a targeted attack, it is built around the victim.

Thirdly, this operation is usually managed by an organized group of professionals, sometimes international, armed with sophisticated technical tools, essentially a gang. Their activities are indeed very similar to a multi-stage military operation. For example, attackers compile a list of employees who could potentially become the “entry gate” to the company, establish contact with them on social networks, and study their profiles. After this, the task of gaining control of the victim’s work computer is solved. As a result, his computer is infected, and the attackers move on to seize control of the network and directly commit criminal acts.

In a targeted attack situation, do not computer systems fight with each other, and people: some attack, others repel a well-prepared attack, taking into account the weaknesses and features of counteraction systems.

Currently, the term APT (Advanced Persistent Threat) is becoming increasingly widespread. Let's look at its definition.

APT is a combination of utilities, malware, mechanisms for exploiting zero-day vulnerabilities, and other components specifically designed to implement this attack.

Practice shows that APTs are used repeatedly and repeatedly in the future to carry out repeated attacks with a similar vector against other organizations.

A targeted, or targeted, attack is a process, an activity. APT is a technical tool that allows you to implement an attack.

We can safely say that the active spread of targeted attacks is due, among other things, to a strong reduction in the cost and labor costs of implementing the attack itself. A large number of previously developed tools are available to hacker groups, sometimes there is no urgent need to create exotic malware from scratch. Most modern targeted attacks are based on previously created exploits and malware; only a small part uses completely new techniques, which are mainly classified as APT threats. Sometimes completely legal utilities created for “peaceful” purposes are used as part of an attack—we will return to this issue below.

Stages of a targeted attack

In this material, we would like to outline the main stages of a targeted attack, look inside, show the skeleton of the general model and the differences in the penetration methods used. The expert community has an idea that a targeted attack, as a rule, goes through four phases in its development (see Fig. 1).

The figure below shows the four phases of a targeted attack, demonstrating its life cycle. Let us briefly formulate the main purpose of each of them:

• Preparation– the main task of the first phase is to find a target, collect enough detailed private information about it, based on which, identify weak points in the infrastructure. Build an attack strategy, select previously created tools available on the black market, or develop the necessary ones yourself. Typically, planned penetration steps will be thoroughly tested, including undetectability by standard information security tools.
• Penetration– the active phase of a targeted attack, using various techniques of social engineering and zero-day vulnerabilities to initially infect the target and conduct internal reconnaissance. After reconnaissance is completed and the identity of the infected host (server/workstation) is determined, additional malicious code can be downloaded through the control center at the attacker’s command.
• Spreading– the phase of consolidation within the infrastructure, mainly on the victim’s key machines. Extend your control as much as possible, adjusting versions of malicious code if necessary through control centers.
• Achieving the goal– the key phase of a targeted attack; depending on the chosen strategy, the following can be used:
  • theft of classified information;
  • deliberate alteration of classified information;
  • manipulation of the company's business processes.

At all stages it is carried out required condition to hide traces of targeted attack activity. When an attack is completed, it often happens that cybercriminals create a “Point of Return” for themselves, allowing them to return in the future.

First phase of targeted attack - Preparation

Identifying the goal

Any organization can become a target for an attack. And it all starts with an order or general reconnaissance or, more precisely, monitoring. In the course of long-term monitoring of the global business landscape, hacker groups use publicly available tools, such as RSS feeds, official Twitter accounts of companies, and specialized forums where various employees exchange information. All this helps to identify the victim and the objectives of the attack, after which the group’s resources move to the active reconnaissance stage.

Collection of information

For obvious reasons, not a single company provides information about which technical means it uses, including information protection, internal regulations, etc. Therefore, the process of collecting information about the victim is called “reconnaissance.” The main task of reconnaissance is to collect targeted private information about the victim. All the little things are important here and will help identify potential weaknesses. The work can use the most non-trivial approaches to obtain private primary data, for example, social engineering. We will present several social engineering techniques and other intelligence mechanisms used in practice.

Methods of reconnaissance:

Insider. There is an approach to searching for recently fired company employees. A former employee of the company receives an invitation to a routine interview for a very tempting position. We know that an experienced recruiting psychologist is able to talk to almost any employee who is competing for a position. From such people they receive a fairly large amount of information to prepare and select an attack vector: from the network topology and the means of protection used to information about privacy other employees.

It happens that cybercriminals resort to bribing the people they need in a company who have information, or enter a circle of trust through friendly communication in public places.

Open sources. In this example, hackers take advantage of companies' unscrupulous attitude towards paper media, which is thrown into the trash without proper destruction; reports and inside information, or, for example, company websites that contain the real names of employees in public access. The data obtained can be combined with other social engineering techniques.

As a result of this work, the organizers of the attack may have enough full information about the victim, including:

• employee names, email, telephone;
• work schedule of company departments;
• internal information about processes in the company;
• information about business partners.

Government procurement portals are also a good source of information about the solutions that the customer has implemented, including information security systems. At first glance, the above example may seem insignificant, but in fact it is not. The information listed is successfully used in social engineering methods, allowing a hacker to easily gain trust by using the information received.

Social engineering.

• Telephone calls on behalf of internal employees.
• Social media.

Using social engineering, you can achieve significant success in obtaining confidential company information: for example, in the case phone call an attacker can introduce himself as an information service employee, ask the right questions, or ask to execute the desired command on the computer. Social networks are a good way to determine the circle of friends and interests of the right person; such information can help cybercriminals develop the right strategy for communicating with a future victim.

Strategy Development

Strategy is mandatory in the implementation of a successful targeted attack, it takes into account the entire plan of action at all stages of the attack:

• description of the stages of an attack: penetration, development, achievement of goals;
• social engineering methods, exploited vulnerabilities, bypass standard means security;
• stages of attack development taking into account possible emergency situations;
• consolidation within, increased privileges, control over key resources;
• data extraction, trace removal, destructive actions.

Creation of a stand

Based on the information collected, a group of attackers begins to create a stand with identical versions of the exploited software. A testing ground that makes it possible to test the penetration stages on an existing model. Practice various techniques for covert implementation and bypassing standard information security measures. Essentially, the stand serves as the main bridge between the passive and active phases of penetration into the victim's infrastructure. It is important to note that creating such a stand is not cheap for hackers. The cost of executing a successful targeted attack increases with each stage.

Development of a set of tools

Cybercriminals face a difficult choice: it is important for them to decide between the financial costs of purchasing ready-made tools on the shadow market and the labor costs and time to create their own. The shadow market offers a fairly wide selection of various instruments, which significantly reduces time, except in unique cases. This is the second step that distinguishes the targeted attack as one of the most resource-intensive among cyber attacks.

Let's look at the set of tools in detail. Typically, a Toolset consists of three main components:

1. Command center, or Command and Control Center(C&C). The basis of the attackers' infrastructure is C&C command and control centers, which ensure the transmission of commands to controlled malicious modules, from which they collect the results of their work. The focus of the attack is the people carrying out the attack. Most often, centers are located on the Internet by providers providing hosting, colocation and rental services. virtual machines. The update algorithm, like all algorithms for interaction with “hosts,” can change dynamically along with malicious modules.

2. Penetration tools solve the problem of “opening the door” of an attacked remote host:

• Exploit– malicious code that exploits software vulnerabilities.
• Validator– malicious code is used in cases of primary infection; it is capable of collecting information about the host, transferring it to C&C for further decision-making on the development of the attack or its complete cancellation on a specific machine.
• Downloader for the Dropper delivery module. The downloader is extremely often used in social engineering attacks and is sent as an attachment in email messages.
• Dropper delivery module– a malicious program (usually a Trojan), the task of which is to deliver the main Payload virus to the victim’s infected machine, designed to:
  • securing inside an infected machine, hidden startup, process injection after the machine is rebooted;
  • Inject into a legitimate process to download and activate the Payload virus over an encrypted channel, or extract and launch an encrypted copy of the Payload virus from disk.

Code execution occurs in an injected legitimate process with system rights, such activity is extremely difficult to detect using standard security tools.

3. Payload virus body. The main malicious module in a targeted attack, downloaded onto an infected Dropper host, can consist of several functional additional modules, each of which will perform its own function:

• keylogger;
• screen recording;
• remote access;
• intra-infrastructure distribution module;
• interaction with C&C and updating;
• encryption;
• cleaning traces of activity, self-destruction;
• reading local mail;
• searching for information on disk.

As we can see, the potential of the considered set of tools is impressive, and the functionality of the modules and techniques used can vary greatly depending on the target attack plans. This fact emphasizes the uniqueness of this type of attack.

To summarize, it is important to note the growth of targeted attacks directed against companies in various market sectors, the high complexity of their detection and the colossal damage from their actions, which cannot be guaranteed to be detected later long term. According to Kaspersky Lab statistics, on average, detection of a targeted attack occurs 200 days after its activity, which means that hackers not only achieved their goals, but also controlled the situation for more than half a year.

Also, organizations that have discovered the presence of APT in their infrastructure are not able to properly respond and minimize risks and neutralize activity: this is simply not what information security personnel are trained to do. As a result, every third company suspends its operations for more than one week in an attempt to regain control of its own infrastructure, then faced with a complex incident investigation process.

According to a Kaspersky Lab survey, losses as a result of a major incident amount to a global average of $551,000 for a corporation: this amount includes lost business opportunities and system downtime, as well as costs for professional services to eliminate the consequences. (Research data " Information Security business" conducted by Kaspersky Lab and B2B International in 2015. More than 5,500 IT specialists from 26 countries, including Russia, took part in the study.)

The following articles in the “Anatomy of a Targeted Attack” series will tell you how an attack develops, methods of bypassing standard security measures and exploiting zero-day threats, social engineering, spreading and hiding traces when key information is stolen, and much more.

In contact with

Targeted attacks first became the subject of active discussions in the world community back in 2009. Then the Stuxnet attack became known. Perhaps we can say that this is where the recent history of targeted cyber attacks began. Read more about what this type of cybercrime is and how such attacks can turn out in more detail in our material.

What are targeted attacks?

Targeted (or purposeful) attacks are pre-planned actions against a specific state or non-state entity or organization. As a rule, cybercriminals who carry out targeted attacks are professionals, they can be compared to traditional attackers who steal cars on demand: they have a specific target, they study the car’s security measures in order to successfully circumvent them.

Today, the activities of hackers are acquiring more and more features of traditional business. There is a kind of “black market” on the market - shadow schemes and places for selling software necessary to attack the IT infrastructure of a particular company. There are fixed prices that can be easily found on the Internet.

You can even find already established product lines: cybercriminal “companies” are expanding the sales funnel, preparing individual modifications of solutions taking into account various target segments. There are prices for botnets, and new versions of Trojans are being actively announced. You can even purchase targeted attack as a service. Cyber ​​attackers create their own development plans, which are also actively announced.

Announcements, as a rule, are given in closed sources,” says Andrey Arefiev, product development manager at InfoWatch. – But, nevertheless, we can say that the modern botnet industry has all the features of full-fledged commercial products. According to independent research, the number of utilities used to build botnets has increased tenfold in recent years.

In addition, the nature of attacks has changed significantly in recent years: they have become very sophisticated. Today's attacks have become more ramified: the attacking party is trying to adapt to the company's own infrastructure and make the attack as invisible as possible. The attack must either be detected as late as possible or not detected at all. Therefore, such attacks, as a rule, are extended over time and become noticeable only when the time comes to actively manifest themselves.

Targeted attacks on IT infrastructure have the following characteristics:

• They study the security system that the company has and bypass it.
• The nature of the attacks has become more multi-stage: they can start on the secretary’s computer, and the final target will be the accountant’s computer - for example, the attackers’ task may be to install malware there.

As an interim result, it can be noted that if you do not observe visible signs of an attack on the company’s IT infrastructure, this does not mean that it is not being attacked,” summarizes Andrey Arefiev.

Examples of targeted attacks

According to a number of open sources, the “entry point” for introducing a Trojan virus program is often the insider activity of disloyal company employees. A similar example could be observed in Iran not long ago.

The main purpose of this attack was to contain the Iranian nuclear program. As far as is known, a sovereign state controlled enrichment nuclear centrifuges, and a number of facilities were transferred to emergency mode. Centrifuges quickly broke down and repairing them took time and money, so uranium enrichment was delayed. As we found out, this attack was planned in advance, carried out and carried out over a long period of time.

The goal of the attack was not to steal equipment, but to control industrial facilities. It’s scary to imagine what could happen if someone starts to control a nuclear power plant: transferring it to emergency mode threatens, at a minimum, with a second Chernobyl...

However, not only strategically important facilities and large government organizations become targets of attackers. Recently, one owner of a business organization had the opportunity to see this personally. They tried to infect the company's server using contact vulnerabilities - the owner of the company was lucky in that only the accountant's computer was attacked.

Malware is a program that allows unauthorized access to confidential information through vulnerabilities. Such programs are usually used to obtain primary access to an enterprise network. Typically, system injection means access to data when the system is rebooted. The “registration” of the executable module is to restart it each time.

Malicious software can end up on a company employee’s computer not only due to the latter’s malicious intent, but also as a result of social engineering used by hackers (for example, a cybercriminal may ask the victim to follow a particular link or visit a third-party resource).

As a result, the victim becomes available for attack, and the attackers gain access to the operating system of the employee's work computer. Now you can launch malicious files in order to subsequently gain control over your organization’s computers. The actions listed above are called “zero-day attacks.”

What data is most often stolen?

This largely depends on the profile of the company. The target of hackers may be industrial secrets and strategic developments of a closed plan, payment and personal data. It is interesting that, according to research, 63% of respondents understand that a targeted attack on their company is just a matter of time.

Methods for identifying targeted attacks:

Signature analysis.

Carrying out a signature analysis implies that analysts have a file infected with a virus. Studying such a malicious program allows you to remove its signature (digital fingerprint). After the signature is entered into the database, you can check the file for infection with this virus by simply comparing the signatures. The advantage of signature analysis is that it allows you to accurately diagnose an attack. If there is a file with a matching signature, then we can safely say that the computer is affected.

Signature analysis has a number of advantages:

• It can be used not only to scan for viruses, but also to filter system traffic.
• You can “sit down” at the gateway and monitor the presence of certain unverified signatures.
• It allows you to carry out diagnostic systems to counter attacks with great accuracy.

A significant disadvantage of signature analysis is the need to update the signature database. Most companies are forced to update the signature database every 15 minutes. At the same time, a new virus appears in the world every half hour. Next comes a long process of registering and studying it, and only after this the signature is entered into the database. Until this moment, the company has been defenseless against the new virus.

Another method for studying previously identified malware is heuristic analysis.

The function of heuristic analysis is to check executable code for the presence of suspicious activity, characteristic of the activity of viruses. This technique is good because it does not depend on the relevance of any databases. However, heuristic analysis also has its drawbacks.

Due to the fact that all major antiviruses are known and available for use by everyone, hackers can test written software and modify it until it bypasses all known antivirus protection tools. Thus, the effectiveness of the main heuristic algorithms is reduced to nothing.

Another method of detecting targeted attacks involves the use of so-called next-generation firewalls, which, in addition to traditional capabilities, also allow traffic filtering. The main disadvantage of firewalls is their excessive “suspiciousness”; they generate a large number of false positives. In addition, firewalls use technologies that can be deceived (sandboxing, heuristic analysis and signature analysis).

There is also another method of protection used to launch applications. The idea is very simple: the station can only launch individual applications (this is called WhiteListening). The downside is that such a “white list” must contain all applications that the user may need without exception. In practice, this method is, of course, quite reliable, but very inconvenient, as it slows down work processes.

Finally, there is a recently developed technology for dynamic attack detection, which is used in the InfoWatch Targeted Attack Detector product, says Andrey Arefiev. – This technology is based on the fact that the actions of attackers inevitably lead to modification of the enterprise’s IT systems. Therefore, the InfoWatch solution periodically scans the organization's IT system, collecting information about the status of critical objects. The received data is compared with the results of past scans, then an intelligent analysis of the changes that have occurred is carried out to determine the presence of anomalies. When unknown malware is detected, a company analyst is involved in analyzing its actions and possible harm to the enterprise infrastructure.

- At what stage is it possible to classify an attack as targeted?

In fact, identifying anomalies is the primary sign that your system is going wrong and is an indirect sign that the company is under attack. Moreover, the attack does not necessarily have to involve a Red October-level virus. As practice shows, a small Trojan periodically sent further is enough. In principle, this is enough to bring money to specific cyberattackers.

In general, I would like to note that targeted attacks represent a powerful tool for influencing the corporate policies of large government and commercial organizations. That is why it is necessary to combat these types of cybercrimes systematically and carefully.

Elena Kharlamova