Automated cyber attacks have been common for some years. Attackers build automation tools and then use them to find exploitable vulnerabilities. By rapidly attacking many potentially vulnerable systems, they have usually managed to find some that they can compromise.
However, there is a growing trend in more targeted attacks. Automation can be predicted, and the security industry has responded to the threat. A targeted attack, however, is not predictable. An attacker can continue to try different techniques if security measures initially prevent them from making progress.
Supply Chain Attacks
A type of targeted attack, a supply chain attack attempts to cause damage to an organisation by finding weaknesses in products and services it is supplied with.
For example, Stuxnet was thought to specifically target energy infrastructure in Iran.
By depositing malware inside an otherwise legitimate piece of software, and before it is provided to the organisation, the attacker can avoid security measures the organisation has put in place.
Living off the Land
Living off the Land (or LotL) is another targeted attack, where an attacker identifies a vulnerability and then uses tools that already exist within the target system to carry out their attack. Such tools include PowerShell scripts, VB scripts and documents with macros; an attacker may also gain their initial access by compromising Remote Desktop Protocol (RDP) access through a brute-force attack.
One example of a large attack that used LotL methods was the NotPetya variant of the Petya ransomware, which also used a supply chain attack. It is thought that the update utility of a common application used in Ukraine was compromised to commence the attack.
How to protect against targeted attacks
Some simple steps apply to numerous security threats as well as targeted attacks, including:
- ensuring that systems are kept up to date (i.e. patching);
- using strong passwords for all accounts;
- being cautious when receiving unexpected or suspicious emails; and
- being cautious with Microsoft Office documents that request macros are enabled.
Other steps that can be taken specifically to reduce the risks of targeted attack include:
- reviewing the built-in tools that are operating on systems;
- considering application whitelisting; and
- implementing multi-factor authentication.
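Reviewing the built-in tools that are operating on systems, and watching for the RDP brute-force path mentioned above, can be turned into concrete detection logic. The following added example (not part of the original article) runs two such checks over constructed, simplified event records: an Office application starting a scripting host (the usual trace of an enabled macro), and repeated failed RDP logons from one source. The field names are an assumption modelled loosely on Windows Security auditing (event 4688 process creation, event 4625 failed logon, logon type 10 for RDP).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not taken from a real host. Field names are a
# simplification of Windows Security auditing: 4688 = process creation,
# 4625 = failed logon, logon_type 10 = RemoteInteractive (RDP).
EVENTS = [
    {"time": "2023-05-01T09:00:01", "id": 4688, "host": "ws01",
     "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"time": "2023-05-01T09:00:05", "id": 4688, "host": "ws02",
     "parent": "explorer.exe", "image": "powershell.exe"},   # admin use, benign
    {"time": "2023-05-01T09:01:00", "id": 4688, "host": "ws03",
     "parent": "EXCEL.EXE", "image": "wscript.exe"},
] + [  # 12 failed RDP logons from one address within 22 seconds
    {"time": f"2023-05-01T10:00:{s:02d}", "id": 4625, "host": "rdp01",
     "logon_type": 10, "src": "203.0.113.5", "user": f"user{s}"}
    for s in range(0, 24, 2)
] + [  # a single mistyped password: should not be flagged
    {"time": "2023-05-01T10:30:00", "id": 4625, "host": "rdp01",
     "logon_type": 10, "src": "198.51.100.7", "user": "alice"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def office_spawning_script_host(events):
    """Process creations where an Office app is the parent of a built-in
    scripting host: a macro that has been enabled, running LotL tooling."""
    return [e for e in events
            if e["id"] == 4688
            and e["parent"].lower() in OFFICE_APPS
            and e["image"].lower() in SCRIPT_HOSTS]


def rdp_bruteforce_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Source addresses with at least `threshold` failed RDP logons inside
    any sliding time window of length `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            failures[e["src"]].append(datetime.fromisoformat(e["time"]))
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)
```

Tuning the threshold and window against the organisation's own logon volume is what turns this from a toy into a usable alert.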