Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, we think it is much more important to ask: what information about the attacker can help organizations protect themselves better?
Let’s look at things from the perspective of a network administrator trying to defend their organization. If someone wants to determine who was behind an attack on their organization, maybe the first thing they’ll do is use IP address geolocation to try to determine where the attacker is. However, say an attack was traced to a web server in Korea. What’s to say that whoever was responsible for the attack didn’t also compromise that server? What makes you think that site’s owner will cooperate with your investigation?
With sophisticated attackers, it’s quite common for them to bounce from one compromised machine to another. You can try to trace back as far as you can, but that will rarely tell you anything about the attacker. We don’t really have access to the kind of information about attackers that, say, intelligence agencies may have. We have open source databases, but those only go so far. Sometimes the attackers make mistakes – that’s when we’re able to talk about who they are, who they targeted, and so on. But if you’re defending an organization, you can’t count on that.
Knowing what kind of attack you’re up against
That’s not to say that you should completely ignore who’s attacking you. Instead of who they are, what matters more is what they are capable of. For example, if someone is attacking you with tools that any script kiddie could pick up from some part of the Internet, it’s probably not a serious threat. If someone is attacking you with fresh vulnerabilities and well-crafted malware, pay attention.
Their capabilities may also reflect what their intentions are. For example, vandalism (such as website defacement) is more likely to be the goal of a hacktivist, not a nation-state. Understanding what kind of adversary you face gives you insight into their motives. The most frequent goal of many attacks, however, is to steal data. Sometimes it is financial data that can be monetized right away, like payment information. Sometimes it is more sensitive information, like company secrets.
It doesn’t have to be that a breach occurs in one giant leak that ends up on the front page of every tech news website. It can be more gradual: it could be a backdoor inside your network that’s been there for months, slowly leaking information without anyone being the wiser. If anything, that’s what a lot of attackers want: a constant stream of information from their target. Access, in and of itself, could become a commodity as well: imagine an ad in the cybercrime underground that says, “For $10000 I’ll give you access to Company A.” Imagine if you’re a network administrator for Company A and you see that.
Defense against bad intentions
So, how do you defend against all this? Breach detection is now of paramount importance. Understand what is normal and what isn’t within your network so that you can quickly find what’s not normal and, therefore, possibly malicious. You can no longer assume that perimeter defenses will be able to prevent all attacks from reaching your organization; instead you have to assume that some sort of compromise will eventually take place and work on detecting such a breach as soon as possible.
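To make “understand what is normal and what isn’t” concrete, here is an added example (not code from the original post or from Trend Micro) that builds a per-host baseline from a constructed sample of outbound connection logs and then flags deviations in a later observation window. It covers both the slow, steady leak described earlier (an unknown destination contacted on several different days) and the louder alternative (a single transfer far above the usual size). The log format, host name, destinations, thresholds and the one-hour tolerance around working hours are all assumptions made for this demonstration.

```python
"""Baseline-and-deviation detection over constructed outbound connection logs.

Added example, not code from the original article. The log format, host
names, destinations and thresholds are all assumptions made for this demo.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline: a few days of known-good outbound connections for one
# workstation. Fields: timestamp, source host, destination, bytes sent.
BASELINE_LOG = """\
2024-03-01T09:12:00 ws-17 updates.example-vendor.test 20480
2024-03-01T09:15:00 ws-17 mail.example-corp.test 5120
2024-03-02T10:02:00 ws-17 updates.example-vendor.test 19870
2024-03-02T10:30:00 ws-17 mail.example-corp.test 6100
2024-03-03T09:40:00 ws-17 updates.example-vendor.test 21010
"""

# Constructed observation window: the same host after a hypothetical compromise.
OBSERVED_LOG = """\
2024-03-10T02:13:00 ws-17 updates.example-vendor.test 20100
2024-03-10T02:14:00 ws-17 198.51.100.23 48000
2024-03-11T02:12:00 ws-17 198.51.100.23 51000
2024-03-12T02:15:00 ws-17 198.51.100.23 47500
2024-03-12T10:05:00 ws-17 mail.example-corp.test 88000
2024-03-13T02:13:00 ws-17 198.51.100.23 49900
2024-03-13T11:00:00 ws-17 mail.example-corp.test 5900
"""


def parse_log(text):
    """Parse 'timestamp host destination bytes' lines into record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, host, dst, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "dst": dst, "bytes": int(nbytes)})
    return records


def build_baseline(records):
    """Summarise what is 'normal' per host: destinations it talks to, the
    hours it is active, and the largest transfer seen per destination."""
    dests = defaultdict(set)
    hours = defaultdict(set)
    max_bytes = defaultdict(int)
    for r in records:
        dests[r["host"]].add(r["dst"])
        hours[r["host"]].add(r["ts"].hour)
        key = (r["host"], r["dst"])
        max_bytes[key] = max(max_bytes[key], r["bytes"])
    # Widen the observed active hours by one hour on each side so that a
    # slightly early or late login does not trip the off-hours rule.
    windows = {h: (min(hs) - 1, max(hs) + 1) for h, hs in hours.items()}
    return {"dests": dict(dests), "windows": windows, "max_bytes": dict(max_bytes)}


def detect_deviations(baseline, records, min_days=3, spike_factor=2):
    """Return (rule, host, dst, detail) alerts for traffic that departs from
    the baseline. Three per-record rules: never-seen destination, activity
    outside the host's usual hours, and a single transfer far above the usual
    size. A fourth rule fires when an unknown destination is contacted on
    several different days, the pattern of a slow, steady leak."""
    alerts = []
    unknown_days = defaultdict(set)
    for r in records:
        host, dst, when = r["host"], r["dst"], r["ts"]
        known = dst in baseline["dests"].get(host, set())
        if not known:
            alerts.append(("new_destination", host, dst, when.isoformat()))
            unknown_days[(host, dst)].add(when.date())
        lo, hi = baseline["windows"].get(host, (0, 23))
        if not lo <= when.hour <= hi:
            alerts.append(("off_hours", host, dst, when.isoformat()))
        usual = baseline["max_bytes"].get((host, dst))
        if usual is not None and r["bytes"] > spike_factor * usual:
            alerts.append(("volume_spike", host, dst,
                           f"{r['bytes']} bytes vs usual max {usual}"))
    for (host, dst), days in unknown_days.items():
        if len(days) >= min_days:
            alerts.append(("recurring_unknown_destination", host, dst,
                           f"contacted on {len(days)} distinct days"))
    return alerts


def run_example():
    """Build the baseline from BASELINE_LOG and check OBSERVED_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_deviations(baseline, parse_log(OBSERVED_LOG))


if __name__ == "__main__":
    found = run_example()
    for rule, host, dst, detail in found:
        print(f"{rule:30} {host} -> {dst}  ({detail})")
    print(Counter(rule for rule, *_ in found))
```

On the constructed data the single `recurring_unknown_destination` alert is the one worth a call: it is low volume each night, so a size threshold alone would never catch it, and the off-hours rule fires on a legitimate update check as well, which is why a baseline of several dimensions (destinations, hours, sizes, recurrence) beats any one of them on its own.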
Congruent with that, there has to be an incident response plan in place. Particularly for serious, large-scale breaches, it is extremely important to know what to do, acquire the necessary tools, have the right people, and provide the appropriate training so that when a major incident occurs, people can respond according to a carefully thought out plan, instead of reacting in a hurried, panicking manner. An ill-prepared response can cause significant damage to an organization, both in material terms and in regards to its reputation.
This is happening at a time when organizations know the importance of cybersecurity. Years ago, after a security incident, a hapless system administrator – or maybe a middle-ranking manager – would have been held responsible and fired. Now? CIOs and CISOs get fired for security breaches. It’s good that companies now take this seriously, but if you’re one of those CIOs or CISOs – that may not be good for you.
So, in short: do attribution and motives matter? Attribution is interesting, but from the point of view of defense, motives matter more. Motives shape how threat actors behave once inside your network – and that, in turn, influences how you should set up your own defenses.
In order to strengthen your knowledge of targeted attacks and what can be done to defend against them, we’ve launched the Understanding Targeted Attacks campaign in our Targeted Attacks Hub where we revisit the definition of targeted attacks, and what you can learn from our analysis of these attacks. You can check our introductory piece, Understanding Targeted Attacks: What is a Targeted Attack?