Cyber attacks come in many forms, and most are a source of enormous frustration and anger for corporate security and compliance teams. Few attacks, however, are as frustrating – and dangerous – as a targeted attack.
Targeted attacks are more like the cyber equivalent of hand-to-hand combat rather than a quick fleecing from online criminals looking for a quick score. They are formidable threats, capable of enormous damage, and require dedicated counter-strategies to fight them off.
What is a targeted cyber attack, precisely? Why are hackers and cybercriminals targeting specific industries or organizations in recent years? And why is “cyber resilience” critical to resist such attack strategies?
This detailed guide addresses all these critical questions and explores five proven strategies to help you build cyber resilience to protect your organization from targeted cyberattacks.
What Is a Targeted Cyber Attack?
Historically, attackers launched attacks against as many organizations, users, devices, and services as possible. These “untargeted” attacks are akin to “spray and pray” marketing: send out generic content to a mass audience without personalizing the messaging to attract a particular demographic, and hope for the best. For criminals seeking a quick financial score, that’s often all they need to do.
A targeted cyberattack focuses on attacking one company (or group of companies) in one industry. In some cases, the attacker may narrow his scope even further to a group of employees or a specific employee. Spear phishing is an example of this latter type of targeted attack.
Other kinds of targeted attacks may involve:
- Targeted data breaches via malware attacks or zero-day attacks;
- Deploying a botnet to initiate a distributed denial of service (DDoS) attack against a particular organization;
- Attacking the software supply chain to attack one or more organizations using that software;
- Man-in-the-middle (MitM) attacks where an attacker “listens in” on legitimate communications;
- DNS (domain name system) spoofing to redirect a company website’s traffic to a malicious website.
A targeted cyberattack has three key features:
- The attacker spends time and resources to scope out the target before the attack.
- The goal is specific, such as to steal sensitive data or to establish a presence inside the target’s systems for spying or corporate espionage.
- The attacker looks beyond a one-off payload or initial network penetration to a persistent threat and ongoing data infiltration.
A targeted cyberattack is not the same as an advanced persistent threat (APT). APTs are usually targeted at defense contractors, government agencies, and other “really big fish.” In contrast, small groups of hackers are behind targeted attacks, focusing on specific industries or companies.
Stages of a Targeted Cyber Attack
Almost all targeted attacks follow a multi-stage approach:
Reconnaissance
The attacker surveys the target, gathers information about its systems and infrastructure, and looks for potential vulnerabilities to exploit to launch a successful attack. To find information about the target, the attacker may use:
- Social networks;
- Domain name management services;
- Commodity toolkits and techniques;
- Network scanning tools.
The attacker may also employ social engineering to trick authorized users into sharing less well-known information, and then use that information to launch the targeted attack.
Preparation and Delivery
The threat actor prepares to exploit the vulnerability by identifying the threat vector and selecting the best delivery path. The attacker may attempt to install malware on a target’s devices by sending phishing emails containing malicious attachments. Fake websites may be used to attract users to visit them and share personal details or login information.
Exploitation
The attacker exploits the identified vulnerability to gain access to the target’s accounts or systems. For this, the attacker may impersonate legitimate users and use their access rights and privileges.
Persistence
The attacker attempts to establish a persistent presence in the target’s networks and systems to disrupt normal business operations, retrieve intellectual property or sensitive information, or compromise systems for their own benefit.
The Most Common Types of Targeted Cyber Attacks
Modern-day targeted cyberattacks are often sophisticated, persistent campaigns with a long-term focus. The attacker tries to get a foothold in an organization’s IT infrastructure so that he or she can damage systems, exfiltrate sensitive information, or disrupt operations. Some of the most common types of attacks are described below.
Targeted Data Breaches
In a targeted data breach, attackers pursue specific organizations to obtain confidential, sensitive, or protected information. The attackers may use one or more methods to gain unauthorized access to your enterprise networks. Once they’re in, they may steal user login credentials, personally identifiable information, business plans, or intellectual property.
A data breach can haunt a company for years. The 2017 Equifax breach exposed the personal data of more than 145 million people; more than three years later, Equifax was still paying damages. As part of a proposed settlement with the Federal Trade Commission, the company agreed to pay up to $700 million to settle with regulators.
Some common targeted attacks that often result in data breaches are:
Malware Attacks
The attackers may trick a legitimate user into opening a malicious attachment or clicking on a malicious link in an email. Then they inject malicious software (malware) into the user’s system, which can spread across your entire network and leave the organization vulnerable to further breaches.
Zero-Day Attacks
Attackers often look for and exploit previously unknown vulnerabilities in enterprise software to launch “zero-day attacks.” The attacker attempts to launch exploits before the organization has a chance to identify and patch the vulnerability.
DoS and DDoS Attacks
In a denial-of-service (DoS) attack, threat actors aim to damage or crash enterprise networks by overloading servers with fake requests. This overload prevents legitimate users such as employees from accessing the IT resources they need, disrupting day-to-day business operations.
A distributed denial-of-service (DDoS) attack also aims to interrupt regular services. In this case, however, attackers use multiple infected machines collectively known as a botnet, managed by a command-and-control (C&C) server, to launch the attack and flood the target with fake traffic.
Spear Phishing
A cousin to untargeted phishing tactics, spear phishing is also a social engineering tactic that involves emails and malicious attachments. This particular type of phishing attack, however, targets specific individuals within an organization. The attacker does prior research on the target individual or groups of individuals like C-suite leaders or board members. The target is usually someone who has access to sensitive data or is involved in confidential or high-profile operations.
A spear phishing campaign attempts to gain the target’s trust by including information specific to the target, such as the person’s name and job title. It persuades the target to carry out the desired action, such as clicking on an infected link in the email, providing sensitive information on a fake website, or opening an attachment – and downloading malware.
Supply Chain Attacks
In a supply chain attack, threat actors take advantage of a software application to attack the companies using that application. This happened with the SolarWinds supply chain attack of 2020.
In the SolarWinds attack, attackers slipped malicious code into SolarWinds’ Orion network monitoring software, which SolarWinds customers then installed as part of their regular software patching efforts. By compromising the application at the source, the attackers could target many U.S. government institutions using Orion, including:
- Department of Defense;
- Treasury Department;
- Homeland Security Department;
- Department of Commerce;
- Department of State;
- Department of Energy;
- National Nuclear Security Administration.
Because reconnaissance is the first step of a targeted attack, threat actors can identify which organizations use a particular software product and then reach all of them at once by compromising that product.
Man-in-the-Middle Attacks
A man-in-the-middle attack is a relatively common targeted attack where threat actors interject themselves into the organization’s communication process to:
- Silently steal data or information;
- Alter the content of legitimate messages between authorized participants;
- Impersonate one or more authorized participants;
- Gather further intelligence about their targets.
To become a “man in the middle,” the attacker may use various techniques:
ARP Spoofing or Cache Poisoning
The attacker injects false address mappings into the network’s ARP caches. When a legitimate user connects to the network, the attacker reroutes that user’s traffic through his own device.
HTTPS Spoofing
A bad actor sets up an HTTPS website that looks like a legitimate site with valid authentication certificates. The URL of the fake website, however, is slightly different from the authentic website. Most users cannot see this difference and proceed to interact with the fake website, clicking on links and entering information.
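A defender-side check for the “slightly different URL” trick described above, added here as an example and not taken from the original article: it classifies a URL’s host as trusted, a lookalike of a trusted domain, or unrelated. The trusted domain list, the confusable-character table, and the sample URLs are constructed assumptions; a real deployment would load the domains from an inventory and use a public-suffix list instead of the two-label simplification.

```python
"""Flag URLs whose host imitates a trusted domain.

Added example, not code from the original article. TRUSTED_DOMAINS,
CONFUSABLES and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumption: the organisation's own domains, normally loaded from an inventory.
TRUSTED_DOMAINS = ["example.com", "login.example.com"]

# Substitutions that produce visually similar labels (a small, illustrative set).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Replace confusable characters so 'examp1e' and 'exarnple' both read 'example'."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (a simplification; a public-suffix list is more accurate)."""
    return ".".join(host.split(".")[-2:])


def classify_host(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    reg = registrable_domain(host)
    for t in trusted:
        t_reg = registrable_domain(t)
        # trusted name embedded as a subdomain of some other domain
        if t + "." in host:
            return "lookalike"
        # trusted second-level label reused inside another label (example-support.net)
        if t_reg.split(".")[0] in reg.split(".")[0]:
            return "lookalike"
        # confusable characters, or only a couple of edits away
        if normalize(reg) == normalize(t_reg) or edit_distance(reg, t_reg) <= max_distance:
            return "lookalike"
    return "unrelated"


def classify_url(url: str) -> str:
    """Classify the host part of a full URL; anything without a host is 'invalid'."""
    host = urlsplit(url).hostname
    return classify_host(host) if host else "invalid"


if __name__ == "__main__":
    for sample in ["https://login.example.com/reset", "https://examp1e.com/login",
                   "https://login.example.com.evil.net/", "https://github.com/"]:
        print(classify_url(sample), sample)
```

Run over a mail gateway’s or proxy’s URL stream, the “lookalike” verdict is the one worth alerting on; “unrelated” hosts are ordinary third-party traffic and “trusted” ones are your own.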
Session Hijacking
In this targeted MitM attack, the attacker waits for a user to log into a web page. Then the attacker steals the user’s session cookie to log into that same account from his own browser. This stolen session allows the attacker to infiltrate your enterprise network and get a stronger foothold into your infrastructure.
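Because session hijacking turns on the session cookie, one concrete mitigation is to make sure that cookie carries the attributes that limit where a browser will send it and for how long it stays valid. The audit below is an added example, not code from the original article: it parses Set-Cookie headers and reports missing Secure, HttpOnly and SameSite attributes, a Domain attribute that shares the cookie with every subdomain, and lifetimes beyond a policy limit. The header samples, the session-name hints and the MAX_SESSION_AGE policy value are constructed assumptions.

```python
"""Audit Set-Cookie headers for attributes that limit what a stolen session cookie is worth.

Added example, not code from the original article. The header values are
constructed samples; MAX_SESSION_AGE and SESSION_NAME_HINTS are assumed policy.
"""

# Assumed policy: a session cookie should not outlive one working day (seconds).
MAX_SESSION_AGE = 8 * 60 * 60
# Name fragments that usually mark a cookie as carrying a session or auth token.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into its parts (attribute names lower-cased)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_cookie(header: str) -> list:
    """Return findings for one Set-Cookie header; an empty list means it passed."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser may send it over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script injected into the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if "domain" in attrs:
        findings.append("Domain set: cookie is shared with every subdomain")
    max_age = attrs.get("max-age", "")
    if "expires" in attrs or (max_age.isdigit() and int(max_age) > MAX_SESSION_AGE):
        findings.append(f"lifetime exceeds policy of {MAX_SESSION_AGE}s")
    return findings


def audit_response_headers(headers: list) -> dict:
    """Audit only the session-like cookies among a response's Set-Cookie headers."""
    report = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if looks_like_session_cookie(cookie["name"]):
            report[cookie["name"]] = audit_cookie(header)
    return report


if __name__ == "__main__":
    # Constructed sample response: one weak session cookie and one harmless preference cookie.
    sample = ["sid=abc123; Path=/; Secure; SameSite=None; Max-Age=31536000; Domain=example.com",
              "theme=dark; Path=/"]
    for name, findings in audit_response_headers(sample).items():
        print(name, findings or "ok")
```

The checks are deliberately conservative: a cookie that passes is still stealable by malware on the endpoint, but it can no longer be read by injected script, will not travel over plaintext HTTP or on cross-site requests, and stops working within the policy window.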
DNS Spoofing Attacks
In DNS spoofing (also known as DNS cache poisoning), the attacker introduces incorrect DNS data into the organization’s domain name system resolver cache. The goal is to redirect legitimate online traffic to another fraudulent website. This website may look like the original website, so users may not be able to distinguish between the two.
Once users land on the fake website, they are prompted to log into what appears to be their account. This allows the perpetrator to steal the users’ access credentials or other sensitive information. The threat actor may also use this method to install a virus or worm on users’ devices, gaining long-term access so that the attacker can steal data over an extended period.
Strategies for a Cyber Resilience Plan
Strong cybersecurity is critical to deal with targeted attacks and minimize their potential damage. In the post-COVID era, bad actors are looking to take advantage of fears, uncertainties, and confusion. They try to find the most vulnerable organizations and target them with security breaches, ransomware attacks, phishing scams, and more.
Like most organizations worldwide, your company may have also adopted a new business model centered around remote work to maintain business continuity. But this opens you up to unknown risks in an ever-expanding cyberthreat landscape.
To protect your organization and its assets from targeted cyberattacks, it’s not enough simply to implement cybersecurity tools and short-term incident response plans. It’s also crucial to think about cybersecurity in the context of business strategy, crisis management, and business continuity. Here’s where a cyber resilience plan comes in.
What Is Cyber Resilience?
Cyber resilience (also known as cyber resiliency) is an organization’s ability to continue to operate even during a cyber attack. In a cyber-resilient organization, leaders and cybersecurity teams are aware of the latest cyber threats. Comprehensive and up-to-date plans are prepared to defend all assets, data, and users from threat actors.
A practical cyber resilience framework will cover the security of all aspects of an organization’s IT ecosystem, including:
- Data security;
- Software and application security;
- Infrastructure and hardware security;
- Cloud security;
- IoT security.
If your company is cyber resilient, it means that your organization:
- Has the ability to be agile and nimble even in the face of an attack;
- Can effectively address many kinds of cyber risks and restore business following a cyber incident or threat event;
- Understands and accepts that attackers with sophisticated tools and time will find ways to break into your enterprise assets;
- Prepares for such eventualities to prevent operational collapse and to ensure that systems and users can recover as soon as possible;
- Is able to deal with ongoing and persistent challenges in a rigorous manner.
By developing an agile cyber resilience approach, you can anticipate targeted cyber threats whether they are data breaches, supply chain attacks, DDoS attacks, or anything else. You will also have plans in place to resist these threats, recover from them with minimal damage, and withstand persistent adversaries.
Best Practices to Create a Cyber Resilience Plan
Like business and operational resilience, cyber resilience takes time to achieve. You can, however, improve your cybersecurity plan and become a cyber-resilient organization by following the below strategies:
Understand the Threat Landscape
The first step to cyber resilience is understanding your organization’s threat landscape. If you don’t know what kind of risks, vulnerabilities, and threats exist, you can’t implement risk management or take action to protect your assets, users, and data.
To boost cybersecurity, it’s critical to think like a hacker by:
- Understanding what makes your organization a particularly valuable target for a targeted cyberattack;
- Expecting attacks and preparing for them with defensive and offensive protective measures;
- Studying past attacks (either against your organization or other organizations in your industry) to understand the common patterns threat actors follow;
- Performing vulnerability analyses and penetration tests to seek out and identify possible security loopholes.
Know Your IT Infrastructure
To resist targeted cyberattacks, it’s not enough to understand only what’s out there. You must also understand what’s “in here.” In other words, you should know your systems and where they are most vulnerable.
Analyze your operations and business-technology assets, and look for existing security gaps and vulnerabilities. Create an asset inventory to identify the assets that may attract attackers and compel them to launch a targeted cyberattack.
Establish baselines of expected or normal behaviors for all devices and critical systems, so you can detect abnormal or potentially dangerous behaviors that may indicate the presence of a targeted cyberattack.
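What a behavioral baseline looks like in practice, as an added example that is not code from the original article: the script learns each user’s usual source networks, usual hours and usual login-failure rate from a period of authentication logs, then flags events in a later log that fall outside that profile. The log line format, both sets of log lines and the failure-ceiling rule are constructed assumptions.

```python
"""Baseline each user's normal authentication behaviour, then flag departures from it.

Added example, not code from the original article. The log lines are
constructed; each reads 'YYYY-MM-DDTHH:MM user source_ip result'.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress


def parse(line: str):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def subnet(ip: str) -> str:
    """Group sources by /24 so an ordinary DHCP lease change is not a 'new location'."""
    return str(ipaddress.ip_network(ip + "/24", strict=False))


def build_baseline(lines) -> dict:
    """Per user: usual source networks, usual hours, and a ceiling on daily login failures."""
    seen = defaultdict(lambda: {"subnets": set(), "hours": set(), "fails": defaultdict(int)})
    for line in lines:
        ts, user, ip, result = parse(line)
        seen[user]["subnets"].add(subnet(ip))
        seen[user]["hours"].add(ts.hour)
        if result == "fail":
            seen[user]["fails"][ts.date()] += 1
    baseline = {}
    for user, entry in seen.items():
        worst_day = max(entry["fails"].values(), default=0)
        baseline[user] = {
            "subnets": entry["subnets"],
            "hours": entry["hours"],
            # assumed rule: allow twice the worst baseline day, but never fewer than three
            "fail_ceiling": max(3, 2 * worst_day),
        }
    return baseline


def detect(baseline: dict, lines) -> list:
    """Return (timestamp, user, reason) for every event that departs from the user's baseline."""
    findings = []
    fails_today = defaultdict(int)  # (user, date) -> failures seen so far in the monitored log
    for line in lines:
        ts, user, ip, result = parse(line)
        profile = baseline.get(user)
        if profile is None:
            findings.append((ts, user, "no baseline for this user"))
            continue
        if subnet(ip) not in profile["subnets"]:
            findings.append((ts, user, f"new source network {subnet(ip)}"))
        if ts.hour not in profile["hours"]:
            findings.append((ts, user, f"activity at unusual hour {ts.hour:02d}"))
        if result == "fail":
            fails_today[(user, ts.date())] += 1
            # raise once, on the failure that crosses the ceiling
            if fails_today[(user, ts.date())] == profile["fail_ceiling"] + 1:
                findings.append((ts, user, "failure count exceeds baseline ceiling"))
    return findings


# Constructed baseline: a few days of office-hours activity from internal 10.1.x.0/24 networks.
BASELINE_LOG = [
    "2024-03-04T09:02 alice 10.1.2.40 ok",
    "2024-03-04T09:03 alice 10.1.2.40 fail",
    "2024-03-04T14:10 alice 10.1.2.40 ok",
    "2024-03-05T09:00 alice 10.1.2.41 ok",
    "2024-03-05T14:30 alice 10.1.2.41 ok",
    "2024-03-06T09:15 alice 10.1.2.40 ok",
    "2024-03-04T14:00 bob 10.1.3.5 ok",
    "2024-03-05T14:05 bob 10.1.3.6 ok",
]

# Constructed monitored log: a 03:10 login from an outside address, a burst of failures,
# and an account that never appeared in the baseline.
MONITORED_LOG = [
    "2024-03-11T09:05 alice 10.1.2.77 ok",
    "2024-03-11T03:10 alice 203.0.113.5 ok",
    "2024-03-11T09:30 alice 10.1.2.10 fail",
    "2024-03-11T09:31 alice 10.1.2.10 fail",
    "2024-03-11T09:32 alice 10.1.2.10 fail",
    "2024-03-11T09:33 alice 10.1.2.10 fail",
    "2024-03-11T14:00 bob 10.1.3.5 ok",
    "2024-03-11T14:02 carol 10.1.3.9 ok",
]

if __name__ == "__main__":
    for ts, user, reason in detect(build_baseline(BASELINE_LOG), MONITORED_LOG):
        print(ts.isoformat(timespec="minutes"), user, reason)
```

Three of the four findings concern one account, which is the point of per-user baselines: a 03:10 login from an outside network followed by a run of failures is unremarkable in aggregate statistics but stands out sharply against what that user normally does. The same approach extends from user accounts to devices and service accounts by changing the key the profile is built on.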
Adopt a Zero-Trust Approach
The zero-trust approach to security means that you should never trust anything or anyone trying to access your network, systems, or data. Zero-trust adopts an “always verify” mindset that’s markedly different from the older “trust but verify” mindset. Sophisticated threat actors often exploit such trust-based approaches to launch targeted cyberattacks.
With zero trust, every user and device is treated as a potential threat. It also leverages the principle of least privilege (PoLP), where every user or device only has the access permissions required to perform their intended function or role. Moreover, each user’s identity is always authenticated before being allowed to access your enterprise resources.
Zero-trust also adopts micro-segmentation, the idea of creating smaller segments around IT assets to strengthen enterprise security and reduce your attack surface against targeted attacks.
Strengthen Your Cybersecurity Ecosystem
Check to see whether your existing security technology is optimally configured to withstand targeted attacks. All system access rights should be audited to determine whether they need to be updated or revoked.
Perform secure code reviews of all software developed in-house and flaw analysis of any code binaries or libraries received through the software supply chain. Further, make sure to assess all applications for cracks, fraudulent identities, or unsafe paths that increase your vulnerability. These actions will help limit the attack surface of software applications.
Defense-in-depth security controls and threat hunting tools can help you detect existing and emerging targeted threats. They can also contain such threats to prevent lateral movement and mitigate the threats’ harm.
Another powerful way to boost cyber resilience is to adopt advanced or automated technologies to replace manual security processes. You can adopt automation tools for:
- Real-time threat hunting;
- Vulnerability management and assessment;
- Security orchestration, automation, and response (SOAR);
- User behavior analytics (UBA).
Create a Cyber-Aware Culture
A cyber-aware culture is an essential component of cyber resilience. Top leaders should speak “cybersecurity language” and set an example about expected and safe behaviors to protect the organization from targeted cyberattacks.
The organization’s policies, best practices, and standard operating procedures should also reflect this language to ensure that every employee supports the company’s cybersecurity goals.
Employee security awareness is also critical to create a cyber-resilient organization. Employees need to be trained on how to identify and resist targeted cyberthreats. Improve their cyber hygiene and establish procedures for them to report threats.
Also, make sure you have fully trained and experienced security teams to deal with these threats. These professionals should be able to search for, identify, hunt, analyze, and mitigate cyberthreats.
A robust cyber-aware culture will go a long way towards increasing your organization’s cyber resilience, particularly when faced with agile and persistent adversaries looking to launch targeted cyberattacks.
Make Reciprocity ROAR Part of Your Cyber Resilience Plans
Over the coming years, the cyberthreat landscape is only going to expand. A robust cyber resilience plan will not be optional but a requirement to defend your organization’s operations and customers.
In addition to the strategies highlighted in this guide, you should engage with a trusted security partner to boost your cyber resilience. Reciprocity ROAR can be such a partner for your company.
Reciprocity ROAR increases visibility into your threat landscape and provides a holistic view of organizational risk. If you are ever at the receiving end of a targeted attack, you can quickly identify and respond to such incidents to minimize loss and damage with the ROAR platform. This automated, integration-ready solution will help you plan for worst-case scenarios.
To see how Reciprocity ROAR can help you maintain a strong security profile and become a cyber-resilient organization, schedule a demo today.