Understanding Targeted Attacks: What is a Targeted Attack?

September 24, 2015

Targeted attacks can be considered one of the biggest cyber-threats to an organization in today's Internet-connected landscape. They are the worst-case scenario for a company of any size: the targeted company not only loses reputation, it can also suffer millions in damages. We hear about these targeted attacks in headlines as ‘data breach’ incidents, like the ones that affected Sony, Target, and Ashley Madison.

As sensational and damaging as they are made to sound in the news, the data breach itself does not tell the whole story. A targeted attack is about more than bringing big companies to their knees; the same techniques are used for cyber espionage against countries and their government agencies.

So what is a targeted attack? How are they different from the usual threats we keep hearing about in the news? We’re here to answer all these questions and more with this first part in a series of articles tackling the threat that could cripple department stores as easily as it could topple governments.

When is an attack considered a targeted attack?

An attack can be considered a targeted attack when it fulfills three main criteria:

  • The attackers have a specific target in mind and have demonstrably spent considerable time, resources and effort setting up and carrying out the attack
  • The main aim of the attack is to infiltrate the target’s network and steal information from its servers
  • The attack is persistent: the attackers expend considerable effort to keep their access, and to keep data flowing out, long after the initial network penetration

Targeted attacks are often discovered years after the fact, by which time thousands or even millions of customer records or other pieces of information have already been stolen.

How is a targeted attack different from hacktivism?

Hacktivism, or activism-related hacking, differs from targeted attacks in its one-off, vandalistic nature. Hacktivist attacks are often closer to nuisances: not especially harmful and relatively easy to deal with, like graffiti on a public wall. They usually involve little or no network penetration and little to no theft of information.

They are also done with the maximum amount of aplomb and visibility—they are designed to be seen, rather than staying out of sight like targeted attacks are designed to do.

How is a targeted attack different from a cybercrime operation?

The biggest difference between a targeted attack and a cybercrime operation is scope. A cybercrime operation aims to victimize as many users as possible in the shortest amount of time, to outrace the defenders' response.

A targeted attack operation, on the other hand, has a very narrow scope, usually limited to a single company or organization. Sometimes the scope is narrowed even further, to a specific employee or a handful of employees in that organization. All that work, effort and research is carried out to ensure that the target takes the bait and falls into the trap, which then gives the attackers a way into the network.

An easy way to differentiate a targeted attack and a cybercriminal operation: targeted attacks are deliberate, purposeful and persistent. They are not automated, opportunistic or indiscriminate in nature.

If an attack is found to have focused on a specific target, or the identified targets have a strong unifying theme (such as companies in the same industry)—then chances are high that it’s a targeted attack.

Lastly, cybercrime operations are also mostly driven by financial intent (for example, stealing banking credentials). While targeted attacks are, at some level, also driven by financial motivations, the primary goal of the attack is always to steal information.
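The differentiators described above (narrow scope, a unifying theme among the victims, persistence, and deliberate rather than automated targeting) together with the three criteria listed earlier can be turned into a rough triage heuristic for a cluster of related intrusions. The following Python is an added example written for this article; it is not a Trend Micro tool and not part of the original post. The Victim record, the thresholds (MAX_TARGETED_VICTIMS, MIN_SECTOR_SHARE, MIN_PERSISTENCE_DAYS) and both sample campaigns are constructed assumptions meant to be tuned against real telemetry.

```python
"""Heuristic triage: does a cluster of related intrusions look like a
targeted attack or a mass cybercrime operation?

Example code added for this article (not a Trend Micro tool).  The
thresholds and the sample campaigns below are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Victim:
    org: str             # victim organisation (constructed sample data)
    sector: str          # industry vertical of the victim
    first_seen: date     # first sign of attacker activity in that network
    last_seen: date      # most recent sign of attacker activity
    tailored_lure: bool  # lure named the victim's staff, projects or partners


# Assumed thresholds (not from the article): tune to your own telemetry.
MAX_TARGETED_VICTIMS = 10   # beyond this, breadth suggests a mass campaign
MIN_SECTOR_SHARE = 0.6      # share of victims in the dominant sector
MIN_PERSISTENCE_DAYS = 30   # median activity span that implies persistence
MIN_TAILORED_SHARE = 0.5    # share of victims hit with a customised lure


def campaign_metrics(victims):
    """Summarise the differentiators: scope, unifying theme, persistence,
    and how deliberate (tailored) the initial lure was."""
    if not victims:
        raise ValueError("need at least one victim record")
    sectors = Counter(v.sector for v in victims)
    top_sector, top_count = sectors.most_common(1)[0]
    spans = sorted((v.last_seen - v.first_seen).days for v in victims)
    return {
        "victims": len(victims),
        "top_sector": top_sector,
        "sector_share": top_count / len(victims),
        "median_persistence_days": spans[len(spans) // 2],
        "tailored_share": sum(v.tailored_lure for v in victims) / len(victims),
    }


def classify(victims):
    """Return ('targeted' | 'opportunistic', metrics).  Three of the four
    signals must point the same way before calling a cluster targeted."""
    m = campaign_metrics(victims)
    signals = (
        m["victims"] <= MAX_TARGETED_VICTIMS,                 # narrow scope
        m["sector_share"] >= MIN_SECTOR_SHARE,                # unifying theme
        m["median_persistence_days"] >= MIN_PERSISTENCE_DAYS,  # persistence
        m["tailored_share"] >= MIN_TAILORED_SHARE,            # deliberate
    )
    verdict = "targeted" if sum(signals) >= 3 else "opportunistic"
    return verdict, m


def sample_targeted():
    """Constructed cluster: four defense contractors, long dwell times,
    lures written for specific people."""
    return [
        Victim("Acme Aerospace", "defense", date(2015, 1, 12), date(2015, 6, 3), True),
        Victim("Borealis Systems", "defense", date(2015, 2, 2), date(2015, 5, 20), True),
        Victim("Cirrus Avionics", "defense", date(2015, 1, 30), date(2015, 2, 19), False),
        Victim("Delta Shipyards", "defense", date(2015, 3, 15), date(2015, 7, 1), True),
    ]


def sample_mass():
    """Constructed cluster: 200 victims across unrelated sectors, each
    infected for a day or two by the same generic banking-trojan lure."""
    sectors = ["retail", "finance", "healthcare", "education", "media"]
    return [
        Victim(f"victim-{i:03d}", sectors[i % 5],
               date(2015, 3, 1), date(2015, 3, 1 + i % 3), False)
        for i in range(200)
    ]


if __name__ == "__main__":
    for name, cluster in (("cluster A", sample_targeted()), ("cluster B", sample_mass())):
        verdict, m = classify(cluster)
        print(f"{name}: {verdict} ({m['victims']} victims, "
              f"{m['sector_share']:.0%} in {m['top_sector']}, "
              f"median {m['median_persistence_days']} days of activity)")
```

The point of the three-of-four rule is that no single signal is decisive: a mass campaign that happens to hit one sector still fails on scope and persistence, and a targeted operation that was caught early in one victim still scores on the other three.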

How is a targeted attack different from an APT (Advanced Persistent Threat)?

Targeted attacks differ from APTs the same way a regular handgun differs from a state-of-the-art, military-issued rifle: sophistication, engineering, and user.

APTs use code and tools designed from the ground up, not by the small group of hackers behind a typical targeted attack, but by teams of skilled, salaried engineers. APTs are also state-sponsored, meaning that actual governments are behind them rather than a small hacker crew.

APTs are much more serious in scope and firepower than targeted attacks, and go after only the biggest targets, such as defense contractors and government agencies. Most companies need not worry about them as much as about targeted attacks, but it is better to protect against both, just in case.

Solutions like the Trend Micro Deep Discovery threat protection platform enable companies to detect, analyze, and respond to modern threats such as sophisticated malware, targeted attacks and APTs.

This is the first part of a series of articles on targeted attacks—the subject will be covered in more detail on future articles and updates.
