In an effort to shed light on the topic of targeted attacks, we have released a series of articles that tackle the different aspects of a targeted attack; what it is and what it can do, its impact to companies, and its components. This is where we discuss countermeasures and what to do in the event of a targeted attack.
Before anything, let us recap what a targeted attack is. A targeted attack happens when a specific company, or a set of people in the company, are targeted by threat actors in an attempt to infiltrate their network and steal information. They're usually are long and sustained attacks that often occur without the targets knowing it. Once threat actors get access to the company network, they work to gain further access in search of their target data. This whole process could take months to accomplish, with data exfiltration as main goal. The effects of a successful Targeted Attacks include the theft of intellectual property, business disruption, financial and reputation loss, and customer information loss.
How to Defend Your Data from Targeted Attacks
Threat actors behind targeted attacks spend an enormous amount of time and effort looking for specific data that they can steal, sell, or use later on. Categorizing data is the first step to secure them, and access to specific data should be limited to workgroups that require it.
Data Protection Infrastructure and Network Segmentation
How a network is structured can affect data security. The sensitive data needs to be stored in separately, where higher security clearance is required before it can be accessed. Companies can utilize multi-tier access data storage and place it in a separate or disconnected network. Poorly configured networks can open the entire corporate data infrastructure to threat actors.
Dividing the network into segments according to functions is also a good to minimize the impact of a targeted attack. Segmentation allows better network administration and assigning privilege to certain users. This makes lateral movement from the threat actor very difficult, requiring them to go through more machines or obtain better user privileges to move from one network to another.
Personnel Education and Threat Intelligence
It is very important for employees, regardless of expertise or role, to learn about basic threat intelligence. Companies can offer free seminars or properly brief their employees about threat actors’ tools, tactics, and procedures. They can also refer to past events to show the gravitas of the situation. Ultimately, this knowledge lessens the chances of human error.
The enterprise may also set up protocols for lost or stolen company equipment to further boost security. Proper account maintenance should also be exercised, such as regular password replacement, making sure passwords are strong, and consistent monitoring by local IT.
Securing User Accounts and Accountability
It is very common for workplaces to give employees their own accounts and access to the network. However, accounts have to be configured to limit employee access to data that they need. Likewise, limiting the number of high priority users that can access sensitive data makes it harder to be infiltrated.
While it is very difficult to know if an attack is currently ongoing, the presence of attackers may be revealed with systematic log checking and analysis. By working with security information and event management (SIEM) or security event manager (SEM) groups, companies would be able to see patterns in the lateral movement of these threat actors and create countermeasure for the threat.
For companies keeping sensitive data or for industries that are known to be targets of threat actors, knowing how to respond to targeted attacks is a necessity. Incident response can be summed up in four steps:
Prepare – Plan for a targeted attack before it happens. This includes building threat intelligence, dealing with normal threats, identifying abnormal threats, and learning new techniques to help improve threat response.
Respond – Once an attack is identified, fast action is necessary. This pertains to threat containment and removal, damage assessment, and continued monitoring of existing network activity.
Restore – The company must restore its operations on two fronts. Internally, it must revert back to its regular operations after responding to the threat. Externally, the company must reach out to its stakeholders and customers to communicate the scope of the damage done by the attack, as well as provide steps on mitigating possible damage.
Learn – Companies must gain knowledge from their experiences. Each incident can shed further light on a possible future situation—what worked and what didn’t work? What can be improved? This information can be vital when its time to respond to future threats.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).