Hackers have evolved since the days when you would receive an anonymous email with a suspicious attachment. Now cyber-criminals are using ever more sophisticated methods to circumvent system defenses and actively pursue an organization’s single biggest weakness, the user.
But why has the user come under so much scrutiny?
Despite all the sophisticated IT defenses commonly employed by organizations, all of them can be bypassed with a few clicks from any point inside the network. This has given rise to what we call the ‘insider threat’.
Yet while most of the attention is directed towards ‘rogue employees’ such as Edward Snowden, very little consideration is given to the innocent and often unwitting user, who is being targeted by cyber-criminals with overwhelming precision.
This advanced and, admittedly, well-planned approach has meant that the blanket spam tactics of old are becoming a thing of the past. Today’s cyber threats involve a significant amount of research and investigation, largely as a result of advances in OS patching and malware defenses which have left relatively few doors unguarded, prompting attackers to shift their focus outside the perimeter defense.
What we are subsequently seeing is that cyber-attacks do not always start with a brute-force attack or a breach of network defenses, but rather with a trusted website or any other resource that may be used by an organization and its employees.
Being located outside company infrastructure, these emerging threats are impossible to lock down and are inherently difficult to identify, and thus prevent. Yet when successfully executed, they effectively invite the attacker inside the network.
An increasingly common form of attack is the watering hole. Taking its name from the familiar land feature at which predators lie in wait for their prey, the technique sees attackers compromise a source known, or at least predicted, to be used by their target group.
Originally discovered in July 2012 by the RSA Advanced Threat Intelligence Team, watering hole campaigns typically begin with the attacker guessing or observing which websites members of their target group visit. These are usually lower-tier sites with a weaker security posture than the target group itself; the attacker takes advantage of that weaker posture and infects them with malware.
From then on the attacker simply has to sit back and wait for a user of the target group to visit the site and, if successful, become infected. Judging by previous incidents, the odds of this certainly appear to be in the attacker’s favor if they’ve done their homework.
Analysis has shown that these attack campaigns can have comparatively high success rates in comparison to conventional methods, with even groups resistant to spear phishing proving susceptible. All in all, what we often see is multiple endpoints within the same organization being compromised in a single campaign.
Yet perhaps the most startling fact regarding watering holes is that even companies such as Microsoft, Apple, Facebook and Twitter have been compromised through this method of attack. In these cases, attackers targeted a number of third-party developer websites known to be used by employees.
Another method which has been making headlines is DNS cache poisoning: a man-in-the-middle attack in which the DNS records of popular websites are modified to redirect users to an alternative, malicious website, often resembling the original site to ensnare unsuspecting visitors.
If an attacker inserts a ‘poisoned’ record into a DNS server, altering the record to redirect domain traffic from the correct IP address to one belonging to the attacker, it can rapidly propagate to other DNS servers. This can lead to hundreds, if not thousands, of users being directed to a malicious site.
The redirected site can be adapted to appear like the original, as is the norm in phishing campaigns. Yet while a phishing attack can often be exposed by a suspicious URL, that is not the case with DNS poisoning as the URL is legitimate, meaning that a well-crafted duplicate site will leave many users none the wiser.
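Because the URL stays legitimate, the defensive signal is the answer itself: a record whose resolved address diverges from a known-good baseline, especially when the divergence spreads across resolvers. The following detection logic, an added example that is not part of the original article, checks constructed resolver log lines against a hypothetical baseline and trusted address ranges (all names and addresses are made up, using TEST-NET ranges).

```python
import ipaddress
from collections import defaultdict

# Constructed baseline of known-good A records (hypothetical; a real deployment
# would build this from authoritative lookups or a vetted inventory).
BASELINE = {
    "intranet.example.com": {"198.51.100.10"},
    "updates.example.com": {"198.51.100.20", "198.51.100.21"},
    "www.example.com": {"203.0.113.5"},
}

# Address ranges the organization legitimately publishes (constructed).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]

# Constructed resolver log lines: "<timestamp> <resolver> <qname> <type> <answer>"
SAMPLE_LOG = """\
2013-11-02T09:00:01Z ns1 www.example.com A 203.0.113.5
2013-11-02T09:00:07Z ns1 updates.example.com A 198.51.100.21
2013-11-02T09:01:15Z ns2 intranet.example.com A 192.0.2.66
2013-11-02T09:01:20Z ns2 www.example.com A 203.0.113.5
2013-11-02T09:02:03Z ns1 intranet.example.com A 192.0.2.66
"""

def parse_line(line):
    ts, resolver, qname, rtype, answer = line.split()
    return ts, resolver, qname.lower().rstrip("."), rtype, ipaddress.ip_address(answer)

def find_suspect_answers(log_text):
    """Alert on A answers that diverge from the baseline; escalate when the
    answer lies outside trusted ranges, and count how many resolvers now
    return the divergent answer (a proxy for poisoning propagation)."""
    alerts = []
    divergent_resolvers = defaultdict(set)  # qname -> resolvers returning bad answers
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, resolver, qname, rtype, ip = parse_line(line)
        if rtype != "A" or qname not in BASELINE or str(ip) in BASELINE[qname]:
            continue
        in_trusted = any(ip in net for net in TRUSTED_NETS)
        divergent_resolvers[qname].add(resolver)
        alerts.append({"ts": ts, "resolver": resolver, "qname": qname,
                       "answer": str(ip),
                       "severity": "medium" if in_trusted else "high",
                       "resolvers_affected": len(divergent_resolvers[qname])})
    return alerts
```

Answers inside a trusted range are still flagged at medium severity, since a legitimate record change and a poisoned one look identical until the baseline is confirmed.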
This is another technique which has had various high-profile targets. Google Malaysia was compromised earlier this year, as were WhatsApp, AVG, Avira and Alexa around the same time.
Heading into 2014
The smart money for 2014 is that attacks of this variety are only going to become more common. Cyber security analysts have already noted a recent fall in the quantity of new malware samples as cyber-criminals look to employ zero-day attacks in a much more targeted manner, with customer data and intellectual property often ranking high on the agenda.
Watering holes in particular are likely to become established as the weapon of choice, facilitated by the increasing resources made available to cyber-criminals, allowing them to research and target the supply chain surrounding their target group.
Yet as employee internet access becomes the norm within the corporate environment – nearly 70% of large enterprises are predicted to allow access to external social media by 2014 according to Gartner – it is difficult to think of a data breach at some point as anything but inevitable.
The best form of defense against these evolving attacks is a multi-layered security strategy, which protects the corporate network as well as restricting the damage caused by any infiltrating malware.
Kris Zentek, Senior Product Manager
Kris Zentek is a Senior Product Manager at BeyondTrust, focusing on Endpoint Privilege Management solutions. Based in the UK, he has over 20 years of experience working in the cybersecurity industry.