Targeted attack mitigation: everything can go wrong

The most common definition of security intelligence is knowing how your business may be attacked. This is an important part of security expertise, but it’s not the only one.

Targeted attacks on businesses vary in their level of sophistication, goals and points of entry into the corporate infrastructure, but they all have one thing in common – they are ridiculously hard to detect. And that’s not all, the remediation of an attack, once it’s discovered, is also difficult. Time is critical. There are two major ingredients for an effective remediation approach – technology and intelligence.

Defining intelligence

The most common definition of security intelligence is knowing how your business may be attacked. This is an important part of security expertise, but it’s not the only one. With companies spending up to 80% of their resources on prevention technologies, dealing with an active security breach may present them with a problem. Cybercriminals are very good at covering their tracks, so when an attack has been discovered, a company may find itself in a tricky position, with no knowledge of the number of compromised machines, logs erased, or evidence of a breach destroyed. Even worse, once a successful attack remediation has been reported, a business may actually still be at risk from an unidentified vulnerable point in the corporate infrastructure.

Proper security intelligence combines knowledge about potential and real acts of corporate cybercrime, with the information and approaches needed to gather all necessary data on an on-going attack. Such a combination is achieved via expertise and tools, developed in-house and/or by working with an expert security vendor.

Defining technology

Even a small company produces a huge amount of data. Terabytes of data are sent and received, and millions of connections are established every day, from e-mail communications, IMs, and social networks, to cloud services. An attack may affect just a handful of connections, but even a small chunk of data leaking to the outside world can bring a lot of trouble. There are millions of ways to breach the network perimeter. It is absolutely necessary to reduce the opportunity for attack. But breaches happen from time to time, and that’s where new technology is required.

We concentrated on one particular goal whilst we were developing our Kaspersky Anti Targeted Attack Platform. We knew it is important to merge proven anti-malware technologies, advanced new methods of statistical analysis, and machine learning to spot the tiny bits of online communication that belong to cybercriminal activity. No security expert is able to control everything, so that’s where the machines step in – controlling every data transmission and analyzing the workflow for discrepancies, and joining different pieces of evidence together to produce a substantiated alert.

So, if your employee’s PC connects to a previously unknown server in a distant country, it might look suspicious. But it might also be a false positive. What if this happens at 3am, when no one is in the office? Did it previously download an unknown executable? Now this is the time to call security.

When a business tries to protect itself from targeted attacks, it finds itself in a harsh environment of many unknown variables, with millions of attack methods on thousands of devices, from routers to  mobile phones. The only way to keep up is to collect tons of data and use knowledge about the constantly evolving threat landscape to process it as fast as possible.

This data-driven approach to protecting companies from the most sophisticated and targeted attacks requires a vast amount of industry expertise, balanced with powerful technology. If your automated systems spot a targeted attack, protection requires the skills and knowledge of a professional. Yet that professional’s efficiency relies on how well the attack is documented – by technology – at every step.

Last year one fifth of businesses reported a targeted attack, and lost anywhere from 38K USD to half a million from every incident. So, it’s the right time to take action and combine expertise with advanced technology for the best protection possible.