Advanced cyberthreats, demystified

Cyberweapons have to communicate to their creators, propagate within the infrastructure and send data. That’s when an effective and highly flexible algorithm can be capable of spotting them.

A few years from now someone will start writing the history of advanced, highly sophisticated cyberthreats. This person will obviously start with Stuxnet, and go through the findings of campaigns like The Equation, Red October, Regin or Dark Hotel. These are the names every security researcher knows, as they significantly impact our understanding of cyberthreat evolution. But they are not the ones that cause the most damage. Much simpler, unsophisticated but still dangerous targeted attacks are the ones businesses should fear the most.

Let me be clear, it’s not that high-profile threats are not dangerous. The major goals of people behind them are espionage and sabotage, and their victims, unfortunately, do feel the impact. The security community’s attention is biased towards the complicated cases, but this sometimes leads to false assumptions on the side of businesses. For example:

  • Those advanced threats are not targeting my company.

Wrong, because even smaller businesses can be used as a vulnerable point to reach a larger and more protected company.

  • I can’t protect myself from such advanced attacks anyway, so why should I even try?

Again, this is not true, detecting even the most sophisticated cybercriminal campaign is possible, and the security industry is definitely showing some progress here.

This bias shifts the attention of corporate IT professionals from a simple fact: advanced threats are not the only ones that target them. Based on our intelligence, we can roughly divide all threats into three categories: known threats, unknown threats and targeted attacks/advanced threats.

  • Known threats: generic malware, phishing attacks. These should not present a problem to a company, if IT security is deployed and maintained in a correct fashion. Basic security technology and intelligence systems (like cloud security) are required. This is roughly 70% of all attacks faced by businesses today.
  • Unknown threats: new malicious programs. In general all the attempts of cybercriminals to evolve their tools and overcome protection belong here. Advanced technologies are required to prevent such threats, including proactive detection and heuristic technologies, application control and other approaches. Still, it’s quite clear how to deal with such threats, using existing endpoint security solutions, network filtering, etc. These threats amount to around 29% of all attacks.
  • And finally, the remaining 1%. Targeted attacks and advanced threats. What’s the difference? Advanced threats use advanced cyberweapons: zero-day vulnerabilities, and sophisticated tools to hide their presence in a victim’s network. Targeted attacks rarely use such an ‘expensive’ tool set, but what is common between the two is the research of a specific victim and adaptation of attack methods, in order to increase its chances of success. Unlike the other 99% of attacks, people behind these threats know about your company much more than you know about them. They find a reckless employee. An unpatched machine with access to sensitive data. A web application created by a subcontractor with security lapses. Anything they could use to break in. And no matter how good your security perimeter is, they will break it eventually.

So what should businesses do? The answer is simple. We all agree that companies need experts and technology to secure their perimeter (don’t forget that the other 99% of typical threats is still there). Likewise, they need intelligence and technology to identify and remediate attacks inside the perimeter, should they happen. The worst case scenario is when you learn about a compromise of your data from a newspaper, and not your CISO.

There are many approaches to creating a technology to detect targeted attacks. The most effective are based on the knowledge of the normal behavior of your company’s network. Which websites and services do your employees visit? At what frequency? What is the typical time they do that? How often do you exchange data with your partners and clients? Knowing these patterns, threat detection solutions are able to spot irregular behavior and alert IT personnel. Is it okay if a laptop connects at 3am to an unusual server in a distant country? Why is that machine sending gigabytes of data to a previously unknown location? In fact, this is where advanced threats and ‘unsophisticated’ targeted attacks start showing similar behavior. No matter how brilliant, these cyberweapons have to communicate to their creators, propagate within the infrastructure and send data. That’s when an effective and highly flexible algorithm can be capable of spotting them.

This evolution of the threat landscape requires a specific protection technology. That is what we have designed in the Kaspersky Anti Targeted Attack Platform. It uses sophisticated algorithms to analyze files, URLs and data to identify potentially suspicious activity: something that stands out of the normal office workflow. It enables businesses to identify targeted attacks at the point of infection and provides them with enough intelligence to counteract. Together with traditional security solutions, this helps businesses cover the entire range of cybersecurity threats they face.