Would you change your behavior if you knew you were targeted?

13 Sep, by Richard Stiennon

No amount of scary headlines or warnings issued by security experts and government agencies has the impact of the sure knowledge that you have been targeted. Would you change your IT security posture if you knew someone or some organization was after your data? In fifteen years of talking to people about improving their security, I repeatedly hear the response "but we are just a <insert benign industry here>; who would want our data?" Industry by industry, organizations have learned the hard way that their data is valuable to someone. Banks, stock trading firms, software vendors, payment processors, retailers, hospitals, NGOs, militaries, and governments have discovered through very public breaches that their data is indeed wanted by bad actors, be they hacktivists, cyber criminals, competitors, insiders or foreign agencies.

So imagine for a minute that you get clear intelligence that you or your organization is targeted.  It could be as blatant as the hacktivist group Anonymous calling you out for some perceived slight.  You may get an alert of a spear phishing attack against an executive.  Or you may see your organization appear in the press such as this excellent article from The Tech Herald that lists the organizations whose machines had the most connections to the notorious Shady-RAT Command and Control server. 

Once you realize you are the target of an adversary, your approach to security transforms. You circle the wagons; you check your access logs; you take the results of your vulnerability scans seriously. You seriously consider updating and patching your operating systems and revisiting your firewall policies.  These measures are summed up well by The Tech Herald:

“The best mitigation to prevent attacks like the one this server helped to propagate is to ensure that an organization's systems and software are always kept up to date. The vulnerabilities targeted by this C&C are not new. They have all been patched at some point in the past.

Another way to catch attempts from similar attacks is to ensure that any endpoint protection, such as anti-virus on a desktop, is maintained and updated. In addition, monitoring traffic logs within an organization for unknown connections to and from a domain will allow C&Cs such as this one to stand out. IPS detections aimed at known exploits and back channel communications will help, but are not foolproof.”
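The log-monitoring advice in the quote above, as an added example that is not from the original post or from The Tech Herald: it sweeps constructed proxy log lines for destinations outside an assumed known-good baseline, and goes one step further by flagging unknown destinations that a host contacts on a fixed cadence, the check-in pattern a C&C channel tends to show. The log format, host names, domains and baseline are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the original post): timestamp host destination bytes
SAMPLE_LOG = """\
2011-09-07T08:01:10 ws-finance-12 mail.example-corp.test 4120
2011-09-07T08:02:33 ws-finance-12 update.vendor-os.test 98100
2011-09-07T08:05:01 ws-hr-03 intranet.example-corp.test 2210
2011-09-07T08:05:59 ws-finance-12 cdn-static.lookup-img.test 512
2011-09-07T08:10:59 ws-finance-12 cdn-static.lookup-img.test 518
2011-09-07T08:15:59 ws-finance-12 cdn-static.lookup-img.test 509
2011-09-07T08:20:01 ws-hr-03 update.vendor-os.test 77310
"""

# Assumed baseline of destinations the organization expects to see (constructed)
KNOWN_GOOD = {"mail.example-corp.test", "intranet.example-corp.test", "update.vendor-os.test"}


def parse_log(text):
    """Yield (timestamp, host, domain, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[0], parts[1], parts[2], int(parts[3])


def unknown_destinations(text, known_good=KNOWN_GOOD):
    """Map each destination outside the baseline to {host: connection count}."""
    hits = defaultdict(Counter)
    for _ts, host, domain, _size in parse_log(text):
        if domain not in known_good:
            hits[domain][host] += 1
    return {d: dict(c) for d, c in hits.items()}


def beacon_candidates(text, known_good=KNOWN_GOOD, min_hits=3, jitter_seconds=10):
    """Return (host, domain, interval_seconds) for unknown domains contacted on a regular cadence."""
    times = defaultdict(list)
    for ts, host, domain, _size in parse_log(text):
        if domain not in known_good:
            times[(host, domain)].append(datetime.fromisoformat(ts))
    found = []
    for (host, domain), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:  # near-constant interval looks beacon-like
            found.append((host, domain, int(sum(gaps) / len(gaps))))
    return found
```

In practice the baseline would be built from weeks of your own logs rather than a hand-written set, and a flagged domain is a lead to investigate, not proof of compromise.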

However, I think this advice does not go far enough. It may protect you from attacks aimed at a broad swath of targets, but if the adversary is determined, they will bypass even systems that are patched and running the latest AV signatures. They will use zero-day vulnerabilities, target your more-vulnerable partners, or find systems that do not even run AV. To protect your endpoints from this level of targeting, you need to lock them down so no unauthorized code can run. Period.

This is what whitelisting does. The droppers, remote access and Trojan horse applications used in targeted attacks will not run. Is that all you have to do? Of course not. Targeting involves a lot more than computers and networks. A determined adversary will go to great lengths to get what they are after. Bribing, blackmail, breaking and entering and infiltrating take data protection into the human and physical realms.

But why make it easy for your attacker? Preventing desktops and mobile platforms from falling victim to relatively simple attacks is the first step. Beefing up your background checks and internal monitoring is next.

Richard Stiennon
September 7, 2011

Brought to you by Lumension