by Paul Wood
Targeted malware and advanced persistent threats (APTs) have been big news in 2011, particularly in the wake of the Stuxnet attacks of 2010, and the recent discovery of Duqu.
Though the term has been overused and occasionally misused, it is undeniable that APTs represent a significant threat to some companies and industries. Symantec.cloud found that the number of APTs detected worldwide increased fourfold from January to November of this year. So as 2011 comes to a close, we thought it would be a good idea to use our November Intelligence Report to take a closer look at what have been dubbed “advanced persistent threats”.
So what is an APT?
As its name suggests, an APT is a highly targeted attack aimed at a specific person, department or organization. Hackers who use APTs will often apply social engineering techniques, or “head-hacking”. This means that the hacker attempts to use information that we make available ourselves through social networking and social media sites to gain access to our network. The hacker could pose as a friend, an acquaintance, or a co-worker in order to build more believable and convincing attacks against us.
For example, a hacker may send us a tailored email from our boss with an attached document called something like “staff_salaries.doc”. If human curiosity takes over and the document is opened, the victim’s machine will have been compromised, allowing malicious code to be installed on the internal network. This can become a stepping stone to the rest of the network, and even to the supply chain beyond the immediate organization.
It is at this stage that the attack becomes an APT – the computer is now under the control of the attackers, giving them access to confidential intellectual property, or even the ability to disrupt operations. Once that one machine is compromised, the hacker will begin a long-term campaign of attacks, very different from the “smash-and-grab” approach of traditional malware.
Though APTs are seen across all industries, those most targeted are government, chemical/pharmaceutical, manufacturing, and finance. The enterprises that are targeted tend to be larger, well-known organizations with more than 2,500 employees.
Not surprisingly, most of these attacks occur in the U.S., originating from free webmail servers, at an average rate of one APT detected every day. In Canada, one in 513 users is attacked, with a rate of one attack every 8.8 days.
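The lure described above combines three signals a mail gateway can check for: a display name that matches an internal sender but an address that does not, a free webmail sending domain, and a document attachment. The following scorer is an added example for this post, not Symantec's own tooling; the webmail list, the staff directory, the example-corp.test domain and the sample messages are all constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed reference data (assumptions, not from the report).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
DIRECTORY = {"jane doe": "jane.doe@example-corp.test"}  # display name -> corporate address
RISKY_EXT = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".zip", ".exe")

def score_message(raw: bytes) -> dict:
    """Return the spear-phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # The display name belongs to an employee but the address is not their corporate one.
    corporate = DIRECTORY.get(name.strip().lower())
    if corporate and addr.lower() != corporate:
        reasons.append("display name impersonates an internal sender")
    if domain in FREE_WEBMAIL:
        reasons.append("sent from a free webmail domain")
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    if any(a.lower().endswith(RISKY_EXT) for a in attachments):
        reasons.append("carries a document attachment")
    return {"from": addr, "attachments": attachments, "reasons": reasons, "score": len(reasons)}

# Constructed sample resembling the lure described in the text.
SAMPLE = b"""From: Jane Doe <jane.doe.ceo@gmail.com>
To: staff@example-corp.test
Subject: Please review before the meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/msword; name="staff_salaries.doc"
Content-Disposition: attachment; filename="staff_salaries.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
# Constructed legitimate message from the real corporate address, no attachment.
BENIGN = b"From: Jane Doe <jane.doe@example-corp.test>\nTo: staff@example-corp.test\nSubject: Hi\n\nLunch?\n"
if __name__ == "__main__":
    for raw in (SAMPLE, BENIGN):
        print(score_message(raw))
```

A score of 3 on the lure and 0 on the legitimate mail shows the value of combining the signals: any one of them alone (a colleague mailing from a personal account, say) is common enough to be noisy.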
Potential impact of APTs
With an estimated 48 billion emails in circulation every day, an APT is a relatively rare occurrence, though undeniably on the rise. Intellectual property will always have value in a competitive market, so the key is to properly estimate whether your organization is a target. Remember, you may not be the primary target – the hacker may use you to get to your supply chain. No one wants their business to be the weakest link in the chain.
Reinforce your defences
Symantec has worked with and helped some companies who have been victims of APTs. We have developed a number of best practice guidelines for both companies and consumers, which are outlined in the November Symantec Intelligence Report. Take a look at what we’ve found, and begin reinforcing your defences now.
Other highlights from the Symantec Intelligence Report: November 2011
- Spam – 69.5 per cent of total email in Canada (a global decrease of 3.7 percentage points since October 2011)
- Phishing – One in 242.2 emails identified as phishing in Canada (a global increase of 0.04 percentage points since October 2011)
- Malware – One in 255.8 emails contained malware (a decrease of 0.03 percentage points since October 2011)