• Trials & Downloads
  • Personal / Home Office products
  • Business Products
  • Malware Cleaner
  • Installers
• • Corporate
  • Norge
  • France
  • Deutschland
  • Sverige
  • Danmark
  • Suomi
  • Nederland
  • Schweiz
  • España
  • United States
  • United Kingdom
  • Italia
• About Norman
  • Vision & Values
  • Management Team
  • Our Technology
  • Awards & Certifications
  • Customer Cases
  • Press & Media Center
  • Events
  • Careers
  • Subscribe to newsletter
  • Contact Us

Security Center

Targeted attacks: More "Bang for the Buck"

2011-07-08 [Malware discussion, Protection projects, Social engineering, Spam, Spreading mechanisms, Trends & predictions]

Introduction

In our security article at the beginning of this year, Email spam - an old-fashioned technique?, we discussed reasons why the volume of traditional email spam had decreased in recent weeks. Different explanations were offered.

In a Cisco report published June this year - Email Attacks: This Time It’s Personal - a similar approach is taken. The report examines which attack types that are most profitable.

The Cisco report's findings

Types of attack

Cisco divides the types of attacks into two categories:

• Mass attacks
• Targeted attacks

Mass attacks techniques are typically used when the attacker has little or no information about those that are attacked. The idea is that a sufficient number of (interesting) persons/organizations will respond according to the attacker's intent. This number will usually be a very small percentage of the total number that was initially attacked.

Targeted attacks on the other hand, are, according to Cisco :

(...) highly customized threats directed at a specific user or group of users typically for intellectual property theft. These attacks are very low in volume and can be disguised by either known entities with unwitting compromised accounts or anonymity in specialized botnet distribution channels. Targeted attacks generally employ some form of malware – and often use zero day exploits – in order to gain initial entry to the system and to harvest desired data over a period of time. With these attacks, criminals often use multiple methods to reach the victim. Targeted attacks are difficult to protect against and have the potential to deliver the most potent negative impact to victims.

Interestingly, the so-called spearphishing attacks are placed in the mass attack category. Cisco's differentiates spearphishing and targeted attacks this way:

A targeted attack is directed toward a specific user or group of users. A spearphishing attack is usually directed toward a group of people with a commonality, such as being customers of the same bank. The following comparison table is used:

Attributes	Targeted attacks	Spearphising atacks
Intent	Intellectual property theft	Financial gain
Malware	Yes, often with zero-day exploits	Possibly
Target reconnaissance	Yes	No
Level of personalization	Very high	Some

In our discussion in this article, we will use the term focused attacks, to include both these attacks types.

Attack economics

The Cisco report compares different types of attacks and their potential for financial gain. The findings indicate that while there is a lower initial cost of e.g. a mass phishing attack versus a spearphishing attack, the potential for financial gain from the latter is relatively higher. The expected revenue from the same investment is higher if used for spearphising attacks than for mass attacks.

The report illustrates this with monetary examples - we refer to the report for more details.

The overall result is a shift from mass attacks to more focused attacks. The initial investment in a focused attack will be higher, but the cybercriminals seem to be willing to increase their investment in order to further increase the expected gain (purely financial or other).

Organizational loss

An organization that is the victim of any successful attack suffer in three different ways

1. Financial/Monetary
2. Remediation
3. Reputation

Cisco has conducted primary research with 361 organizations to evaluate the impact of attacks.

Interestingly, the results show that the impact of the remediation cost per infected user is 2.1 times that of the monetary loss. The impact of the reputation cost is even higher - 6.4 times the direct monetary loss.

Implications from the Cisco report

There are several implications that result from the Cisco report. Let us elaborate on a few.

Less mass attacks

Since the cybercriminals seem to shift from randomly directed mass attacks to more focused attacks (spear attacks and targeted attacks), the total volume of spam (malicious and not) will decrease. This is an obvious advantage, as "the average user" will be less bothered with "noise" that has to be filtered (automatically and/or manually).

The average user will also be less at risk to be the victim of an attack, as the total number attacked is smaller. 

Larger consequences for those attacked

Those who are attacked however, are more exposed.

• The probability for the attacker to succeed is much greater.
• The consequences for the attacked person or organization is higher; direct monetary loss is of relatively minor consequence.

Target diversification

Since attacks are becoming more targeted, the probability for "the average, private person" to become a victim is lower. Potential targets will change to individuals belonging to organizations that for various reasons are viewed as interesting targets.

If an organization sees itself as a potential target, the rational behavior is probably to invest more in protection systems than previously.

We refer to our article last week about targeted attacks, and the fact that it is almost impossible to fully protect against those. Resources should be allocated also to action plans for what to do if the organization is compromised. This may e.g. reduce the financial consequences of remediation as well as the reputation loss if the organization is successfully attacked.

• Privacy policy
• License agreement
• Trademarks
• Sitemap
• Contact Us

© Norman ASA