Proaktiv IT säkerhet
 

Targeted attacks: More "Bang for the Buck"

Introduction

In our security article at the beginning of this year, Email spam - an old-fashioned technique?, we discussed reasons why the volume of traditional email spam had decreased in recent weeks. Different explanations were offered.

In a Cisco report published in June this year - Email Attacks: This Time It’s Personal - a similar approach is taken. The report examines which attack types are most profitable.

The Cisco report's findings

Types of attack

Cisco divides the types of attacks into two categories:

  • Mass attacks
  • Targeted attacks

Mass attack techniques are typically used when the attacker has little or no information about those who are attacked. The idea is that a sufficient number of (interesting) persons/organizations will respond according to the attacker's intent. This number will usually be a very small percentage of the total number that was initially attacked.

Targeted attacks, on the other hand, are, according to Cisco:

(...) highly customized threats directed at a specific user or group of users typically for intellectual property theft. These attacks are very low in volume and can be disguised by either known entities with unwitting compromised accounts or anonymity in specialized botnet distribution channels. Targeted attacks generally employ some form of malware – and often use zero day exploits – in order to gain initial entry to the system and to harvest desired data over a period of time. With these attacks, criminals often use multiple methods to reach the victim. Targeted attacks are difficult to protect against and have the potential to deliver the most potent negative impact to victims.

Interestingly, the so-called spearphishing attacks are placed in the mass attack category. Cisco differentiates spearphishing and targeted attacks this way:

A targeted attack is directed toward a specific user or group of users. A spearphishing attack is usually directed toward a group of people with a commonality, such as being customers of the same bank.

The following comparison table is used:

Attributes                 Targeted attacks                    Spearphishing attacks
Intent                     Intellectual property theft         Financial gain
Malware                    Yes, often with zero-day exploits   Possibly
Target reconnaissance      Yes                                 No
Level of personalization   Very high                           Some


In this article, we will use the term focused attacks to include both of these attack types.

Attack economics

The Cisco report compares different types of attacks and their potential for financial gain. The findings indicate that while the initial cost of, e.g., a mass phishing attack is lower than that of a spearphishing attack, the potential for financial gain from the latter is relatively higher. The expected revenue from the same investment is higher if used for spearphishing attacks than for mass attacks.

The report illustrates this with monetary examples - we refer to the report for more details.

The overall result is a shift from mass attacks to more focused attacks. The initial investment in a focused attack will be higher, but the cybercriminals seem to be willing to increase their investment in order to further increase the expected gain (purely financial or other).

Organizational loss

An organization that is the victim of any successful attack suffers in three different ways:

  1. Financial/Monetary
  2. Remediation
  3. Reputation

Cisco has conducted primary research with 361 organizations to evaluate the impact of attacks.

Interestingly, the results show that the impact of the remediation cost per infected user is 2.1 times that of the monetary loss. The impact of the reputation cost is even higher - 6.4 times the direct monetary loss.

Implications from the Cisco report

There are several implications that result from the Cisco report. Let us elaborate on a few.

Fewer mass attacks

Since the cybercriminals seem to shift from randomly directed mass attacks to more focused attacks (spear attacks and targeted attacks), the total volume of spam (malicious and not) will decrease. This is an obvious advantage, as "the average user" will be less bothered with "noise" that has to be filtered (automatically and/or manually).

The average user will also be less at risk of becoming the victim of an attack, as the total number attacked is smaller.

Larger consequences for those attacked

Those who are attacked, however, are more exposed.

  • The probability that the attacker succeeds is much greater.
  • The consequences for the attacked person or organization are greater; direct monetary loss is of relatively minor consequence.

Target diversification

Since attacks are becoming more targeted, the probability for "the average, private person" to become a victim is lower. Potential targets will change to individuals belonging to organizations that for various reasons are viewed as interesting targets.

If an organization sees itself as a potential target, the rational behavior is probably to invest more in protection systems than previously.

We refer to our article last week about targeted attacks, and the fact that it is almost impossible to fully protect against them. Resources should also be allocated to action plans for what to do if the organization is compromised. This may, e.g., reduce the financial consequences of remediation as well as the reputation loss if the organization is successfully attacked.

 
