Defending Against Targeted Attacks
Kevin Epstein of Proofpoint on New Strategies, Solutions

More than merely a phishing incident, a targeted attack is part of an advanced persistent threat. How can organizations defend against these attacks? Kevin Epstein of Proofpoint offers insight.
"Targeted attacks refine the tactics of phishing," says Epstein, VP of product marketing at Proofpoint Inc. "Instead of blasting the same email indiscriminately, targeted attack emails are sent to a very limited set of very specific or chosen enterprise users."
These users are chosen often through social networks such as LinkedIn, and they are targeted because of their position within an organization. They have access to the information the fraudsters want.
And the attackers are stealthy, Epstein says. Their messages often appear authentic - even though they are malware-laden. Defending against these attacks is the new challenge.
"The challenge of detection has gone from spotting an army of people dressed in red coats, coming over the hill, phishing, to finding the few folks sneaking in, carrying time bombs - targeted attacks."
In an interview about defending against targeted attacks, Epstein discusses:
- Today's most common threat vectors;
- Why many organizations are ill-prepared to detect or defend against these attacks;
- How organizations can respond to targeted attacks.
Epstein is the most recent addition to the Proofpoint product marketing team, directing Proofpoint's global product marketing initiatives. He is also a lecturer at Stanford University and author of the popular trade book Marketing Made Easy (Entrepreneur Magazine Press). Prior to joining Proofpoint, he was VP Marketing at Drobo (Data Robotics, Inc.), a prosumer and SMB storage appliance company; served as an executive at CloudShare, a cloud computing and virtualization SaaS company; was an Executive in Residence (XIR) at Mohr Davidow Ventures; and served as the Vice President of Marketing and Products at Scalent Systems. Prior to that, he founded VMware's outbound marketing organization. Mr. Epstein previously held management positions at Inktomi, RealNetworks and Netscape. He holds several patents, has founding experience at three successful small business ventures, and is committed to innovation and appropriate marketing, serving as an outside adviser to venture-backed and individual entrepreneurial start-up companies. He holds a BS degree in Physics from Brown and an MBA from Stanford.
Defining Targeted Attacks
TOM FIELD: We often associate the term "targeted attack" with phishing or with the advanced persistent threat. Tell us please: how have these attacks evolved and what do you find to be today's most common threat vectors?
EPSTEIN: Among organizations, especially those that have information worth stealing, a targeted attack is different than traditional phishing attacks and is part of an ongoing advanced persistent threat, or APT. A phishing attack is basically sneaky spam. Instead of bombarding you with a thousand ads for Viagra, an open ad, traditional basic phishers send a thousand of the same generic fake e-mails and there's a link to click on in the e-mail. The e-mail purports to be from your bank, delivery company or dating service - anything to get you to click on the link. Much like a spam advertisement, phishers are basically playing a numbers game. They hope e-mails get through security filters and enough people click on a link to either provide their real banking login credentials or allow a malware download to make it worth the phisher's time. Again, a certain percentage has to get through so they just do a volume attack.
Now fortunately, many of these traditional phishing attacks are detected and caught in enterprise environments because the environments have the right e-mail security gateway solution deployed and configured at the perimeter. Using a combination of reputation and signature analysis, typically you can catch a basic mass-volume phishing attack.
On the other hand, targeted attacks refine the tactics of phishing. They basically borrow from the business world of customized marketing. For example, instead of blasting the same e-mail indiscriminately, targeted attack e-mails are sent to a very limited set of very specific or chosen enterprise users. Attackers really effectively use leaked org charts, LinkedIn or other public websites to do their research and pretty quickly determine the specific users through whom they can accomplish their attack objectives.
Another point of difference in a targeted attack versus a phishing attack is the actual message itself. Targeted messages are deliberately stealthy. They're sent from a wide range of IP addresses with good reputations and they're customized to the recipient population. We've seen e-mail messages that have used co-worker and manager names, referenced LinkedIn connections and Facebook updates, and they rotate through various permutations to simultaneously make the e-mail seem normal to the end-user but unique, in other words not part of a pattern to the e-mail protection system. The result is that e-mail remains the big vector for malware. After all, it's the easiest way to target individuals. But the challenge of detection has gone from spotting an army of people dressed in red coats coming over the hill - phishing - to finding the few folks sneaking in carrying time bombs - targeted attacks.
Risks to Specific Sectors
FIELD: What do you find to be some of the specific risks to industries such as healthcare and financial services? What are typically the types of losses that these organizations are suffering because of targeted attacks?
EPSTEIN: Healthcare and financial institutions have all of the risks faced by any other company, and they have a lot more. For example, every industry, from defense to technology to manufacturing and retail, has significant intellectual property and sensitive information that attackers are after. And healthcare and financials are no different in that regard, but healthcare and financial institutions also have the challenge of dealing with extremely sensitive, very privileged and regulated client information. They have to protect this not only from deliberate outside attack but internal inadvertent loss, what we're calling the "oops" factor.
Given that, this data - which includes things such as health records, Social Security information, banking account information, credit card data, you name it - is particularly popular among attackers as it's the type of information that's really fungible. It's easily monetized on the black market. You can sell it really easily, unfortunately, and so the problem we're facing with healthcare and financial institutions is that you're like a bank in the old days. You're a large, obvious target. You're where the money is. You're a giant pot of gold where attackers can find very, very marketable, saleable information in large chunks, and all the attacker has to do is get access to the right corporate network with one compromised machine.
Back to phishing: why would you go hit a whole bunch of random people with phishing, trying to get one credit card, when you could go where the money is? Hit a healthcare institution or financial institution and get a ridiculous amount of highly lucrative, easily sellable data. The worst part is that healthcare and financial institutions suffer twice when they lose data, because they suffer both from the classic regulatory and civil penalties as well as brand damage. It's just doubly painful.
Security Gaps
FIELD: With that as our context, in what ways do you find that organizations are ill-prepared today to either detect or defend against these attacks?
EPSTEIN: The challenge is that you can be a super well-prepared company for yesterday's threats with a great security posture looking backward, and yet you can be completely unable to defend against these new targeted attacks, and we've seen that result every week in the news. Now this isn't the company's fault. Again, this is a company that could be well prepared against yesterday's attacks. It's just that yesterday's attacks are mainly traditional, perimeter-based defense approaches and the perimeter-only tools can't handle the new type of attack. The detection technology just didn't exist 18 months ago.
In a recent attack we saw, hostile e-mail represented less than 0.06 percent - I can't figure out if that's ten thousandths of a percent - of the targeted company's e-mail flow. And the IP addresses of the senders and the sender aliases were rotated in the attacking e-mail, so no two e-mail addresses were alike. There are no volume triggers that are going to be set off, and there are no attachments to the e-mail, only embedded URLs. There's nothing in there to trigger virus filters.
In addition, the reputations of the sending IPs and the compromised URLs in the e-mail were all neutral or positive. Nothing was going to trip that tripwire alarm either. The combination of mass-customization and proportionally low-volume made this industrial phishing attack, if you will, effectively invisible to traditional anti-spam products. Unfortunately, the result is that the attackers got very widespread access to corporate networks. The e-mail all got in. Then, once the e-mail is in, once it has cleared that perimeter and is sitting in people's inboxes, effectively the companies were dead men walking. There's no recourse because almost 20 percent of people click on links in e-mail outside of a traditional corporate perimeter: on their mobile devices, from home, from the road. Any perimeter firewall or web sandboxing isn't going to block those clicks. It's not going to block the threats.
Again, this isn't a company's fault. The technology to do this kind of real-time big-data analysis and checking of these URLs that were clicked on wasn't mature 18 months ago, but it's certainly time to be looking very explicitly at targeted-attack protection, and any solution that company promises for that can't be perimeter-only. It has to be cloud-based and more holistic.
Mobile Risks
FIELD: How does mobility complicate the risk landscape for security leaders?
EPSTEIN: Mobility definitely makes the threat landscape much more complicated for organizations because there are no walls. There's no defined secure perimeter. In the good-old days, it used to be that we could keep everyone in the physical building on a single, physically connected network. We could examine all data coming and going, passing into and out of the organization. Now, the truth is data is everywhere. Data is on your phone. Data is on your cloud account; your tablet accessed from your house. [You] check it from the hotel or the airport, and we click on links everywhere. When you click on a link, the browser may or may not pass through your corporate firewall or other web-checks on the way to the site. Odds are if you're on the road, it's not going to do that.
With more companies agreeing to let users bring their own devices inside the network perimeter, it's pretty obvious that challenges will continue to grow because enterprises need to protect themselves from other folks' exposure in the wide world. It's like letting your kids go out to kindergarten. They're going to bring back things. Not all of those things are pleasant. People will go out; they will click on links and then bring back those compromised devices and connect back into the corporate environment.
Unfortunately for security folks, we can't deploy a heavy-handed isolationist approach. Data and mobility will happen. Deploy solutions that work on the data versus on the device, because you want to be protected wherever you open the link. You don't want to know that you're protected on your laptop and not protected on your mobile, for example. The solution has to be associated with the data, not the place you're opening it. The solution has to be deployed in a transparent way so that users aren't pushed to circumvent the security you're putting in place. Those two aspects - data everywhere/data attached and transparency - have to be a key consideration for such security solutions.
Security Solutions
FIELD: Let's discuss solutions now. In what ways does Proofpoint help organizations respond to these targeted attacks we've been discussing?
EPSTEIN: In an ideal world, any solution addressing targeted attacks would do a few things. First, the solution would not interfere with mail flow. It can't interfere with mail flow. Imagine if TSA screeners at the airport prevented every suspicious person from flying. We'd never get any work done. I personally would never make it through the checkpoint. Secondly, a good solution would follow the e-mail, because you want to know whether the embedded URL is going to be protected even if you click on it on your phone or at home, or forward it to a client. You don't want to be device-specific. A good solution is just going to protect the e-mail, the URL in the e-mail, no matter where it's clicked on.
To that point, third, a good solution would check that URL every time you click on it, because a URL's characteristics can change. Something that was healthy today may have malware added to it tomorrow. You want to check each time you click before letting the end-user's browser proceed.
Lastly, a good solution is going to give IT a dashboard so they can see who clicked on what, when and where, so if something does get through you're going to get alerted earlier and have a lot more precise direction as to the threat.
In fact, that's what Proofpoint built with our targeted attack protection product. First of all, we used big-data techniques to model every protected user's (our clients') e-mail patterns. We can tell you if you're getting an e-mail that's suspicious even if the e-mail itself claims to come from one of your friends. Then, we also scan every URL embedded in those e-mails using our malware detection service. We go out and check the destination. We look for dangerous exploits and credential attacks, and, even if the initial check comes back okay, we're still going to rewrite the URL in that e-mail and then go ahead and let the e-mail be delivered. But every time you click on that URL, it will go back and check our malware detection service before letting your browser proceed. We're checking at click time.
Lastly, our threat insight service within the Proofpoint targeted-attack protection product provides insights into exactly which URLs went bad, when those e-mails were delivered, who clicked on them and when they clicked on it - all the information you're going to need just in case someone clicked before the system was able to detect that the e-mail had gone bad. There's an open window there. You'll know exactly who needs remediation from what type of threat.
Bluntly, in the attack game, data is king. Insight is priceless so we decided to provide that. That's the product. It's the industry's first of its kind. It works. It does seem to dramatically reduce targeted attacks and assist in the remediation of the few that get through. We're pretty proud of it.
Where to Begin
FIELD: Where should organizations start? How should they begin to assess and then respond to their risks?
EPSTEIN: As a former IT guy, I think it's crucial to answer two questions. Number one: do I even think I know how many attacks I'm suffering weekly? And number two: how would my systems and my team handle the attacks that get through? As far as part one goes, the easiest way to assess your attack status is to get a vendor to do the audit for you, bluntly. Get someone to come in and examine the actual inbound e-mail flow and determine the volume of hostile URLs over a period of a few weeks - real data counts. Most vendors will be happy to have that opportunity and do it for free. Proofpoint, for example, offers an easy, pretty well-structured audit for targeted attacks in your environment, and such an analysis will give you real data to take back to the team and make a rational risk tradeoff as to whether it's worthwhile to invest in a specific product.
Part two is also important. If your current method of threat incursion, detection and response is someone coming in and waving e-mail printouts and going, "I clicked on this link last week and now my computer is acting funny," it would probably be a good idea [to have] a product that would give you a little more real-time dashboard and insight capability than that. You want to look at both aspects: how big is the threat, and what's my potential response to it? But again, as is said in so many contexts, the first step is to understand if you have a problem. Give us a shout here at Proofpoint. We can help.