In a recent article for techtalk titled, “Targeted Attacks or Untargeted Attacks—Which is Most Common?” Kayla Elliot explains the importance behind knowing the difference between targeted attacks and opportunistic attacks. While opportunistic (or “untargeted”) attacks are not focused on an organization, nor their specific information, they are more focused on vulnerabilities and computing power to conduct other types of attacks. In a targeted attack, your systems are not the objective, your data is, and you have something they want.

All companies are subject to opportunistic attacks, but do you know if you are subject to a targeted attack based on the data you generate or maintain? In this podcast, LBMC’s Bill Dean addresses this question while diving deeper into the key differences between targeted attacks and opportunistic attacks.

Listen to Podcast

Listen, and discover these key takeaways:

  • An explanation of the key differences between targeted attacks and opportunistic attacks
  • How to know if you are vulnerable to a targeted attack
  • Essential action items you should take to build your resilience against opportunistic attacks
  • Helpful exercises you should perform to defend against a targeted attack

Subscribe to the Cybersecurity Sense Podcast on iTunes.

To learn more about LBMC or to speak to one of our trusted professionals about our services, including prevention of opportunistic and targeted attacks, contact us today!

Targeted Attacks Compared to Opportunistic Attacks

This topic is something we discuss often here at LBMC, both internally and externally, as it is very important to understand the differences. These thoughts are further conveyed by a post from Kayla Elliot on the techtalk site. The post is titled, “Targeted Attacks or Untargeted Attacks—Which is Most Common?” There are some very good points in the article that I want us to add to.

While the article references “untargeted attacks,” and is applicable, we like to refer to these as “opportunistic attacks.” Opportunistic attacks are not focused on an organization nor its specific information. These attacks are more focused on vulnerabilities and computing power to conduct other types of attacks. Commons examples are:

  • Remote Desktop services available to the Internet. This is an opportunity to gain access to the systems to perform many nefarious acts:
    • Install Bitcoin miners
    • Deploy ransomware
    • Use these systems to obfuscate the attacks on other targeted attacks
  • Spam emails to infect internal systems with ransomware
  • Phishing emails to gather mailbox access for future spear phishing attempts
  • Previously identified vulnerabilities that can now be exploited for benefit of future attacks
  • Web application platforms vulnerable to specific types of attacks

Essentially, opportunistic attacks are focused on the benefit of compromising your systems in their endeavors. This can be mining Bitcoins, getting a ransom payment, sending trusted phishing emails, harvesting credentials, etc.

The point here is that they are not focused on YOU or your organization as far as the specific data types or the value of the data that you have.

If you don’t provide what they seek, they move on to another organization to meet their needs

As the referenced article summarizes, what we call “opportunistic” “attacks are when hackers have no specific vertical, business, or person they are attacking.”

However, while we call it “opportunistic,” the impact can still be very serious. The organization, while not “targeted,” still faces:

  • Potential business outages and ransom payments from ransomware infections
  • Potential brand issues when spear phishing emails requesting credentials are sent to clients and prospects
  • Additional brand issues if a website is defaced or infected with malware
  • Potential disclosure issues if mailboxes are accessed that contain PII, ePHI, or payment information
  • System performance issues from malware infections mining Bitcoins (best case scenario)

Now, let’s talk about targeted attacks.

Let’s begin by disclosing that I am not a motivational speaker. I have been leading incident response engagements for more than a decade.

In a targeted attack, your systems are not the objective, your data is. You have something they want. It can be anything from ePHI, intellectual property, trade secrets, financial information, M&A information, etc. This information is specific to your organization.

If the attacker group cannot find a vulnerability, they do not quit and move on. You are the target, and they persist. They do not quit easily.

These are the high-profile attacks we hear about such as RSA, Heartland, Equifax, Target (no pun), Home Depot, and thousands of cleared defense contractors that we will never hear about, and numerous other entities that do not have a duty to disclose publicly (law firms).

This is where the marketing term “APT” came from. An advanced persistence threat does not concede when their first attempts fail; they continue until they succeed.

Most defenses depend on known “bad” signatures. The attackers develop new malware and attack approaches not previously seen.

They will exploit vulnerabilities not previously known (0-day).

They will compromise the networks of small companies that are soon to be acquired. When the infected networks join the clean networks, all is not infected. (Example: pediatrician “well room/sick room” analogy) This approach has produced many of the data breach case studies that we have cringed after reading.

Now, I will be honest that many organizations do not fall into this category. I will also disclose that many are vulnerable because they do not know they are in this category.

Some basic questions to help are:

  • Do we have information that is valuable to nation states?
  • Do we have information that cannot be obtained somewhere else?
  • Are we part of a supply chain for valuable products?
  • Do we have patents pending?
  • A link in the references below clearly outlines information that a specific nation state seeks. I have used a slide with this information in my incident response talks for years. Over the past year or so, they have exchanged the term “materialize” with R&D numbers. Make no mistake, they seek this information from us. Do you have any of the information they seek? If so, you are a target.

Takeaways

Opportunistic and targeted attacks are not the same. While the objectives are different, the impact can still be devastating if they succeed.

All companies are subject to opportunistic attacks. Do you know if you are subject to a targeted attack based on the data you generate or maintain?

Action

Routine vulnerability assessments and penetration tests, along with social engineering will help build your resilience against opportunistic attacks. In addition, stay abreast of vulnerability disclosures between tests for protection.

Targeted attack protection builds on that with:

  • Purple-teaming exercises to ensure your security controls are effective
  • Adversary simulation exercises help you understand how well you can defend yourself against a targeted attack and assist in improving your controls

References:

https://techtalk.pcpitstop.com/2018/09/13/untargeted-targeted-attacks-untargeted/
http://www.china.org.cn/china/2012-09/24/content_26607377.htm

Bill Dean is a Senior Manager at LBMC. While involved in various aspects of LBMC’s security services, he is also the practice lead for the organization’s incident response, forensics, and litigation support practice.