When planning the cyber defenses of an organization, it’s important to factor in the total threat landscape – including continuing threats as well as emerging security issues. In this way, organizations can create a more holistic data protection posture.

While not seen in many headlines currently, targeted attacks continue to pose a threat to today’s enterprises, and it’s imperative that those in charge of the enterprise’s security keep this risk in mind.

What makes a targeted attack different?

Cyber threat actors are utilizing more sophisticated tactics than ever before – these hackers aren’t just shooting in the dark, hoping for results. Targeted attacks come as part of this more advanced approach to cybercrime.

As opposed to other types of infiltrations, a targeted attack takes place when an actor latches on and pursues a specific target victim, working to compromise the target’s infrastructure while remaining anonymous. This allows the hacker to leverage a specific set and order of malicious procedures to break into the target’s underlying systems, identify valuable data and move this information to a system that is under the hacker’s control.

According to Trend Micro’s research paper, “Understanding Targeted Attacks: The Six Components,” an incident falls under the targeted attack umbrella when it:

Involves a specifically identified target. This could include a high-profile individual or a business. The threat actor behind the attack will spend considerable time, effort and resources pursuing this particular target. Centers around infiltrating the target’s infrastructure to make off with information assets and intellectual property. This data can then fetch the hacker a profit when sold on underground marketplaces or used for fraudulent purposes. Is supported by a persistent hacker. As Trend Micro noted, the cyber attackers launching these types of infiltrations will expend the time and effort necessary to carry out the attack to the data exfiltration stage.

“Attacker groups are increasingly picking targets deliberately to pilfer very specific intellectual property, collect trade secrets, or scoop up troves of valuable customer data,” Trend Micro researchers wrote in the paper. “To accomplish these goals, attackers are not only focusing their efforts on particular industries but specific organizations as well, including specific individuals whom they hope to deceive into helping them infiltrate their target’s network.”

Stages of a Targeted Attack

In addition to involving a persistent hacker aimed at a certain target, these attacks are also defined by the particular stages attackers use to support their success. The stages of a targeted attack include:

Gathering intelligence: Because hackers are willing to put forth the time and effort necessary to ensure they are able to steal the specific data they are after, their persistence begins by gathering as much detail about their target and the systems they use as possible. Cybercriminals will seek out information about the company’s infrastructure technologies, the employees that could potentially be pinpointed and deceived as well as the type of data the business stores. Hackers will even go so far as to uncover specific partnerships between their target and other organizations to help plan their hacking route, such as the case with the infamous Target retail hack.

Because hackers are willing to put forth the time and effort necessary to ensure they are able to steal the specific data they are after, their persistence begins by gathering as much detail about their target and the systems they use as possible. Cybercriminals will seek out information about the company’s infrastructure technologies, the employees that could potentially be pinpointed and deceived as well as the type of data the business stores. Hackers will even go so far as to uncover specific partnerships between their target and other organizations to help plan their hacking route, such as the case with the infamous Target retail hack. Identifying point of entry: After intelligence gathering, hackers will pinpoint the entryway they will leverage to infiltrate the victim’s systems. This phase can include tactics like sending a legitimate-looking, yet fake phishing email with a malicious attachment, monitoring a popular website for a watering hole attack, or creating a backdoor into the victim’s platforms. These backdoors also create an exit for the attacker should they risk being discovered in the entity’s infrastructure.

After intelligence gathering, hackers will pinpoint the entryway they will leverage to infiltrate the victim’s systems. This phase can include tactics like sending a legitimate-looking, yet fake phishing email with a malicious attachment, monitoring a popular website for a watering hole attack, or creating a backdoor into the victim’s platforms. These backdoors also create an exit for the attacker should they risk being discovered in the entity’s infrastructure. Establishing a Command&Control server: Before launching the attack, the hacker must create a place where the victim’s stolen data can be exfiltrated. This requires the use of a C&C server, an external system under the control of the hacker. Trend Micro noted that some attacks have begun leveraging machines inside the victim’s system to act as an intermediary C&C, which can also help spread the malicious infection throughout the organization’s infrastructure.

Before launching the attack, the hacker must create a place where the victim’s stolen data can be exfiltrated. This requires the use of a C&C server, an external system under the control of the hacker. Trend Micro noted that some attacks have begun leveraging machines inside the victim’s system to act as an intermediary C&C, which can also help spread the malicious infection throughout the organization’s infrastructure. Using lateral movement: This tactic helps hackers hide their identities throughout the attack, and hinges on the use of actual system admin tools to cover their malicious tracks. This makes it difficult – yet not impossible – for an organization to pinpoint suspicious activity connected with a targeted attack, thus slowing their response and providing more time for hackers to steal sensitive data. Lateral movement is a process that takes place continually during nearly every phase of the attack to help ensure the hacker isn’t discovered before he or she is able to exfiltrate stolen data.

This tactic helps hackers hide their identities throughout the attack, and hinges on the use of actual system admin tools to cover their malicious tracks. This makes it difficult – yet not impossible – for an organization to pinpoint suspicious activity connected with a targeted attack, thus slowing their response and providing more time for hackers to steal sensitive data. Lateral movement is a process that takes place continually during nearly every phase of the attack to help ensure the hacker isn’t discovered before he or she is able to exfiltrate stolen data. Maintaining presence: According to Trend Micro, the most successful targeted attacks are those that involve a long-term hacker presence within the victim’s infrastructure.”Like anything else, the hacker needs to perform maintenance on an attack in progress to keep it operational,” Trend Micro researchers explained. “This can include using different backdoors and C&C servers, or the use of patches to ensure that the other attackers can’t exploit the same vulnerabilities using in the attack.”

According to Trend Micro, the most successful targeted attacks are those that involve a long-term hacker presence within the victim’s infrastructure.”Like anything else, the hacker needs to perform maintenance on an attack in progress to keep it operational,” Trend Micro researchers explained. “This can include using different backdoors and C&C servers, or the use of patches to ensure that the other attackers can’t exploit the same vulnerabilities using in the attack.” Exfiltrating data: The overall goal of any targeted attack is the final phase in which hackers actually steal the victim’s valuable data. While this process contains the real payload attackers are after, it is also the most difficult and dangerous part of the targeted attack procedure. Because data exfiltration creates considerable traffic on the victim’s network, hackers risk discovery and attempt to leverage an array of different strategies to quiet the “noise” created by the act of data theft. Attackers may leverage an internal C&C to hide this traffic and slowly exfiltrate data in a more controlled way.

“Targeted attacks are a significant problem for any organization today, and will continue to be so for the foreseeable future,” Trend Micro noted. “It is important for those playing defense to understand that the threat landscape is constantly changing in order to create the appropriate defenses necessary.”

How can businesses guard against targeted attacks?

When it comes to protection, awareness and education are the first steps. Business and IT leaders must keep in mind that while other threats may be taking much of the spotlight currently, targeted attacks aren’t something that can be overlooked.

Enterprises should also leverage a Breach Detection System to ensure that the suspicious activity and network traffic associated with a targeted attack can be identified as quickly as possible. In this way, the organization is in a position to respond and stop the attack before hackers can make off with stolen data.

Trend Micro’s Deep Discovery is an ideal breach detection system, recommended by NSS Labs for three years in a row. This best-in-class safeguard uses specialized engines, custom sandboxing and other advanced techniques to analyze infrastructure in-depth and ensure an organization’s rapid response to top threats.

Click here to find out more.