The Rise Of The Customised Security Attack
by Mark Sunner - CTO at MessageLabs - Monday, 7 March 2005.
What about the malware itself? Are the perpetrators using common methods of creating the tools used in these attacks, or is something more sinister going on? To date, most of the viruses, Trojans and worms have been of the same ilk as you’d expect to be used in a random attack. But there is evidence to suggest that this is changing, and there have been some instances of Trojans constructed with a particular organisation in mind. By investigating the defences of a company, it is possible to design a piece of malicious code with the express purpose of circumventing them.

Consider the following scenario. It wouldn’t be too difficult to find out which anti-virus software product a company is using and how efficient that vendor is at issuing signatures for new viruses. All that is then needed are the names of users working in the department most likely to have access to sensitive information, perhaps the financial team. It is possible to create a virus designed to search for documents with particular filenames, such as ‘sensitive’ or ‘confidential’, and email these documents to a designated account.

If this is the first time the virus has been seen, a company using reactive software probably won’t be alerted. By the time the infection is discovered, it will take another few hours to issue a patch. But the damage has already been done, and your highly sensitive information and intelligence have already exited the building.

It isn’t possible to say for certain which organisations are more likely to be targeted with these types of attacks. In reality, any business is a potential victim. However, those with a strong online presence or heavy reliance on ecommerce are most likely to be at risk. Anyone with a high profile brand should also seriously consider this type of threat – it takes years to build a brand but only minutes to destroy it.

Companies relying on generic, blanket security products such as out-of-the-box software may find it most difficult to protect against customised attacks. Software products are generally unable to identify where a threat has come from, and do not have a team of experts acting as an early warning system. A proactive managed service provider has these capabilities, precisely because email traffic must pass through its systems – allowing for analysis of unusual traffic patterns, email origin and new, previously unseen vulnerabilities and malicious code. The perpetrators of email security attacks are learning to adapt their methods according to their target, and are making it personal. To effectively combat this breed of threat, organisations must do the same.
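The scenario above (keyword-named documents mailed out of the building) and the traffic-pattern analysis the article recommends in response can be illustrated with a small gateway-side check. This is an added example, not code from the article or from MessageLabs; the log layout (`from=`, `to=`, `att=`), the domain `example.com`, the keyword list and the burst threshold are all assumptions made for the example.

```python
import re

# Constructed sample of outbound mail-gateway records; the field layout
# (from=, to=, att=) is an assumption for this example, not a real log format.
SAMPLE_LOG = [
    "2005-03-07T09:12:01 from=alice@example.com to=bob@example.com att=budget.xls",
    "2005-03-07T09:13:44 from=alice@example.com to=drop@webmail.example.net att=confidential-q1.doc",
    "2005-03-07T09:13:45 from=alice@example.com to=drop@webmail.example.net att=sensitive-payroll.xls",
    "2005-03-07T09:13:46 from=alice@example.com to=drop@webmail.example.net att=confidential-merger.doc",
    "2005-03-07T09:30:10 from=carol@example.com to=partner@partner.example.org att=agenda.doc",
]

INTERNAL_DOMAIN = "example.com"                  # assumed organisation domain
SENSITIVE_WORDS = ("sensitive", "confidential")  # filename keywords from the article's scenario
BURST_THRESHOLD = 3                              # attachments from one sender to one external address

LINE_RE = re.compile(r"from=(\S+) to=(\S+) att=(\S+)")

def parse(line):
    """Return (sender, recipient, attachment) or None for a malformed record."""
    m = LINE_RE.search(line)
    return m.groups() if m else None

def is_external(addr):
    """True when the address is outside the organisation's own domain."""
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)

def detect(lines):
    """Flag outbound mail matching the exfiltration pattern, without any virus signature:
    (1) a sensitively named attachment leaving the domain, (2) a burst of attachments
    from one sender to a single external address. Returns (sender, to, att, reason) tuples."""
    alerts = []
    counts = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        sender, recipient, attachment = parsed
        if not is_external(recipient):
            continue  # internal mail is out of scope for this check
        if any(w in attachment.lower() for w in SENSITIVE_WORDS):
            alerts.append((sender, recipient, attachment, "sensitive filename to external address"))
        key = (sender, recipient)
        counts[key] = counts.get(key, 0) + 1
        if counts[key] == BURST_THRESHOLD:  # fire once, when the threshold is reached
            alerts.append((sender, recipient, attachment, "attachment burst to one external address"))
    return alerts
```

On the constructed sample this raises three keyword alerts and one burst alert, all for the same sender and drop address, while the ordinary internal and partner mail passes silently.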


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.


Fri, Feb 12th