SMBs Not Immune To Targeted Attacks

Joe Stewart, a longtime researcher at Dell SecureWorks, said manufacturers or distributors in the supply chain and services organizations, such as small law firms, could be at risk of an attack. The attacks commonly begin with a spearphishing email and, if successful, the cybercriminal organization can hop from system to system, remaining stealthy for as long as it takes to achieve its objective.

"It can be unexpected where they might pop up," Stewart said of a targeted attack. "If you are likely to have something they're interested in or if you are doing something to annoy them then, yes, you have to look at all the services you trust around you that you are using in order to conduct business or keep yourself private."

[Related: 5 Most Dangerous New Hacking Techniques ]

Security firms have been documenting advanced persistent threats and have warned that intellectual property is being stolen at alarming rates. Alexandria, Va.-based security firm Mandiant issued a report documenting as many as 20 China-based groups that it suspects are being controlled by the Chinese government. A rash of data breaches, from The New York Times to Facebook and Apple have illustrated that no organization is immune.

"They might not care about your IP, but they might entrench themselves in a network to make sure they can always use it as a conduit," Stewart said.

Dell SecureWorks is expanding its incident response services, providing organizations with a threat assessment to determine a company's ability to detect, respond to and resist a cyberespionage attack. The expanded services include an assessment for withstanding denial-of-service attacks, a tool that some experts believe can be used by attackers to throw off incident response teams.

Successful attacks are increasingly being uncovered. In late February, Kaspersky Lab released information about targeted attacks against 59 organizations in 23 countries, including organizations in the U.S. The goal is to steal data and spy on the infected system, according to analysis of the malware found on victim machines. The attacks all share the same exploit -- an Adobe Reader zero day -- and Kaspersky identified it as MiniDuke because it resembles an earlier targeted attack called Duqu. Once inside, communication is encrypted, more malware can be downloaded and the attackers have remote access to hop to new systems on the corporate network. The group behind the attacks remains a mystery.

"This is something that appears to be cyberespionage but it doesn't tie back to any place in the world that anybody has found yet. So it's a mystery, and that's the kind of things that inspire us to dig deeper," Stewart said.

Stewart and Silas Cutler, a Dell SecureWorks security researcher, are sharing their sinkholing tools and techniques with other security researchers. The goal is to glean new insight into the hordes of data being captured in sinkhole servers and avoid duplication of work, Cutler told CRN.

Cutler calls the new sinkhole technique Proximity. He said it was developed to help dial down the unwanted noise in Internet traffic to identify and analyze interesting data. Last year SecureWorks researchers took control of a domain at a university used by a group of hackers known for its advanced persistent threat activity and determined that the target of the campaign was the university's research laboratory, which does military research projects.

"We're classifying data and starting to identify and weed out which parts of malware families are commodity and which parts are APT," Cutler said. "We saw someone with a 'World of Warcraft' botnet stealing passwords and on the other side we saw targeted attacks where there are clear motives and objectives."

PUBLISHED MARCH 11, 2013