Abstract
Recent high-profile attacks against governments and large industry demonstrate that malware can be used for effective industrial espionage. Most previous incident reports have focused on describing the anatomy of specific incidents and data breaches. In this paper, we provide an in-depth analysis of a large corpus of targeted attacks identified by Symantec during the year 2011. Using advanced triage data analytics, we are able to attribute series of targeted attacks to attack campaigns quite likely performed by the same individuals. By analyzing the characteristics and dynamics of those campaigns, we provide new insights into the modus operandi of attackers involved in those campaigns. Finally, we evaluate the prevalence and sophistication level of those targeted attacks by analyzing the malicious attachments used as droppers. While a majority of the observed attacks rely mostly on social engineering, have a low level of malware sophistication and use little obfuscation, our malware analysis also shows that at least eight attack campaigns started about two weeks before the disclosure date of the exploited vulnerabilities, and therefore were probably using zero-day attacks at that time.
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Thonnard, O., Bilge, L., O’Gorman, G., Kiernan, S., Lee, M. (2012). Industrial Espionage and Targeted Attacks: Understanding the Characteristics of an Escalating Threat. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_4
DOI: https://doi.org/10.1007/978-3-642-33338-5_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33337-8
Online ISBN: 978-3-642-33338-5
eBook Packages: Computer Science (R0)