Targeted Not Targeted

In the past, I used to encounter people who consistently expressed skepticism about truly targeted activity: “why would a nation-state target us?” Following the onslaught of publicly available reports of APT activity over the years, I more commonly encounter those who interpret indiscriminate malicious activity encountered by their organization as targeted: “we were targeted by group/malware!” Both takes make it difficult to assess and prioritize the threats organizations face in a meaningful way. Sometimes, I think that the terminology we use gets in the way of precisely conveying the targeting preferences, or lack thereof, behind threat activity.

Targeted vs. Personalization

Mass malware distribution operations may implement automated ways to personalize emails in an attempt to create legitimacy and lure the recipient into opening a malicious file or link. Sometimes this is fairly simple (adding the domain name from the recipient’s email address to the subject line, looking up that domain to find an organization name and appending it to the subject line, etc.); in other cases it involves leveraging stolen email threads or email accounts using data obtained from previous compromises. As a result, some mass distribution activity may appear targeted but is in fact personalized using automation.

This doesn’t mean that a malware delivery campaign – whether personalized or not – cannot leverage an opportunity to evolve into much more targeted activity. This is where understanding the nature of the initial attack vector and the likely “follow-on” activity (h/t Cian, are you even on the Twitter?) can inform your defense – both posture and response. Emotet, for example, may drop TrickBot, which may be followed by PowerShell Empire or Cobalt Strike, followed by network-wide deployment of ransomware such as Ryuk.

Understanding the nature of the attack vector (not everything is “spearphishing” T1193) and what behavior to expect in a post-compromise situation allows for a more accurate assessment of what tactical remediation steps need to be taken next and what strategic defensive measures should be put in place.

Targeted vs. Impacted

Most vendors produce quarterly or yearly reports that rely on telemetry data to depict the top threats based on the highest volume of detections, often segmented by industry vertical or geographic location. But higher volumes concentrated within specific industry verticals or geographic regions do not necessarily indicate targeting – these volumes are influenced by a variety of factors. @tiskimber and I gave a presentation on this topic at the FireEye Cyber Defense Summit in 2018.

In short, due to the mechanisms by which organizations collect or compile telemetry data as well as the type and location of the sensors, reported statistics can be distorted. Moreover, the highest volume threats will not necessarily be the most significant for an organization because truly targeted threats often involve customized, low-volume attacks.

Therefore, I prefer to use the term impacted to describe the volume/breadth of telemetry data observed within an industry vertical or a geographic region. And I use the term targeted when analysis indicates that an observed threat was used by a specific threat actor group known to conduct targeted attacks and/or was used in a campaign specific to a geographic or industry vertical.

Targeted Not Targeted

The ability to assess whether an alert is related to truly targeted activity or a personalized mass distribution campaign informs your prioritization and response. Knowing what is specifically targeting – as opposed to indiscriminately impacting – your organization, your industry vertical or your region allows you to more accurately evaluate and prioritize threats.
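To show how the two distinctions above (personalized vs. targeted, impacted vs. targeted) and the Emotet follow-on chain from the earlier section can be turned into triage logic, here is an added example; it is not code from the original post. The `Alert` fields, the `FOLLOW_ON` chains and the P1/P2/P3 priorities are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed follow-on chains modelled on the post's Emotet example; a real
# playbook would be built from the organisation's own intelligence holdings.
FOLLOW_ON = {
    "emotet": ["trickbot", "powershell empire or cobalt strike", "ryuk"],
    "trickbot": ["powershell empire or cobalt strike", "ryuk"],
}
RANSOMWARE = {"ryuk"}


@dataclass
class Alert:
    family: str
    actor_known_for_targeting: bool = False    # conclusion of analysis, not telemetry volume
    campaign_specific_to_vertical: bool = False
    personalized_lure: bool = False            # e.g. recipient's domain pasted into the subject
    vertical_detection_share: float = 0.0      # share of vendor telemetry in our vertical, 0..1


def assess(alert):
    """Return (label, expected_follow_on, notes) using the post's definitions:
    'targeted' needs analytical evidence; volume and personalisation only say 'impacted'."""
    targeted = alert.actor_known_for_targeting or alert.campaign_specific_to_vertical
    label = "targeted" if targeted else "impacted"
    expected = FOLLOW_ON.get(alert.family.lower(), [])
    notes = []
    if alert.personalized_lure and not targeted:
        notes.append("lure personalised by automation, not evidence of targeting")
    if alert.vertical_detection_share >= 0.5 and not targeted:
        notes.append("high telemetry share in vertical: impacted, not targeted")
    return label, expected, notes


def priority(alert):
    """Tactical priority: targeted activity first, then indiscriminate intrusions
    whose known follow-on chain ends in ransomware, then everything else."""
    label, expected, _ = assess(alert)
    if label == "targeted":
        return "P1"
    if any(step in RANSOMWARE for step in expected):
        return "P2"
    return "P3"


if __name__ == "__main__":
    # Constructed sample: a personalised Emotet lure that is loud in our vertical
    sample = Alert("Emotet", personalized_lure=True, vertical_detection_share=0.6)
    print(assess(sample), priority(sample))
```

The Emotet sample is labelled "impacted" despite the personalised lure and high volume, yet still lands at P2 because the expected follow-on chain ends in ransomware.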
