Symantec Launches New Defenses Against Targeted Cyber Attacks

Network security company Symantec has introduced four new software suites that address compliance management, data loss prevention, system management and infrastructure management to stop targeted attacks, which as opposed to a mass attack, are methodical and well-focused attacks on a particular network or networks, said David Dorosin, director of product marketing for Symantec.

The most high-profile examples of recent targeted attacks have been on the networks of Google, Adobe Systems, Juniper Networks, Rackspace and even Symantec, among others. Google publicized the attack in January, revealing that hackers in China had broken into Gmail accounts of Chinese dissidents. While commonly known as "the Google attack" in IT security circles, it's also been called Operation Aurora or the Hydraq Attack.

Dorosin explained that the new Symantec software, to be introduced at the Symantec Vision 2010 conference today in Las Vegas, is designed to upset the four stages of a typical targeted attack, which are Incursion, Discovery, Capture and Exfiltration.

Incursion is the method by which an attacker breaks into a targeted network. Unlike a mass attack, where malicious software is hidden in an e-mail in the hopes that someone will unwittingly open it and infect their computer with malware, a targeted attack focuses on an individual at a specific company who might have access to valuable data. The attacker will do research on that person and try to engage them to read e-mails or instant messages. These attackers are patient, Dorosin said. "It takes effort, which I think distinguishes these attacks, but the effort can pay off because there is a lot of information out there about a lot of high profile people in enterprises," he said.

Once in, the attacker enters the discovery phase, searching the target network to see where the valuable databases , files, e-mail archives or other assets are located. They will observe the targeted individual, his or her behavior and what kind of access privileges they have. This takes time, too. In the discovery phase for the Google Attack, Dorosin estimated that attackers were taking one or two weeks in the discovery phase.In the capture phase, that attacker takes the assets he wants based not just on their potential value, but on the level of security that surrounds them. Some assets may be highly valuable, but are so well-protected that the hacker is better off stealing less valuable data that is easier to take. However, even  well-secured data is at risk in the event of what Dorosin calls "data spills." Data may be well-encrypted, but if it has been moved from one place to another on a network, a copy may have inadvertently been made and left in a less-secure server.

Once the data has been captured, the attacker has to determine an escape route, called the exfiltration phase. "They are looking for a way out of the network, an unused firewall port, typically Port 80 or Port 443 for http or https. They are hiding the information in commonly used ports that everybody is using." As complex as these attacks are, Dorosin adds, "If there is a silver lining to this, it is that if we can break any link in this chain we can effectively stop the attack."

New software intended to thwart targeted attacks includes:

The Google attack may have been addressed and contained, but there will certainly be others, Dorosin said. "These attacks aren't something that have come and gone; it's an ongoing threat to the intellectual property of large organizations," he said.