The malicious messages are crafted to look as if they're from someone the recipient knows and has been communicating with, said Paul Wood, a senior intelligence analyst in Symantec's MessageLabs Intelligence unit. They can even be inserted into an ongoing email exchange, gaining authenticity because they include familiar subject headers and references to ongoing conversations.
Who's most at risk? Company directors, vice presidents, managers and executive directors -- especially at smaller companies, according to MessageLabs. Because larger companies tend to be better protected than smaller ones, cyber criminals aim for small firms that might be suppliers or business partners to big ones, Wood said.
Dealing with these threats requires new ways of thinking, said Sean Arries, a researcher at Terremark Worldwide Inc., a Miami-based provider of IT infrastructure services. Because the attacks often take advantage of zero-day threats for which no defense exists, blocking them with signature-based anti-malware tools is almost impossible, he said.
Detection is key
As a result, companies need to strengthen their ability to detect intrusions and respond quickly, Arries said. Since targeted attacks are designed to siphon out data via the network, keeping a close eye on network traffic can help detect anomalies. A gusher of data going out over the network is a warning sign that something's amiss.
As part of their security efforts, companies should implement network traffic flow analysis tools, Arries said. Terremark, for instance, uses technology from Arbor Networks to monitor and model the normal flow of data on its networks. The tool helps Terremark quickly detect any traffic patterns that are unusual, he said.
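The baseline-and-deviation idea Arries describes (model each host's normal outbound volume, then flag a sudden "gusher"), reduced to a runnable sketch. This is an added example, not code from the article, Terremark or Arbor Networks; the flow records, host addresses, day numbers and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, internal_host, bytes_out).
# Both hosts send modest, slightly varying volumes; on day 8 the second
# host suddenly pushes roughly 70x its usual egress.
FLOWS = (
    [(d, "10.0.1.5", 3_000_000 + (d * 7919) % 400_000) for d in range(1, 9)]
    + [(d, "10.0.1.9", 1_500_000 + (d * 104729) % 250_000) for d in range(1, 8)]
    + [(8, "10.0.1.9", 120_000_000)]
)


def daily_egress(flows):
    """Aggregate bytes_out per host and per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def find_egress_anomalies(flows, today, min_history=5, min_ratio=5.0, min_z=3.0):
    """Return hosts whose egress on `today` is far above their own baseline.

    The baseline is the mean and standard deviation of that host's prior days.
    A host must fail both a ratio test and a z-score test, so a host with a
    noisy history still needs a large absolute jump before it is flagged, and
    hosts with too little history are skipped rather than guessed at.
    """
    alerts = {}
    for host, per_day in daily_egress(flows).items():
        history = [b for d, b in sorted(per_day.items()) if d < today]
        if len(history) < min_history or today not in per_day:
            continue
        baseline, spread = mean(history), pstdev(history)
        observed = per_day[today]
        ratio = observed / baseline if baseline else float("inf")
        z = (observed - baseline) / spread if spread else float("inf")
        if ratio >= min_ratio and z >= min_z:
            alerts[host] = {
                "observed": observed,
                "baseline": round(baseline),
                "ratio": round(ratio, 1),
            }
    return alerts


if __name__ == "__main__":
    for host, info in find_egress_anomalies(FLOWS, today=8).items():
        print(f"ALERT {host}: {info['observed']} bytes out, "
              f"{info['ratio']}x the {info['baseline']}-byte baseline")
```

Real deployments would feed this from NetFlow/sFlow or IPFIX exports and key on destination as well as source, since a compromised host often exfiltrates to a destination it has never talked to before.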
In addition, Terremark uses technology from NetWitness Corp. to do network packet inspection. The NetWitness technology allows Terremark to quickly go through network logs and inspect specific data packets flagged as suspicious, Arries said. Though open-source tools such as Snort can do packet inspection, a commercial product such as NetWitness can allow companies to quickly sift through and investigate large volumes of data for suspicious packets, he added.
Using a whitelist can also be useful, said Amit Yoran, CEO of NetWitness. With a whitelist, a company can allow specific traffic over its networks while excluding everything else.
This sort of default-deny approach can be very effective in stopping traffic coming in from or going out to destinations that have not been previously approved. Companies can block traffic from entire network blocks or even whole countries, if needed. As a result, even if a hacker compromises a network, the chances of his being able to smuggle out data are almost nonexistent.
The problem is that it's not very scalable, Yoran said. Restricting traffic to specific destinations is unworkable, especially in large enterprise networks. But it can work in specific situations, such as when protecting systems containing credit card data.
Could the cloud help?
Moving security controls into the cloud can also help companies detect targeted attacks, Wood said. As a provider of hosted security services that sifts through large volumes of network traffic on a daily basis, Symantec, for instance, can spot suspicious activity sooner than an enterprise would. Late last year, for instance, it was able to spot targeted attacks that took advantage of an undisclosed vulnerability in Adobe's PDF software -- a full month before the flaw was publicly disclosed and fixed.