Practical Countermeasures Against Targeted Attacks: An Easy-to-Understand Explanation


As cyberattacks become increasingly sophisticated, targeted attacks pose a significant threat to companies and organizations.

Targeted attacks are difficult to detect and can cause extensive damage over a long period because they target specific organizations and use sophisticated methods tailored to the target.

This article explains the threats and characteristics of targeted attacks, provides real-world examples, and explains practical countermeasures in an easy-to-understand manner.

Table of Contents

  1. What are Targeted Attacks? Their Threats and Characteristics
    1. Objectives of Targeted Attacks
    2. Attack Methods and Threats
  2. Examples of Targeted Attacks
    1. Targeted Attack on JAXA
    2. Targeted Attack on the University of Tokyo
  3. Practical Countermeasures Against Targeted Attacks
    1. Endpoint Security
    2. Email Security
    3. Network Security
    4. Operational Security
    5. Employee Training and Awareness
    6. Building an Incident Response System
  4. Summary

1. What are Targeted Attacks? Their Threats and Characteristics

Targeted attacks refer to attacks aimed at specific companies or organizations.

Unlike general cyberattacks, targeted attacks are characterized by thoroughly investigating the target in advance, pinpointing the target, and using methods tailored to it.

1-1. Objectives of Targeted Attacks

The objectives of targeted attacks vary, including information theft, system destruction, and service disruption.

Information Theft

The purpose is to steal confidential information and important data from companies and organizations.

This includes corporate secrets, customer data, and personal banking information.

System Destruction

The purpose may be to destroy the organization’s systems, causing business disruption and chaos.

This causes confusion and losses for the organization.

Service Disruption

Attackers try to maximize the impact on the organization by stopping specific services or systems.

This includes website downtime and network outages.

1-2. Attack Methods and Threats

In targeted attacks, detailed information about the target organization is collected thoroughly by all possible means.

Information is obtained through various methods, such as collecting posts on social media, gathering publicly available information, impersonating people involved, and contacting internal parties. Based on the information gathered, sophisticated attack methods optimized for the target organization are used.

Specific attack methods include the following:

  • Impersonating business partners, collaborators, executives, or people involved in the target organization and sending emails with malware attached.
  • Infiltrating the target’s internal network, activating malware, and enabling backdoor communication.
  • Communicating with external attackers, exploring internal vulnerabilities, and using them as a stepping stone to steal data or deploy further malware.

As such, targeted attacks use sophisticated disguises and malicious programs, making them a threat that cannot be prevented by general cyberattack countermeasures.

Once an attack succeeds, it can cause extensive damage, such as the theft of confidential data, the takeover of important systems, and ransomware infection. The sophisticated methods and serious damage are the major threats of targeted attacks.

2. Examples of Targeted Attacks

A characteristic of targeted attacks is that once they have infiltrated, they are difficult to detect for a long period because the attacks are launched after spending time on prior investigation.

Let’s look at two examples.

2-1. Targeted Attack on JAXA

In November 2023, it was reported that the Japan Aerospace Exploration Agency (JAXA) was cyberattacked and suffered unauthorized access.

The target of the unauthorized access was a server used for general business operations, and it has been confirmed that confidential information such as research and development data was not leaked. However, because JAXA had been cyberattacked in the past, it disconnected the network and conducted a thorough investigation.

The unauthorized access had been going on since the summer of 2023, but JAXA did not become aware of it until it was contacted by the police around the fall of 2023.

As such, targeted attacks attempt to infiltrate secretly and aim to steal information over a long period, so it is necessary to continuously monitor and detect them.

2-2. Targeted Attack on the University of Tokyo

In October 2023, the University of Tokyo announced that a PC used by a faculty member was infected with malware, and there was a possibility that confidential information (a total of 4,341 items, including personal information of faculty, staff, and students, and past exam questions) contained in the PC was leaked.

This is believed to have been caused by a targeted attack email that the faculty member received more than a year earlier.

The faculty member received an email requesting a lecture, purportedly from a person in charge, and clicked a URL in the email while exchanging messages to coordinate the schedule, which led to the malware infection.

The faculty member then received a message saying that the lecture had been canceled, and did not notice that any damage had occurred.

3. Practical Countermeasures Against Targeted Attacks

Targeted attacks use sophisticated methods, so a single countermeasure is not sufficient.

To protect an organization from targeted attacks, it is necessary to take multi-layered countermeasures from various aspects, such as the following:

3-1. Endpoint Security

First of all, countermeasures for endpoints (PCs and servers) are the most important.

Installing antivirus software to detect and remove known malware is fundamental.

Furthermore, by introducing EDR (Endpoint Detection and Response), detailed monitoring and advanced response at the endpoint become possible. A major advantage of EDR is that it can track and analyze the behavior of malware and take prompt action.
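The behaviour tracking described above can be illustrated with a small detection rule. The following is an added example, not code from the article or from any EDR product: it reads constructed endpoint telemetry (process starts with their parent and outbound connections) and flags a script interpreter launched by a document application, raising the severity when that child talks to the network within a short window. The event format, the process-name lists and the 60-second window are all assumptions made for the illustration.

```python
"""Added example (not from the article): a simple EDR-style behaviour rule.

Assumptions, all constructed for illustration: the event format, the process
names treated as document readers and script interpreters, and the 60-second
correlation window.
"""
from collections import defaultdict

# Constructed telemetry, roughly what an endpoint agent records: process starts
# (with parent pid) and outbound network connections, keyed by pid.
EVENTS = [
    {"ts": 100, "type": "process", "pid": 10, "ppid": 1,  "image": "explorer.exe"},
    {"ts": 101, "type": "process", "pid": 20, "ppid": 10, "image": "WINWORD.EXE"},
    {"ts": 105, "type": "process", "pid": 30, "ppid": 20, "image": "powershell.exe"},
    {"ts": 106, "type": "network", "pid": 30, "dst": "203.0.113.7", "port": 443},
    {"ts": 200, "type": "process", "pid": 40, "ppid": 10, "image": "powershell.exe"},
    {"ts": 201, "type": "network", "pid": 40, "dst": "198.51.100.9", "port": 443},
    {"ts": 300, "type": "process", "pid": 50, "ppid": 20, "image": "cmd.exe"},
]

DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WINDOW_SECONDS = 60


def detect_document_spawned_interpreters(events):
    """Flag script interpreters whose parent is a document application.

    Severity is raised to 'high' when the child also opened a network
    connection within WINDOW_SECONDS of starting: a document that launches an
    interpreter which immediately talks to the outside is the classic shape of
    a malicious attachment, and the rule fires on behaviour, not on a file hash.
    """
    processes = {e["pid"]: e for e in events if e["type"] == "process"}
    connections = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            connections[e["pid"]].append(e)

    alerts = []
    for pid, proc in processes.items():
        if proc["image"].lower() not in INTERPRETERS:
            continue
        parent = processes.get(proc["ppid"])
        if parent is None or parent["image"].lower() not in DOCUMENT_APPS:
            continue
        recent = [c for c in connections[pid]
                  if 0 <= c["ts"] - proc["ts"] <= WINDOW_SECONDS]
        alerts.append({
            "pid": pid,
            "chain": f'{parent["image"]} -> {proc["image"]}',
            "severity": "high" if recent else "medium",
            "destinations": sorted({c["dst"] for c in recent}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_document_spawned_interpreters(EVENTS):
        print(alert)
```

Note that the interpreter started from the desktop shell (pid 40) is not flagged even though it connects out: the rule keys on the parent-child relationship, which is why a signature-free EDR rule of this kind catches a malicious attachment without knowing the malware in advance.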

3-2. Email Security

Targeted attacks almost always begin with spoofed emails, which serve as the attacker’s initial foothold.

Therefore, it is important to properly authenticate the email sender using SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) and block fraudulent emails.

In addition, combining risk assessment of email content and URLs with dynamic analysis in a sandbox enables more advanced automatic detection and blocking of suspicious emails.
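To make the SPF and DMARC check concrete, here is an added example (not code from the article, and not a mail server’s own implementation) that evaluates a message offline. The DNS TXT records are constructed stand-ins for live lookups, only the ip4, ip6, include and all mechanisms of SPF are implemented, DKIM is left out, and organisational-domain matching is simplified to the last two labels. The second scenario in the usage block is the case the article warns about: a message whose visible From: claims to be an executive’s domain but which was actually sent through a partner’s mail servers.

```python
"""Added example (not from the article): offline SPF and DMARC evaluation.

Assumptions: the DNS TXT records below are constructed stand-ins for live
lookups, only a subset of SPF mechanisms is implemented (ip4, ip6, include,
all), DKIM is left out, and organisational-domain matching is simplified.
"""
import ipaddress

DNS_TXT = {
    "example.com":            "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net":       "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com":     "v=DMARC1; p=reject; aspf=s",
    "partner.example":        "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.partner.example": "v=DMARC1; p=none",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Result of evaluating domain's SPF record against the connecting IP."""
    if depth > 10:                      # RFC 7208 caps DNS-based lookups
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = (
            mech == "all"
            or (mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False))
            or (mech == "include" and spf_check(arg, client_ip, depth + 1) == "pass")
        )
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' term


def dmarc_policy(domain):
    """Parse the _dmarc TXT record into a tag dictionary, or None if absent."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain):
    # Simplified to the last two labels; real code uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def spf_aligned(header_from, mail_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organisational domain."""
    if mode == "s":
        return header_from == mail_from
    return organizational_domain(header_from) == organizational_domain(mail_from)


def evaluate_message(client_ip, mail_from_domain, header_from_domain):
    """Decide what to do with a message from its connecting IP, envelope
    sender domain and the From: header domain the recipient actually sees."""
    spf = spf_check(mail_from_domain, client_ip)
    policy = dmarc_policy(header_from_domain)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "action": "accept"}
    # DMARC passes when an authenticated identifier aligns with the From: domain.
    # Only SPF is checked here; an aligned DKIM signature would also satisfy it.
    if spf == "pass" and spf_aligned(header_from_domain, mail_from_domain, policy.get("aspf", "r")):
        return {"spf": spf, "dmarc": "pass", "action": "accept"}
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "accept")
    return {"spf": spf, "dmarc": "fail", "action": action}


if __name__ == "__main__":
    # Legitimate mail from example.com's own address range.
    print(evaluate_message("192.0.2.5", "example.com", "example.com"))
    # Impersonation: relayed through partner.example's servers, From: example.com.
    print(evaluate_message("203.0.113.9", "partner.example", "example.com"))
```

The important detail is the alignment step: SPF alone passes for the impersonation case because the partner’s server really is authorised to send for partner.example, and it is DMARC’s requirement that the authenticated domain match the From: domain, together with the p=reject policy, that causes the message to be rejected.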

3-3. Network Security

Targeted attacks involve communication with external attackers, so it is also important to take measures to protect the network.

Conventional firewalls cannot detect advanced threats, so consider introducing a next-generation firewall (NGFW). A next-generation firewall can inspect and analyze communication content down to the application level and block suspicious communication.

Furthermore, by linking with IPS (Intrusion Prevention System) and IDS (Intrusion Detection System), it becomes possible to detect and defend against not only known malicious programs but also the behavior of unknown malware.
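One behaviour that network monitoring can surface, and that a port-based firewall rule never sees, is the regular outbound “beaconing” an implanted program uses to keep in touch with its operator. The following is an added example, not code from the article or from any IDS product: it parses a constructed connection log and flags flows to external hosts whose inter-connection intervals are almost constant. The log format and its lines are constructed, 10.0.0.0/8 stands in for the internal network, and the thresholds are illustrative.

```python
"""Added example (not from the article): spotting periodic outbound traffic
('beaconing') in connection logs.

Assumptions: the log format and its lines are constructed, 10.0.0.0/8 stands
for the internal network, and the thresholds are illustrative.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed log: epoch seconds, source, destination, destination port, bytes sent.
LOG_LINES = """\
1700000000 10.0.0.5 203.0.113.7 443 312
1700000060 10.0.0.5 203.0.113.7 443 318
1700000121 10.0.0.5 203.0.113.7 443 310
1700000180 10.0.0.5 203.0.113.7 443 315
1700000241 10.0.0.5 203.0.113.7 443 311
1700000300 10.0.0.5 203.0.113.7 443 314
1700000005 10.0.0.8 198.51.100.20 443 5120
1700000190 10.0.0.8 198.51.100.20 443 802
1700000212 10.0.0.8 198.51.100.20 443 91000
1700000290 10.0.0.8 198.51.100.20 443 450
1700000340 10.0.0.8 198.51.100.20 443 3300
1700000350 10.0.0.8 10.0.0.9 445 2000
1700000410 10.0.0.8 10.0.0.9 445 2000
"""


def parse_log(text):
    """Yield (ts, src, dst, port, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, port, size = fields
        yield int(ts), src, dst, int(port), int(size)


def detect_beacons(log_text, min_connections=5, max_jitter=0.1):
    """Return flows to external hosts whose inter-connection intervals are
    nearly constant. Jitter is the coefficient of variation of the intervals
    (stdev / mean); human-driven traffic is bursty, so its jitter is large."""
    flows = defaultdict(list)
    for ts, src, dst, port, _size in parse_log(log_text):
        if ipaddress.ip_address(dst) in INTERNAL:
            continue                          # only outbound flows matter here
        flows[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < max(min_connections, 3):   # stdev needs >= 2 intervals
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        jitter = statistics.stdev(intervals) / mean if mean else float("inf")
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "port": port,
                             "connections": len(stamps),
                             "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(LOG_LINES):
        print(finding)
```

In the constructed log, 10.0.0.5 contacts 203.0.113.7 every 60 seconds give or take one second and is reported, while 10.0.0.8 talks to 198.51.100.20 at irregular intervals with widely varying sizes, as a person browsing would, and is not. In practice this kind of rule is tuned per environment, because software updaters and monitoring agents also beacon and need an allow-list.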

3-4. Operational Security

It is also essential to continuously apply the latest patches for OSes and applications in preparation for attacks targeting software vulnerabilities. Also, encrypt important confidential data and manage access rights appropriately.

In addition, introducing multi-factor authentication, which combines knowledge factors such as IDs and passwords with possession and biometric factors, is also effective in reducing the risk of unauthorized access from inside the organization.
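As an added example of combining a knowledge factor with a possession factor (not code from the article or from any authentication product), the block below verifies a password hash and a time-based one-time code (TOTP, RFC 6238) together. The user record, salt, password and secret are constructed; the TOTP arithmetic is the standard one and is checked against the RFC 6238 test vector. The record also remembers the last accepted time step so that a code which has already been used cannot be replayed within the acceptance window.

```python
"""Added example (not from the article): a possession factor, a TOTP (RFC 6238)
code, verified alongside a password.

Assumptions: the user record, salt, password and secret are constructed; the
TOTP maths is the standard one and matches the RFC 6238 test vector.
"""
import hashlib
import hmac
import struct
import time

PBKDF2_ROUNDS = 100_000


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, at // step, digits)


class UserRecord:
    """Constructed credential-store entry: salted password hash plus TOTP seed.
    last_counter remembers the most recent accepted time step so that a code
    which was already used cannot be replayed inside the acceptance window."""

    def __init__(self, password, totp_secret):
        self.salt = b"constructed-salt"          # per-user random salt in real systems
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1

    def check_password(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.pw_hash)

    def check_totp(self, code, now=None, step=30, skew=1):
        """Accept the code for the current step or one step either side
        (clock drift), but never a step that has already been consumed."""
        now = int(time.time()) if now is None else now
        counter = now // step
        for c in range(counter - skew, counter + skew + 1):
            if c <= self.last_counter:
                continue                          # already used: reject replay
            if hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter = c
                return True
        return False


def authenticate(user, password, code, now=None):
    """Both factors must pass. The password is checked first so that a wrong
    password never consumes a valid one-time code."""
    return user.check_password(password) and user.check_totp(code, now)


if __name__ == "__main__":
    seed = b"12345678901234567890"              # RFC 6238 test secret
    user = UserRecord("correct horse battery staple", seed)
    print(totp(seed, 59))                       # 287082 per the RFC vector
    print(authenticate(user, "correct horse battery staple", totp(seed, 59), now=59))
    print(authenticate(user, "correct horse battery staple", totp(seed, 59), now=59))  # replay
```

The second authentication attempt with the same code fails even though the code is still inside the clock-skew window, which is the property that keeps a captured one-time code from being reused by an attacker who also obtained the password.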

3-5. Employee Training and Awareness

In addition to technical measures, it is necessary to thoroughly implement measures from a human perspective.

By providing regular education and awareness campaigns to each employee about the methods of targeted attacks, the latest cases, and the importance of countermeasures, the risk of human error can be significantly reduced.

3-6. Building an Incident Response System

In the unlikely event of a targeted attack, a response system must be fully prepared.

Define in advance the entire flow of the response: the initial response when an incident occurs, identification of the cause, containment to stop the damage from spreading, and system recovery work, and clarify roles and the contact chain. Regular drills are also essential to keep the plan effective.

As such, a multi-layered approach that combines endpoint, email, network, and operational measures, and adds human aspects and incident response systems, is a practical countermeasure to prepare for targeted attacks.

Summary

Targeted attacks often combine sophisticated and multiple methods, and can cause extensive damage once an organization is victimized. In addition to countermeasures to prevent intrusion, it is also important to take countermeasures to prevent the damage from spreading after an intrusion has occurred.

Since no single countermeasure can prevent them, work on multifaceted countermeasures to protect your organization from targeted attacks.

Please contact globalsupport@jiran.com for pricing information or to request a free trial.
