Targeted or Personalized Attacks?
Posted by Gunter Ollmann on February 19, 2007 at 4:51 PM EST.

Like a catch phrase from an old Arnold Schwarzenegger movie, the term “targeted attack” has swept the security industry and can be heard reverberating around conference stands and found scattered throughout this years glossy product brochures.  I haven’t seen this much attention being paid to a threat since Spyware became a household name.

If I had to identify a parallel threat from security history, I would compare these “targeted attacks” to the “Script-kiddies” at the turn of the decade.  That is to say, a grouping of threats based upon motivation as opposed to a particular technology.

While the motivations behind script-kiddies can be best summarized as ‘tinkering’, targeted attacks can be summarized as professional and financially motivated.  Perhaps the biggest difference between these two threat categories can be best summarized by the word “research”. 

Script-kiddy attacks were traditionally “fire and forget” – spray the internet with your malicious script hoping to hit something that was vulnerable – requiring no research as to who the victim would be.  Targeted attacks on the other hand are all about researching your target – whether that be a particular host or a limited audience – and customizing the delivery of the malicious payload to achieve the highest probability of success.

Depending upon which security professional or organization you talk with, you will get a slightly different interpretation of exactly what threats fall within the “targeted attack” bucket.  For example, some will say that Spear Phishing (Phishing emails that are only sent to known customers or employees of a specific organization) isn’t a targeted attack, while the recent MySpace worm was. Personally, I’d be inclined to ask whether the attacker researched and subsequently targeted a specific audience, and sought financial gain from the attack.  If the answers are all true, then yes, I’d include it in the threat bucket that is “targeted attack”.

Now, while everyone has been banging the jungle drums over this “targeted attack” threat category, a related threat has silently appeared amongst us.  Closely related to targeted attacks, this new threat category certainly shares the same motivations, however it deemphasizes the need to actively pursue the victim – instead it lies in wait for potential victims to stagger upon it and customizes its malicious content just moments before the attack.

While these “personalized attacks” may feel like a targeted attack to their victims, the dynamics are very different.

Today, this “personalized attack” threat most commonly appears in the guise of a web page.   As the potential victim visits a website, the attackers ‘engine’ (hosted upon the Web server) examines information that came with the page request and dynamically creates and serves a new page containing a malicious exploit payload – optimized for this visitor.  Each visitor to the website gets their own version of the malicious page – in fact, repeated visits by the same victim will likely result in different versions of the malicious page.

By “personalizing” the attack the attacker greatly increases the probability of successful infection and, more importantly, manages to slip past traditional protection systems (such as anti-virus software) by creating one-of-a-kind exploit payloads.  Already some of the more advanced ‘engines’ developed by the attackers ensure that the tools commonly used by security companies to search the Internet for bad content are never served malicious pages – thereby staying below the exploit radar.

While “targeted attacks” are all the rage and hogging the limelight, “personalized attacks” are silently propagating their way around the Internet.  Given their stealthy guise and non-discriminating nature, we can expect these “personalized attacks” to be highly successful and lucrative ventures for professional and financially motivated attackers over the next few years.
    Copyright 2001-2007 © Gunter Ollmann