Leapfrog down the waterhole: Symantec identifies weakest link attack
Another day, another threat report from a security software vendor. Probably the biggest challenge these vendors have is finding something – anything – interesting. And by Jove, Symantec appears to have done it, bringing to the world’s attention the concept of the ‘leapfrog attack’ or ‘waterhole attack’ in its latest Integrated Security Threat Report.
Evidently, cunning miscreants are seeking out the weakest link in information supply chains: the small business which thinks it has nothing worth stealing, but which trades with far juicier big business clients.
Peter Sparkes, Symantec Director MSS, APAC and Japan, prefers the term ‘waterhole attack’ (the company’s PR guys introduced the ‘leapfrog’ nomenclature). “From a trending point of view, we’re seeing a move from mass cybercrime to sophisticated targeted attacks. With this particular approach, attackers see the small business as a way of getting access to a larger company,” he explains.
While the larger targets tend to have good perimeter security, Sparkes says trusted connections to small suppliers can open up opportunities for exploits. “Often, these suppliers hold intelligence or intellectual property which is of direct or indirect value to the attacker.”
He adds that these kinds of attackers take their time, with good doses of surveillance and stealth before the real heist takes place.
What kinds of businesses are at risk? “We’re seeing these attacks from within our NZ data. Targets are a range of organisational types, but manufacturing is probably number 1. Attackers are there to make money, so they are seeking intellectual property, information on how their targets are operating, on mergers and acquisitions.” Corporate espionage? “To some extent,” Sparkes confirms.
Solving the problem is, as always, difficult since it is easier to attack than it is to defend. “As threats increase in sophistication, you need to increase the sophistication of your security technology. Most companies today use multiple different techniques to detect threats, including a move to big data behaviour analysis techniques,” says Sparkes.
But the real challenge is perhaps not a technology one. Instead, it is one of determining where, along the information security chain, responsibility lies. “It is up to individual organisations to protect their core information. At the same time, efficiency demands that companies work together and share information; but doing so depends on knowing that you can trust other organisations when information is transferred.”