Threat Research Blog

Threat Actor Tactics and Targeting Predictions for 2014

Predicting security challenges for the upcoming year is often an exercise in educated guesswork. These forecasts are often based on technological trends (e.g., attack surfaces to be exploited by adversaries, such as mobile devices and enterprise services in the cloud), attempts to influence potential customers ("this threat can only be solved by our widget!"), strategic shifts in adversary intents and motivations, red lines (or the absence thereof) for acceptable behavior and myriad other factors.

Mandiant Threat Intelligence has several sub-teams who track threats, analyze activity and disseminate the resulting analysis -- whether it be the identification of adversary tactics, ways to detect malicious activity, potential targets, or the identification of risk factors that may affect your company. We are going to limit our predictions for 2014 to some high-level themes in threat actor tactics and targeting rather than a broad-scope take on the security industry. What follows are a few thoughts on what we saw over the last year and what we expect to see in the next year:

Public exposure has thus far seemed to leave attackers undeterred. Based on our observations, targeted threat actors don't appear to be widely deterred by a public outing of their campaigns, infrastructure or modus operandi. Even with the APT1 report and countless other security vendor reports, blog postings, high-profile news coverage and other methods of exposure, we're not observing an abatement in targeted activity overall. That speaks volumes about targeted actors' tenacity, about the political capital that continues to be risked to ensure such cyber intrusions go on, and about the commitment necessary to mitigate the effects of their activity.

Targeting by advanced threat actors will continue to expand beyond theft of intellectual property or information used for immediate financial gain. In addition to tenacity, we believe targeted threat actors will continue to diversify what - and whom - they pursue; one example of this would be China-based APT groups expanding their efforts against "image" targets. Corporations with high-value intellectual property continue to make up the vast majority of China-based APT targets; however, these same APT groups are increasing their efforts against media organizations, non-profits, and other entities that can potentially shape China's national image. We expect this targeting trend to increase in the next year, but do not anticipate that these targets will replace traditional corporate espionage in the year ahead.

Politically motivated actors looking to make a statement will continue to target governments, corporations and civil society as outlets to promote their ideologies. This certainly isn't a new phenomenon, but we believe this activity will continue given the often low barriers to entry and the ease of using the Internet as an effective communications medium. While actors aren't always operating with complete impunity, we're hard pressed to point to any effective deterrence measures or red lines in conduct. Murky lines between non-state actors and actors suspected of working in line with state objectives complicate tracking and attributing these threats.

Efficient threat assessment remains a challenge. Equipping practitioners to capably evaluate and appropriately respond to possible incidents remains an important mission for those of us working in this industry. There's no "easy button" for making quick and accurate assessments of the nature of a threat based on limited evidence. Targeted actors' use of mass malware is a good example of this. Malware that is widely distributed - whether through strategic web compromises, generic web-based drive-by attacks, or large-scale spam campaigns - is often assumed to be low-risk "commodity" activity. While this is often the case, it is not necessarily so; we've seen plenty of targeted actors use such mass malware, and we expect that to continue as an attempt to "blend in." We've also seen attackers use malware "traditionally" associated with Chinese APT activity to deploy distributed denial-of-service clients on victim systems. This emphasizes the importance of not making assumptions when bucketing threat activity based on a single point of evidence, such as the malware detected.

Humans aren't infallible; mistakes will continue to complicate defense and expose attackers. Malicious actors make mistakes all the time - they're human. Some of the assessments in our APT1 report were derived from taking advantage of attacker blunders. We recently found, in a publicly accessible location, several builders for a malware family that multiple APT groups use, indicating sloppy operational security. Likewise, social engineering (from spear phishing to threat actors engaging verbally or via chat with their victims) will continue to be a key weakness for organizations defending themselves against cyber-enabled threats.