Martin Lee, Symantec
Malware-containing emails can be sent to anyone. Single malware variants can be sent to tens of thousands of recipients without distinction. However, a small proportion of email malware is sent in low copy number to a small set of recipients that have apparently been specifically selected by the attacker. These targeted attacks are challenging to detect and, if successful, may be particularly damaging for the recipient.
The vast majority of Internet users will never be sent a targeted attack. The few users to whom such attacks are sent presumably possess features that have brought them to the attention of attackers and have caused them to be selected for attack. Applying epidemiological techniques to calculate the odds ratio for features of malware recipients, both targeted and non-targeted, allows the identification of factors that are associated with targeted attack recipients.
In this paper we show that it is possible to identify specific risk factors that are associated with individuals subjected to targeted attack, by treating the threat as akin to a public health issue. These risk factors may be used to identify those at risk of being subject to future targeted attack, so that these individuals can take additional steps to secure their systems and data.
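The odds-ratio calculation the abstract refers to can be sketched as follows; this is an added example, not code or data from the paper. The feature labels and recipient counts are constructed, and the Woolf (logit) confidence interval and Haldane-Anscombe zero-cell correction are assumptions of this sketch rather than methods the abstract names.

```python
import math

def odds_ratio(a, b, c, d, z=1.96):
    """Odds ratio and Woolf (logit) confidence interval for a 2x2 table.

    a: targeted recipients with the feature     b: targeted without it
    c: non-targeted recipients with the feature d: non-targeted without it
    """
    cells = [a, b, c, d]
    if any(n < 0 for n in cells):
        raise ValueError("counts must be non-negative")
    if 0 in cells:  # Haldane-Anscombe correction keeps the ratio finite
        cells = [n + 0.5 for n in cells]
    a, b, c, d = cells
    ratio = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)  # std. error of ln(OR)
    return ratio, math.exp(math.log(ratio) - z * se), math.exp(math.log(ratio) + z * se)

def risk_factors(records):
    """records: iterable of (set of feature labels, targeted flag).

    Returns {feature: (OR, ci_low, ci_high)} for features whose whole
    95% interval lies above 1, i.e. associated with being targeted.
    """
    records = list(records)
    found = {}
    for feature in sorted(set().union(*(f for f, _ in records))):
        a = sum(1 for f, t in records if t and feature in f)
        b = sum(1 for f, t in records if t and feature not in f)
        c = sum(1 for f, t in records if not t and feature in f)
        d = sum(1 for f, t in records if not t and feature not in f)
        result = odds_ratio(a, b, c, d)
        if result[1] > 1:
            found[feature] = result
    return found

# Constructed sample: 40 targeted and 1000 non-targeted malware recipients.
# "role:policy" and "webmail" are hypothetical feature labels.
SAMPLE = (
    [({"role:policy"}, True)] * 30 + [({"webmail"}, True)] * 8 + [(set(), True)] * 2
    + [({"role:policy"}, False)] * 100 + [({"webmail"}, False)] * 200
    + [(set(), False)] * 700
)

if __name__ == "__main__":
    for name, (ratio, low, high) in risk_factors(SAMPLE).items():
        print(f"{name}: OR={ratio:.1f} (95% CI {low:.1f}-{high:.1f})")
```

An interval that spans 1 (as for the constructed "webmail" feature here) indicates no demonstrated association, so only features whose lower bound exceeds 1 are reported as risk factors.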