Opportunistic vs targeted cyberattacks

The difference between opportunistic and targeted cyberattacks comes down to what the attacker wants and how they are going to accomplish their goal. Cybercriminals are as human as everyone else—they don't want to work very hard unless the potential payoff matches the effort. 

An opportunistic cyberattack is when the attacker wants just someone or something. It's detached, launched at volume, and fairly painless to the attacker.

A targeted cyberattack is when the attacker wants you. It's precise, persistent and intimate.

If a burglar was in my house and took laptops, smart phones and jewelry, it's probably opportunistic. It’s likely the ability to enter my home presented itself—unlocked doors, open windows, obvious signs of being on vacation, etc. Opportunistic attacks are more in line with “smash and grab” crime and less likely to be cutting edge. Those attacks are looking to take advantage of known vulnerabilities all together and not be particularly quiet about it.

If that burglar instead surveyed my movements for a month, filmed me type in the garage code and then broke in only to steal my “Top Gun” soundtrack signed by Kenny Loggins, then it was probably a targeted attack. Those criminals want to be covert; to linger around, and build their plan phase by phase.

The stakes of a targeted cyberattack are higher—often moving beyond money or low-level personal identifiable information (PII) to specific information or data. The tactics used are typically newer, more sophisticated and curated to the targets. They include:

• Infrastructure: reconnaissance has been acutely performed
• Personnel: discrete exploitation of specific employees 

And thus, because of that intimacy, the fallout is more severe and long lasting.

Diagnosing an attack as targeted in the moment enables your defense to prioritize its efforts to the key areas that enable a more appropriate defense response. This diagnostic is driven by information and visibility available to the security team via the three C's of security: context, correlation and causation.

It's one thing to find the attacker, it's another to learn how they got there, what they may have seen along the way, how long it's been, and if they took anything. This visibility will also enable the remediation necessary to ensure it doesn't happen again, and make the security program stronger.

Support for the three C's includes deploying controls along the kill chain to create a field of landmines to slow an attack's progression and provide the security team time and visibility. 

A well-constructed centralized cybersecurity platform can bring together all of the insights related to a targeted attack that may differ from the noise of opportunistic drive-bys.

With a program that produces the three C's, a cybersecurity team should know clearly whether or not there are gaps to address. It can be confident on known patterns of successful attacks and unsuccessful attacks, thus prioritizing efforts and investment.

Without the three C's, cybersecurity can be led into comfort, thinking that they aren't being targeted or that targeted attacks are being stopped. The information they do have is incomplete for quantifying and qualifying risks—a gap in and of itself.

In reality, while perimeter defenses are working to stop opportunistic cyberattacks, the word might be out amongst the nefarious that your business is worth the effort to target. Lacking feedback, this is how businesses gain a false sense of security and could find themselves in the position of a breach that had been in place for six months...and they're shocked.

Managing cyber risk like other business risks helps IT and management see eye to eye on the budget, resources, and outcomes of the company's cybersecurity program.