The most high-profile examples of recent targeted attacks have been on the networks of Google, Adobe Systems, Juniper Networks, Rackspace and even Symantec, among others. Google publicized the attack in January, revealing that hackers in China had broken into Gmail accounts of Chinese dissidents. While commonly known as "the Google attack" in IT security circles, it's also been called Operation Aurora or the Hydraq Attack.
Dorosin explained that the new Symantec software, to be introduced at the Symantec Vision 2010 conference today in Las Vegas, is designed to upset the four stages of a typical targeted attack, which are Incursion, Discovery, Capture and Exfiltration.
Incursion is the method by which an attacker breaks into a targeted network. Unlike a mass attack, where malicious software is hidden in an e-mail in the hopes that someone will unwittingly open it and infect their computer with malware, a targeted attack focuses on an individual at a specific company who might have access to valuable data. The attacker will do research on that person and try to engage them to read e-mails or instant messages. These attackers are patient, Dorosin said. "It takes effort, which I think distinguishes these attacks, but the effort can pay off because there is a lot of information out there about a lot of high-profile people in enterprises," he said.
Once in, the attacker enters the discovery phase, searching the target network to see where the valuable databases, files, e-mail archives or other assets are located. They will observe the targeted individual, his or her behavior and what kind of access privileges they have. This takes time, too. For the Google attack, Dorosin estimated that attackers spent one or two weeks in the discovery phase.