Symantec uses visual maps to identify e-mail-based targeted attacks

Symantec has developed a way of detecting targeted attacks through mapping e-mail patterns to identify single gang activity.

Advanced persistent threats (APTs) are one of the most difficult challenges faced by the anti-virus community.

Rare and notoriously tricky to detect, successful targeted attacks can be extremely damaging to an organisation.

To the unsuspecting recipient, these attacks appear to be random, but when mapped visually a pattern emerges, showing how targeted these incidences are, said Martin Lee, senior analyst at Symantec.

Within a hosted service environment, targeted attacks over e-mail remain rare, he said, but substantial numbers of such attacks can be collected due to the high number of e-mails processed and the large number of organisations for whom e-mails are scanned for malware.

This means that the broader pattern of activity of targeted attacks can be studied, Lee wrote in a blog post.

Since April 2008, Symantec has identified 72,500 targeted attack e-mails sent to 28,382 e-mail addresses.

"We block approximately 500,000 malicious e-mails each day sent to the approximately 10 million e-mail addresses that we protect," said Lee.

However, the rarity of targeted attacks and the persistence of attackers can be exploited by researchers to draw up maps of activity of what may be the activities of single gangs, he said.

The map consists of dots representing each e-mail address that was sent an attack, and the lines joining the dots represent two e-mail addresses that were sent the same attack to create a visual representation of a series of targeted attacks against individuals.

During 2010, Symantec identified 3,477 targeted attack e-mails sent to UK-based private sector customers. These e-mails could be arranged into 351 distinct attacks based on many of the e-mails containing similarities.

Although many of the attacks are singletons, Lee said 311 of the attacks could be associated with others to form "constellations", representing clusters of activity.

"We believe that these 'constellations' demonstrate the concerted action of the unknown organisations that are often referred to as the APT and their activities against companies within the UK," he said.

According to Lee, the application of network theory and the use of unordered graphs to map topographically targeted attacks represents a promising technique for understanding and protecting against such attacks.