Today, the majority of nation states are developing cyber war capabilities. Zero-day exploits (exploits that are designed for unknown vulnerabilities for which vendors have no awareness and no patches are available) in critical software are now considered to be attack weapons that can be used to either disrupt or gain control of an opponent’s network infrastructure. Government security agencies are spending millions of dollars for unknown zero-day exploits. The US government is one of the biggest buyers of these cyber weapons [1]. In fact, legitimate security companies find vulnerabilities, write zero-day exploits and sell them to governments for large amounts of money. The result is that the nation states are well equipped to launch targeted cyber attacks. In addition, even with a zero-day exploit in hand, launching a well-crafted targeted cyber attack is not cheap as substantial effort is expended in building multilayer model of attack vectors and adapting them to the target network’s environment. However, targeted attacks are nation state independent and can be initiated by independent attackers around the globe.

It is easy to underestimate the impact and capabilities of targeted cyber attacks. They are capable enough to produce a kinetic effect in which command execution from a remote attacker can disrupt the physical infrastructure of a target. Examples already exist such as the Stuxnet worm [2] that targeted Industrial Control Systems (ICSs). Basically, ICS is a control system that manages and commands the behavior of a machine (equipment) used in production industries (critical infrastructure) comprising of oil, gas, water, and electricity. A well-designed cyber attack can act as a parasite that leeches critical information from the target. The value of a targeted cyber attack is directly proportional to its ability to persist and remain undetected in the target network. To succeed in the hostile environment of network resilience and counter strategies, targeted attacks require multistage attack vectors to build a cumulative attack model. On the other side, automatic breach prevention technologies are required to have the capability to assess and map the probability and effect of targeted cyber attacks.

There exists several definitions of targeted cyber attacks. We adhere to a basic definition based on the naming convention—a targeted attack is a class of dedicated attacks that aim at a specific user, company, or organization to gain access to the critical data in a stealthy manner. Targeted attacks should not be confused with broad-based attacks that are random in nature and focus on infecting and compromising large groups of users. Targeted attacks have a characteristic of discrimination and are not random in nature. It means attackers involved in targeted attacks differentiate the targets (systems/users/organizations) and wait for the appropriate opportunity to execute the attack plan. However, the term “targeted attack” is overused. We believe that the best model of a targeted attack is composed of different elements to perform insidious operations in five different phases: intelligence gathering, infecting targets, system exploitation, data exfiltration, and maintaining control. The intelligence-gathering phase consists of different information-gathering tactics used by attackers to extract data about targets. The infecting-the-target phase reveals how the targets are infected with malware through infection carriers. The system-exploitation phase shows how the target systems are fully compromised using exploits. The data-exfiltration phase is all about extracting information from the compromised systems. The maintaining-control phase shows how the attackers become persistent and remain stealthy in the network while at the same time gain access to additional number of systems in the target environment.

Some important characteristics of targeted attacks are as follows:

Next is the need to understand the purpose of targeted attacks. The attackers’ intentions behind launching targeted attacks are important, but targeted attacks are primarily used for earning financial gain, conducting industrial espionage, stealing intellectual property, disrupting business processes, making political statements, and subverting the operations of a nation’s critical infrastructure.

Overall, targeted attacks are complex in nature because attackers have to invest substantial amount of time in selecting targets, preparing attack models and discovering zero-day vulnerabilities (known vulnerabilities can also be used). Attackers behind the targeted attacks are experts in technology, and are highly motivated to pursue intrusion campaigns. All these factors collectively provide an environment to launch targeted attacks.

A recent study on the elements of targeted attacks has shown that a sophisticated targeted attack can result in millions of dollars in losses for large organizations [3]. For Small and Medium Enterprises (SMEs), a single-targeted attack could be worth many thousands of dollars. A study conducted by Symantec [4] observed that there has been a significant increase in targeted attacks showing a jump of 42% in 2012. This number indicates that hundreds of targeted cyber attacks are happening routinely. On a similar note, Anderson et al. [5] conducted a study on measuring the cost of cyber crime, in which a framework for calculating the cyber crime cost was designed. The framework segregated the cost of cyber crime into four elements: direct costs, indirect costs, defense costs, and cost to the society. The study estimated that global law-enforcement expenditures are close to 400 million dollars worldwide to defend against cyber crime. These figures provide a glimpse of the ever increasing insecurity on the Internet.

There are other variants of targeted attacks known as Advanced Persistent Threats (APTs) [6] that exist on the Internet. Targeted attacks can be considered to be a superset of APTs [7]. Generally, APTs are highly advanced, targeted threats that use multiple attack vectors, persist (easily adaptable) in the wild and can exist undetected (stealth execution) for a long period of time. A number of researchers believe that APTs are primarily state sponsored [8], but we believe that definition to be too restrictive—an APT need not be spons...