Targeted attack discovery
US-2016094565-A1 · Mar 31, 2016 · US
US9754106B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9754106-B2 |
| Application number | US-201414513804-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 14, 2014 |
| Priority date | Oct 14, 2014 |
| Publication date | Sep 5, 2017 |
| Grant date | Sep 5, 2017 |
Official abstract text for this publication.
The disclosed computer-implemented method for classifying security events as targeted attacks may include (1) detecting a security event in connection with at least one organization, (2) comparing the security event against a targeted-attack taxonomy that identifies a plurality of characteristics of targeted attacks, (3) determining that the security event is likely targeting the organization based at least in part on comparing the security event against the targeted-attack taxonomy, and then in response to determining that the security event is likely targeting the organization, (4) classifying the security event as a targeted attack. Various other methods, systems, and computer-readable media are also disclosed.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for classifying security events as targeted attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: detecting at least one malicious security event in connection with at least one organization; comparing the malicious security event against a targeted-attack taxonomy that comprises a plurality of categories, each category including a plurality of characteristics of targeted attacks; determining, based at least in part on comparing the malicious security event against the targeted-attack taxonomy, that the malicious security event is likely specifically targeting the organization by: calculating, based at least in part on comparing the malicious security event against the targeted-attack taxonomy, a category score for each category within the plurality of categories included in the targeted-attack taxonomy; determining the number of features of the malicious security event that match corresponding characteristics identified in the targeted-attack taxonomy; calculating, based at least in part on each category score and the number of features of the malicious security event that match corresponding characteristics identified in the targeted-attack taxonomy, a taxonomy score that represents the likelihood that the malicious security event is part of a targeted attack campaign as opposed to an indiscriminate or non-targeted attack; and determining that the taxonomy score exceeds a certain threshold; and in response to determining that the malicious security event is likely specifically targeting the organization, classifying the malicious security event as part of a targeted attack campaign that is specifically targeting the organization instead of an indiscriminate or non-targeted attack.

2. The method of claim 1, wherein comparing the malicious security event against the targeted-attack taxonomy comprises: identifying a plurality of features of the malicious security event; and comparing the plurality of features of the malicious security event against the plurality of characteristics identified in the targeted-attack taxonomy.

3. The method of claim 1, further comprising weighting at least one of the characteristics identified in the targeted-attack taxonomy to increase or decrease the characteristic's influence in the calculation of the taxonomy score.

4. The method of claim 1, wherein determining that the malicious security event is likely targeting the organization comprises determining that each category score exceeds a corresponding threshold.

5. The method of claim 1, further comprising weighting at least one category score to increase or decrease the category score's influence in the calculation of the taxonomy score.

6. The method of claim 1, further comprising: collecting security-related telemetry data from at least one security system; identifying, within the security-related telemetry data, a plurality of characteristics indicative of targeted attacks; and creating the targeted-attack taxonomy from the plurality of characteristics indicative of targeted attacks.

7. The method of claim 1, further comprising notifying the organization that the malicious security event has been classified as part of a targeted attack campaign that is specifically targeting the organization.

8. The method of claim 1, wherein classifying the malicious security event as part of the targeted attack campaign comprises labeling the malicious security event to indicate that the malicious security event is part of the targeted attack campaign.

9. The method of claim 8, further comprising: detecting another malicious security event in connection with the organization; comparing the other malicious security event against the targeted-attack taxonomy; determining, based at least in part on comparing the other malicious security event against the targeted-attack taxonomy, that the other malicious security event is likely specifically targeting the organization; classifying the other malicious security event as another part of the targeted attack campaign that is specifically targeting the organization instead of an indiscriminate or non-targeted attack; and labeling the other malicious security event to indicate that the other security event is part of the same targeted attack campaign as the malicious security event.

10. A system for classifying malicious security events as targeted attacks, the system comprising: a detection module, stored in memory, that detects a malicious security event in connection with at least one organization; a determination module, stored in memory, that: compares the malicious security event against a targeted-attack taxonomy that comprises a plurality of categories, each category including a plurality of characteristics of targeted attacks; determines, based at least in part on comparing the malicious security event against the targeted-attack taxonomy, that the malicious security event is likely specifically targeting the organization by: calculating, based at least in part on comparing the malicious security event against the targeted-attack taxonomy, a category score for each category within the plurality of categories included in the targeted-attack taxonomy; determining the number of features of the malicious security event that match corresponding characteristics identified in the targeted-attack taxonomy; calculating, based at least in part on each category score and the number of features of the malicious security event that match corresponding characteristics identified in the targeted-attack taxonomy, a taxonomy score that represents the likelihood that the malicious security event is part of a targeted attack campaign as opposed to an indiscriminate or non-targeted attack; determining that the taxonomy score exceeds a certain threshold; and a classification module, stored in memory, that classifies the malicious security event as part of a targeted attack campaign that is specifically targeting the organization instead of an indiscriminate or non-targeted attack in response to the determination that the malicious security event is likely specifically targeting the organization; and at least one hardware processor that executes the detection module, the determination module, and the classification module.

11. The system of claim 10, wherein the determination module compares the malicious security event against the targeted-attack taxonomy by: identifying a plurality of features of the malicious security event; and comparing the plurality of features of the malicious security event against the plurality of characteristics identified in the targeted-attack taxonomy.

12. The system of claim 10, further comprising weighting at least one of the characteristics identified in the targeted-attack taxonomy to increase or decrease the characteristic's influence in the calculation of the taxonomy score.

13. The system of claim 10, wherein the determination module determines that the malicious security event is likely targeting the organization by determining that each category score exceeds a corresponding threshold.

14. The system of claim 10, further comprising a taxonomy module that weights at least one category score to increase or decrease the category score's influence in the calculation of the taxonomy score.

15. The system of claim 10, further comprising a taxonomy module that: collects security-related telemetry data from at least one security system; identifies, within the security-related telemetry data, a
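The claims above name the quantities the method computes (a score per taxonomy category, the count of event features matching taxonomy characteristics, a combined taxonomy score, a threshold test, and a campaign label shared by later events against the same organization) but not the formulas. The following is an added illustration written for this page, not the patent's own implementation: the taxonomy entries, characteristic and category weights, thresholds, scoring formulas, sample events and the one-campaign-per-organization labeling rule are all constructed assumptions chosen to make the claimed steps concrete.

```python
"""Illustrative scorer for the claimed targeted-attack classification method:
detect -> compare against taxonomy -> score -> threshold -> classify/label.
Added example code; every formula, weight, threshold and taxonomy entry is an
assumption for this example and does not come from the patent."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Category:
    """One taxonomy category: characteristics with per-characteristic weights
    (claims 3/12), a category weight (claims 5/14) and a per-category
    threshold (claims 4/13)."""
    name: str
    characteristics: dict   # characteristic -> weight
    weight: float = 1.0
    threshold: float = 0.0


@dataclass
class Verdict:
    event_id: str
    targeted: bool
    taxonomy_score: float
    matched_features: int
    category_scores: dict
    campaign_label: Optional[str]  # set only when classified as targeted (claim 8)


# Constructed taxonomy: the characteristic names are illustrative labels for
# features a telemetry pipeline might emit; they are not taken from the patent.
TAXONOMY = (
    Category("delivery",
             {"spear_phishing_email": 1.0, "named_recipient": 0.8, "lure_references_org": 1.0},
             weight=1.0, threshold=0.3),
    Category("tooling",
             {"custom_malware": 1.0, "low_prevalence_binary": 0.7, "signed_with_stolen_cert": 0.6},
             weight=1.5, threshold=0.2),
    Category("infrastructure",
             {"fresh_domain": 0.5, "lookalike_domain": 1.0, "org_specific_c2": 1.0},
             weight=1.2, threshold=0.0),
)

TAXONOMY_THRESHOLD = 0.4  # assumed value for the "certain threshold" of claim 1


def category_score(category: Category, features: set) -> float:
    """Assumed formula: weighted fraction of the category's characteristics
    present among the event's features."""
    total = sum(category.characteristics.values())
    hit = sum(w for c, w in category.characteristics.items() if c in features)
    return hit / total if total else 0.0


def matched_feature_count(taxonomy, features: set) -> int:
    """Number of event features that match any taxonomy characteristic."""
    known = {c for cat in taxonomy for c in cat.characteristics}
    return len(features & known)


def taxonomy_score(taxonomy, features: set):
    """Assumed formula: 70% weighted mean of category scores plus 30% of the
    matched-feature coverage. Returns (score, category scores, match count)."""
    scores = {cat.name: category_score(cat, features) for cat in taxonomy}
    matched = matched_feature_count(taxonomy, features)
    total_characteristics = sum(len(cat.characteristics) for cat in taxonomy)
    weighted = sum(cat.weight * scores[cat.name] for cat in taxonomy) / sum(cat.weight for cat in taxonomy)
    coverage = matched / total_characteristics
    return 0.7 * weighted + 0.3 * coverage, scores, matched


class TargetedAttackClassifier:
    """Keeps per-organization campaign labels so that later events classified
    as targeting the same organization get the same label (claim 9).
    Assumption: one open campaign per organization."""

    def __init__(self, taxonomy=TAXONOMY, threshold=TAXONOMY_THRESHOLD):
        self.taxonomy = taxonomy
        self.threshold = threshold
        self.campaigns = {}  # org -> campaign label

    def classify(self, event: dict) -> Verdict:
        features = set(event["features"])
        score, scores, matched = taxonomy_score(self.taxonomy, features)
        # Claim 4: every category score must exceed its own threshold too.
        categories_ok = all(scores[cat.name] > cat.threshold for cat in self.taxonomy)
        targeted = categories_ok and score > self.threshold
        label = None
        if targeted:
            label = self.campaigns.setdefault(event["org"], f"targeted-campaign/{event['org']}")
        return Verdict(event["event_id"], targeted, score, matched, scores, label)


# Constructed sample events (not from the patent). evt-2 models commodity
# malware from a new domain: it matches some characteristics but no delivery
# characteristic, so the per-category threshold rejects it.
SAMPLE_EVENTS = [
    {"event_id": "evt-1", "org": "acme", "features": ["spear_phishing_email", "lure_references_org",
                                                      "custom_malware", "lookalike_domain", "macro_document"]},
    {"event_id": "evt-2", "org": "acme", "features": ["fresh_domain", "low_prevalence_binary"]},
    {"event_id": "evt-3", "org": "acme", "features": ["named_recipient", "org_specific_c2",
                                                      "signed_with_stolen_cert", "spear_phishing_email"]},
]


def run_samples():
    clf = TargetedAttackClassifier()
    return [clf.classify(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for v in run_samples():
        print(f"{v.event_id}: targeted={v.targeted} score={v.taxonomy_score:.3f} "
              f"matched={v.matched_features} label={v.campaign_label}")
```

Running it classifies evt-1 and evt-3 as the same campaign against "acme" and rejects evt-2, whose overall score is low and whose delivery category score is zero. The two-stage gate (per-category thresholds from claim 4 on top of the overall threshold from claim 1) is what keeps a single strongly matching category from carrying an otherwise indiscriminate event over the line.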
Detecting local intrusion or implementing counter-measures · CPC title
involving event detection and direct action · CPC title
Event detection, e.g. attack signature detection · CPC title