The global pandemic has seen a massive change in how people work, live, shop and communicate. We have seen businesses completely change how they interact with their customers. Business to consumer organizations have seen the biggest changes, but it has also impacted business to business organizations. Traditional approaches to basic business functions such as sales, marketing, supply chains and customer service need to be reimagined and focused. Many new developments and technologies that have come out of the COVID-19 era will forever change how we do things. These changes have also created a new set of vulnerabilities for cybercriminals to exploit.
Amidst the pandemic, we have seen a dramatic rise in the number of cyberattacks over the last nine months. Based on recent statistics, cyberattacks tripled in the second quarter of 2020 over the first quarter. Losses from cybercrime have increased by 50% over the last 12 months. Cybercriminals have taken this opportunity to become more efficient at their craft by incorporating new technologies such as AI and Analytics and working together.
With cybercrime growing fast, as is the number of businesses experiencing a critical cyber event, I more often hear folks asking, “Are we losing the war on cybercrime?” This is a good question, and the answer is complex. As an industry, we have made incredible advances in security detection and monitoring technologies, and businesses are purchasing these technologies at a record rate. Unfortunately, people look at security as a technology issue. It is not. Security and the privacy of your critical digital assets are business issues.
Sun Tzu, in his writings, The Art of War, states that in order to be successful, you must (1) Know Yourself; (2) Know Your Enemy and (3) Know the Battlefield.
Knowing Yourself is fairly straightforward – you need to understand your current security program and what threats and vulnerabilities exist.
Knowing Your Battlefield means understanding what you are protecting and the flow of sensitive data as well as access to data, including third-party organizations that share your data.
Knowing Your Enemy is about understanding the cybercriminal, what they are after, how they think, what motivates them and their strategy and approach to attacking your business. This is where most organizations are blind. They do not really understand how these groups think and fail to adjust their strategies to account for this.
If you apply traditional military strategy concepts to information security, most companies have a defensive strategy when it comes to their security infrastructure, building walls around the critical assets. If an overwhelming force is trying to breach the walls, it will eventually overcome the defenses. Suppose this opposing force utilizes additional strategies, such as flanking or feigning (deception). In that case, it can attack known weaknesses in the defenses or even from the inside and will be successful. I will get more into defensive strategies later. Understanding how these groups think is critical in building an effective security strategy.
Types of Cybercriminals
Understanding the enemy is the first tool when defending and fighting against them. Cybercriminals are continually exploring new ways of intrusion, looking for new vulnerabilities to exploit without being detected. In many cases, the organizations being attacked do not notice the intrusion for months or even years. These criminal individuals and groups have more expertise as well as advanced tools and technologies at their disposal.
To start, we must understand the different types of “hackers” and their motivations.
- Script Kiddies are typically young people (teenage to mid-20s) who attempt to hack for the challenge or recognition from their peers. Many of these kids became involved in using hacking techniques as early as in their pre-teens. Unfortunately, in most cases, there is little oversight from parents/guardians to put into context the ethical and legal impacts of their actions. Since sophisticated hacking and network tools are readily available at no or little cost, it is not surprising that many of these kids graduate to one of the other cybercriminal entities. I am going to include cyberstalking in this group, since it is typically an individual with a grudge against a person who is bent on causing personal destruction, primarily through social media.
- Eco and Political Activists are intent on disrupting environmental organizations or businesses they view as opponents to their cause. Typically, their actions are to disrupt the operation, deface the website and embarrass the organization.
- Cyber Criminal Organizations are focused on making money by stealing personal or financial information as well as intellectual property. Recently, the main focus has been holding a company hostage by encrypting all the business’s data and demanding payment in the form of a ransom in exchange for releasing the information. The term for this is ransomware, and it has grown exponentially over the last year.
- Nation States are foreign government entities looking to steal sensitive information from other governments or intellectual property from businesses. These entities will also conduct denial of service attacks and malicious virus attacks to disrupt another country’s operations and elections.
Methods and Targets
Now that we have an understanding of the various types of criminal groups, we need to know what they target and what methods they use to gain access and obtain the targeted information.
Brute Force Hacking – the most common attacks are probing and identifying a vulnerability in external facing systems such as websites or portals. Typically, hackers look for a known vulnerability that hasn’t been addressed or an open port that has not been shut down. Actions resulting from these types of attacks are Malware Injection, SQL Injection Attacks, Cross-site Scripting (XSS), Session Hacking, Man-in-the-Middle Attacks and Credential Reuse. These types of attacks usually happen over months or years, since it may take time to get into the system and then perform detailed reconnaissance to find valuable information without being detected.
Denial of Service Attacks – the main purpose of these attacks is to disrupt operations by overwhelming your external facing infrastructure to a point where one or more of those systems fail and the systems are no longer available. All four of the cybercriminal profiles utilize this type of attack. Typically, we see it happen to e-commerce and business to consumer as well as hosting and telecom businesses, but any business with an outside facing website or portal can be attacked this way. These also include the big social media companies, traditional media companies, banks, federal and state government sites and nonprofits/charities.
Social Engineering and Phishing Attacks are the most common attacks since humans are the weakest link in a security program. It is much easier to compromise a user by having them hand over their credentials than trying to use brute force on a mature security infrastructure. Credentials can easily be obtained simply with a phone conversation or through an email. Email phishing is the most common form of exploitation since users are typically not well-trained and naïvely assume that if the email says it is coming from a legitimate organization or person, then the email is legitimate. Once the person opens an attachment or clicks on a link, a number of things can happen.
- A keylogger will be installed on the user’s computer to eventually get the user’s credentials and monitor their activity.
- Malware installed on the user’s computer will replicate itself on all connected devices and servers.
- Ransomware loaded on the user’s computer will search out all connected devices and encrypt all data on all devices.
Social engineering is the main vehicle used for fraud activity on businesses by compromising email systems and supply chains. These criminals take on the identity of a key executive or a supply chain partner to redirect payments to a secure foreign bank account. According to contacts in the FBI and Secret Service, these activities increased significantly after the majority of business activities moved to remote operations due to the pandemic.
Steps to Protect Yourself and Your Company
How do you protect yourself and your company from these attacks? Here is a set of key steps that can help mitigate or prevent attacks from cybercriminals, if implemented:
- Educate Your Employees
Since more than 90% of all cyber events involve human error, security awareness training is critical. Training employees to recognize phishing attacks and not open any attachments or even emails from anyone they do not know should be at the top of your list. Secondly, implement a two-step process when receiving emails or even phone calls from management requesting a high-dollar purchase. This can be as simple as requiring a direct call to the individual making the request to confirm its authenticity. This step can significantly reduce the chances of fraud.
- Segment Your Networks
Organizations can limit exposure to a breach by effective network segmentation. Once inside your network, cyberintruders will perform reconnaissance in order to “laterally” move to other devices connected within that segment. If they do not have authorization to move to another segment, you have effectively mitigated the exposure. Think of your network as a submarine. Submarines have numerous compartmentalized areas – in the event one compartment is compromised, it does not compromise the whole submarine.
- Lock Down Your End Points
I am always amazed when I find end-user devices that allow the installation of unauthorized software. This is an easy fix and can prevent malicious software from installing payloads such as ransomware.
- Privileged Access Management
Implement a process or privileged access management (PAM) technology to monitor and manage privileged access accounts. Cybercriminals focus on finding these important accounts as they allow them to move through the network quickly and almost undetected.
- Implement Layers of Defenses
Do not rely on one device. At a minimum, security layers should include firewalls, intrusion detection/prevention, network access control, endpoint protection/EDR and adaptive security/deception technologies.
- Slow Down the Intruders
Once inside your network, malicious software moves laterally in seconds or sub-seconds. Humans cannot respond fast enough to prevent this movement. Implementing adaptive security or deception technology makes it more difficult for the attackers by automatically detecting an intrusion without giving any false positives and slowing down the attack, making it difficult for the attacker to find other real nodes to jump to. This gives your response team the needed time to respond to the attack and mitigate the damage.
- Monitor, Monitor, Monitor
If you are not continuously watching what is coming in and going out of your networks, you have probably already experienced a significant breach and may not even know it. Building out a security operation center and staffing a highly skilled security response team is expensive and could take a long time to implement. Most organizations have gone to or are considering contracting with managed security services providers to provide this function.
- Trust But Verify
Vet your third parties and vendors to ensure they are protecting your data according to industry standards and what is in your contract. If they are connecting to your network, ensure you are monitoring their access through access control and that they are using multi-factor authentication. You cannot assume they are good stewards of your data. “Trust but Verify.”
- Constantly Assess Your Security, Compliance and Risk Programs
Make sure you are regularly evaluating your security, compliance and risk programs since threats, vulnerabilities and risks are dynamic and constantly changing. Point in time or annual reviews will give a false sense of security since each time you add or change a network, application, server or software program, you may have introduced a new vulnerability.
Organizations need to make security part of the company culture and every employee should understand their role in protecting the organization’s digital assets.
If you have questions about these steps or anything else covered in this article, please contact the author, Jeff Brown.