How Attackers Are Circumventing Your Best Defensive Measures
When ethical hackers such as Kevin Mitnick, Pablos Holman or Ruben van Vreeland take center stage at tech conferences and flex their cyber-talents by showcasing how easily they can infiltrate popular cloud ecosystems such as Microsoft Office 365 with a few masterful keystrokes, uneasy attendees sit up and take notice.
It’s not that people are so enamored by the stealthy skills of the presenters — of course they are — but that nervous adrenaline that sweeps through the crowd is rooted in the realization that security as they know it will never be the same again.
Why I chose to be an ethical hacker | Ruben van Vreeland | TEDxEindhoven:
Recent news stories confirm that cyber attacks are on the rise for both businesses and the Managed Solution Providers (MSPs) that manage client IT systems.
Recent Cyber Attacks
- MSP Pays Hacker $150,000 to Unlock and Recover Data For Client
- Georgia Court System Attacked by Hackers
- 16,000 Redwood Eye Center Patients in California Impacted by Ransomware Breach at IT Lighthouse, the MSP Hosting the Server for Its Healthcare Client
- Florida City Will Pay Over $600,000 To Attackers
According to the 2019 Verizon Data Breach Investigations Report (DBIR), 69% of attacks on business organizations are perpetrated by outsiders, while 34% involved internal actors. [1]
What types of attack actions are being utilized? According to Verizon:
- 52% of breaches featured Hacking
- 33% included Social attacks
- 28% involved Malware (24% of which were Ransomware)
- 15% were Misuse by authorized users
Verizon also claims that C-level executives were 12x more likely to be the target of social incidents and 9x more likely to be the target of social engineering breaches than in years past. Social engineering includes activities such as: phishing, pretexting, baiting, whaling attacks, quid pro quo and tailgating.
Social engineering is a technique used by attackers to trick users into revealing personal information. Impersonating an accountant and then soliciting an employee to make an emergency payment by clicking a link to a bogus supply chain app is one such example. Any data sent down this path can be used to gain access to other systems such as bank accounts or accounting systems to carry out criminal actions.
Popular defenses against hacker attacks, such as firewalls, endpoint security and antivirus software, rarely slow attackers down, according to the Nuix Black Report. [2] 88% of hackers can break into their desired system and get through cyber security defenses in 12 hours or less. It only takes an additional 12 hours for 81% of hackers to find and take valuable data.
For staff gone bad, many already have user login credentials to internal systems, so unauthorized intrusions or extractions are much easier to pull off — and much harder to detect.
No business is immune from attack. According to Verizon, the following industries are the most susceptible:
- Educational Services
- Financial & Insurance
- Accommodation & Food Services
- Public Administration
- Information Technology
- Professional, Technical & Scientific Services
To understand the importance of security and how to stay two steps ahead of attackers, it can be useful to examine “dark activities” from a different perspective —an attacker trying to find their way into your organization. Attackers come in many forms, but for today’s discussion we’ll focus on two primary culprits: unethical hackers and disgruntled employees.
Unethical hackers are primarily motivated by cash. Some are driven more by ideology. Most are dangerous if left unchecked with the keys to your kingdom, i.e. your business.
Austin Thompson (aka DerpTrolling), the hacker who started the DDoS attacks on Sony, EA, and Steam six years ago, was only recently sentenced to 27 months in prison. [3] The hacker is said to have justified his actions based on ideology, using outlandish excuses such as “to spoil everyone’s holiday,” and “to make people spend time with their families.”
According to Penny Hoelscher, writing for Infosec, nefarious hackers wear multiple titles, from Black Hats (criminals motivated by money) to Hacktivists (driven by a cause, e.g., politics, ideology or religion) to State-Sponsored Hackers (those supported by a government agency). [4]
“Understanding hackers’ motivations and traits can help an organization to identify their potential enemies,” writes Penny. “Armed with this knowledge, organizations can devise realistic attack scenarios against which to arm themselves. Understanding the criminal mind behind an incident can help to analyze the magnitude of a threat and how to resolve it.”
Armed with insights into likely attacker characteristics, a business could take preventative measures such as hiring a white hat consulting firm to test the firm’s security.
Unhappy (disgruntled) current or former employees are a bit different from unethical hackers — and are usually harmless — but in some cases they can be motivated by revenge (or ignorance) to inflict damage on a company’s reputation or steal its intellectual property for sabotage or profit.
For example, 2.9 million members of Canada’s Desjardins Group, North America’s biggest federal credit union, had their credit information exposed after the data was stolen by an employee. [5]
According to an article in SiliconANGLE about the Desjardins attack, “The motivation of the employee — and whether the data stolen was shared with others — is not clear. What is known is that he not only used his own employee credentials to gain access to the data but also tricked others at the credit union into providing theirs, overcoming built-in safeguards that the company designed to prevent any single employee having access to all data.” [6]
A Ponemon Institute survey showed that over 50% of employees surveyed felt that using competitive information taken from a previous employer was not a criminal act, reasoning that ownership of such information resides in its creator rather than the former employer. 40 percent of those employees surveyed admitted they intended to use the pilfered information in a new job. [7]
According to the Society for Human Resource Management (SHRM), there are several tell-tale signs of a disgruntled employee: [8]
- Poor on-the-job performance
- Absenteeism higher than average
- Poor attitude at work, such as negative co-worker conversations and attitudes
- Inability to get along with the team
Early detection of disgruntled staff is possible by focusing on these common traits — and action plans geared toward preventing damage by such rogue actors can help stop common threats such as internal IP/data theft, espionage and other harmful activities from happening.
Now that you know a little more about two types of attackers, disgruntled staff and unethical hackers, let’s talk a bit more about the methods they’re using to infiltrate, stalk, siphon, damage, hold hostage and steal.
As businesses continue to transition to more cost efficient cloud-based solutions such as G Suite and Office 365, their emails, attachments, calendars and tasks come with them. Attackers, always looking for the easiest path to success, have fine-tuned their tactics to locate, infiltrate and control the data they desire.
According to Webroot, 94% of data breaches originate from email, so for an unethical hacker, this is the primary way many of today’s worst actors prey on unsuspecting companies. [9] Phishing scams are an example.
With 48% of malicious email attachments being Microsoft Office files, it’s clear that many hackers aren’t deploying sophisticated cyber attacks against hard-to-penetrate operating systems or remote servers — they’re simply focusing on huge soft targets such as Microsoft Outlook email.
G Suite Gmail is another email system that rogue actors have in their crosshairs. Hackers have recently been successful in bypassing common forms of Google’s two-factor authentication (2FA), causing Google to heavily promote its Account Protection Program designed to “provide even stronger protection for those at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams.” [10]
Worse yet, companies take about 197 days to identify and 69 days to contain a breach according to IBM. [11] This means that a wide range of rogue activities can be taking place over a long period of time, undetected.
Kevin Mitnick Live Hacking:
According to Courtney Casey, Director of Marketing for Accent Computer Solutions, Inc., another common point of entry into business systems for attackers is mobile devices.
“Mobile devices are susceptible as breach points for a couple of unique reasons,” said Courtney. “First, many people do not have a password or any other security on their mobile devices. Second, mobile devices are more likely to get lost or stolen than corporate workstations. Finally, users generally don’t consider their mobile devices to be ‘real technology’ to the same degree as their laptop or desktop. This means that they are much more likely to load the latest games and apps available to their device. This increases risk considerably since many people don’t pay much attention to the source or what information an app is requesting access to before they download it.” [12]
Stealing passwords and gaining access to business systems has been elevated to an art form. WhatIsMyIPAddress.com put together a list of common attack methods that rogue actors use to infiltrate, pillage and steal. [13]
- Back door: A secret pathway a hacker uses to gain entry to a computer system.
- Buffer overflow: A method of attack where the hacker delivers malicious commands to a system by overrunning an application buffer.
- Denial-of-service attack: An attack designed to cripple the victim’s system by preventing it from handling its normal traffic, usually by flooding it with false traffic.
- Email worm: A virus-laden script or mini-program sent to an unsuspecting victim through a normal-looking email message.
- Root access: The highest level of access (and most desired by serious hackers) to a computer system, which can give them complete control over the system.
- Root kit: A set of tools used by an intruder to expand and disguise his control of the system.
- Script kiddie: A young or unsophisticated hacker who uses base hacker tools to try to act like a real hacker.
- Session hijacking: When a hacker is able to insert malicious data packets right into an actual data transmission over the Internet.
The list of attack methods that hackers utilize to breach business organizations is long and ever-evolving. This poses significant challenges for businesses trying to stay one step ahead of the bad guys.
Defense Against Dark Actors
The growing number of cyber attacks and the statistics around how and why they’re happening raises the question: What can businesses do to prevent becoming a victim? While there is no silver bullet, defensive measures against dark actors can significantly reduce actual losses.
For example, insider threats can be monitored with behavioral analysis software, which flags unusual behavioral patterns. Unfortunately, many transgressions go unnoticed by these tools, especially for employees who have legitimate access to company data.
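As an added illustration (not from the original article or any vendor's product) of the kind of pattern such behavioral analysis can flag, here is a small Python detector modeled on the Desjardins case above: several employees' credentials used from one workstation within a short window, with the union of the data they reach crossing the per-employee segmentation boundary. The log format, field names, thresholds and sample entries are constructed assumptions.

```python
# Added example: flag credential aggregation from access logs.
# Log format, hosts, users, datasets and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: "timestamp,user,workstation,dataset"
SAMPLE_LOG = """\
2019-06-03T09:02:11,alice,WS-104,member_credit
2019-06-03T09:15:40,bob,WS-221,member_contact
2019-06-03T09:31:05,alice,WS-104,member_credit
2019-06-03T10:02:19,carol,WS-104,member_contact
2019-06-03T10:04:55,dave,WS-104,member_accounts
2019-06-03T10:07:30,alice,WS-104,member_credit
2019-06-03T14:20:00,erin,WS-310,member_accounts
"""

def parse_log(text):
    """Parse CSV-style lines into (timestamp, user, host, dataset) tuples."""
    rows = []
    for line in text.splitlines():
        ts, user, host, dataset = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, host, dataset))
    return rows

def flag_shared_workstations(rows, window=timedelta(hours=1), min_users=3):
    """Return {host: users} for workstations from which at least min_users
    distinct credentials were used inside any window-long interval."""
    by_host = defaultdict(list)
    for ts, user, host, _ in rows:
        by_host[host].append((ts, user))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[host] = users
                break
    return flagged

def flag_segmentation_breach(rows, flagged_hosts):
    """For each flagged workstation, collect every dataset reached from it.
    More than one segmented dataset means the per-employee safeguard that
    keeps any single person from reaching all data was effectively bypassed."""
    result = {}
    for host in flagged_hosts:
        datasets = {d for _, _, h, d in rows if h == host}
        if len(datasets) > 1:
            result[host] = datasets
    return result
```

A real deployment would read the same fields from the directory or data-warehouse audit log and tune the window and user threshold to the site's normal shared-desk usage.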
According to Sherri Davidoff, an MIT grad and one of the first female white-hat hackers, who runs LMG Security, there are many things individuals and businesses can do to safeguard their data. [14]
Davidoff’s Top 3 Cybercrime Protection Tips:
- Think before you click
- Backup your data
- Enable two-factor authentication on every account/system
Verizon’s annual data breach report provides a plethora of stats, insights and remedies on how to protect your business against the growing tide of dark actions. Here are six culled from their recent report.
Verizon’s Best Practices to Prevent Breaches:
- Clean security hygiene
- Maintain integrity monitoring
- Two-factor authenticate (2FA) everything
- Be wary of inside jobs by tracking insider behavior (see Insights BI)
- Scrub packets to mitigate DDoS
- Be socially aware of links and executables
For Office 365, the defensive approach is a bit more nuanced. Cloud distributor Pax8 recently outlined 8 Steps to Secure Microsoft Office 365 in an infographic they published. [15]
8 Steps to Secure Microsoft Office 365 by Pax8
- Enable built-in security features
- Put endpoint security in place
- Layer additional security on top of Office 365
- Enforce data protection and compliance
- Implement web and network security together
- Begin ongoing end user security training
- Add mobile security
- Create a backup and disaster recovery plan
Approaching cyber defenses with an attacker’s mindset can help organizations think differently to spot abnormalities that might otherwise go unnoticed. The only sure way to keep corporate data safe is to make it inaccessible to bad actors. Since no one threat detection method is 100% foolproof, businesses need to deploy a variety of tactics to train, deter, identify, extract, safeguard and even restore a firm’s digital information at all times. Defense against dark actors requires constant diligence with a dash of resilience.
References:
- [1] 2019 Verizon Data Breach Investigations Report
- [2] Nuix Black Report
- [3] BankInfoSecurity.com Article
- [4] Infosec Article
- [5] Bloomberg Article
- [6] SiliconANGLE Article
- [7] Launch To Thrive Article Quoting Ponemon
- [8] SHRM Article
- [9] 2018 Webroot Threat Report
- [10] ZDNet Article on Bypassing 2FA Security in Gmail
- [11] ZDNet Article
- [12] Courtney Casey Blog Post
- [13] How Do Hackers Get Into Computer Systems?
- [14] NBC News Article
- [15] Pax8 Infographic