In cybersecurity, the word “Threat” gets thrown around in lots of different ways. When talking about security, a “threat” could refer to any one of the following:
- An Attack that can occur against your environment;
- An Actor that could be directing the attack against your environment;
- A Delivery Mechanism of the attack from the actor;
- A Defensive Technology that is incorrect, or out-of-place, that can fail; or,
- A Component of your Environment that is overly susceptible to attack or being taken advantage of.
Based on these varying entries it is pretty easy to understand how the term can be misused or used correctly in multiple ways at the same time.
With that in mind let’s walk through how we can discuss some common threats or sequences of threats we see in almost every environment. As we discuss the types, we will also point out some common defensive measures.
Let’s start with the most common and most effective delivery vector: Phishing.
Phishing can be broken down into two categories: standard phishing and spear phishing. Standard phishing, or just phishing from this point forward, is not a targeted attack. It is usually delivered via email as a crafted note that attempts to direct the reader to take specific actions. These emails are sent in bulk to random email addresses, or to known email lists that have been compiled and used or sold on the dark web. Their subjects are normally about login credentials or, ironically, are notifications of supposed compromise of the very credentials the attacker is actually trying to get.
Because they are sent in bulk and are often crafted by attackers for whom English is a second language, they are not sophisticated emails and usually contain spelling mistakes, grammatical errors, or other signs of careless construction that come from the scripted nature of the attack.
Not all of them are poorly crafted. There are plenty of examples of impersonated websites and standard company email templates, shared among attackers, that look very clean.
Spear Phishing is a bit more complex. Because of its targeted nature, these emails are usually cleaner and more effective than standard phishing emails, but they take longer to produce, as the attacker needs to do some reconnaissance on the target before crafting the email. Reconnaissance is normally done via social media reviews, LinkedIn, reverse web searches, company profiles or executive profiles, etc. The more of a digital presence the target has, the easier it is to craft something effective.
This reconnaissance can be used not just to target an executive or the person of interest, but can be used to impersonate them and target their co-workers and employees.
Phishing attempts try to impart a sense of Urgency either in their nature or literally in their subject line. The goal is to get something done quickly with the least amount of time taken to think about the possible effect of the action. This is one of the key reasons the Nigerian Prince is still trying to dole out some of the inheritance.
Technical defenses against phishing attacks start at the firewall, or the front door, and then move on to email filtering capabilities. Blocking the connection based on where the email originates, or based on the sender domain and spoofed details within the header or body of the email, are common detection capabilities. Even with the best detection tools, phishing emails, and spear phishing emails in particular, are still going to get through on occasion. It is HIGHLY recommended that a company-wide system for reporting suspicious emails is implemented, along with regular training for users to help them detect and report suspicious emails they may receive before they click.
User detection and security awareness training is becoming more and more critical due to expansions in the delivery of phishing attacks now via social media platforms, chat areas, SMS or text messages, and phone calls. Your users can be allies on the front-lines if they know what to do. If they get unauthorized or questionable messages that don’t match company policies or seem unusual, they should have a mechanism to report that to the security operations team.
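The header and body checks described above (sender domain, spoofed details in the header, urgency in the subject line) can be illustrated with a small triage script. This is an added example, not code from the original post or from deepwatch; it uses only the Python standard library, and the trusted domain, the urgency word list, and the three sample messages are all constructed for the example.

```python
# Added example: heuristic phishing triage over raw email text.
# Every domain, header value and message below is constructed for illustration.
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: the organisation only sends mail from this domain.
TRUSTED_DOMAINS = {"example-corp.com"}
# Constructed list of urgency phrases seen in phishing subject lines.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account",
                 "action required", "expires")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _base(domain: str) -> str:
    # Crude registrable-domain approximation: last two labels.
    return ".".join(domain.split(".")[-2:])


def _body_text(msg: Message) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in parts
                   if p.get_content_type() in ("text/plain", "text/html"))


def score_message(raw: str) -> dict:
    """Run the header/body checks on one RFC 822 message and return findings."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    return_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])

    # 1. Display name carries a trusted address, but the real sender is elsewhere.
    claimed = re.search(r"@([\w.-]+)", from_name)
    if claimed and claimed.group(1).lower() in TRUSTED_DOMAINS \
            and from_domain not in TRUSTED_DOMAINS:
        findings.append("display-name impersonates trusted domain")

    # 2. Replies or bounces would go to a different domain than the From header.
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if return_domain and return_domain != from_domain:
        findings.append("Return-Path domain differs from From domain")

    # 3. Sender claims our domain but the receiving MX recorded SPF/DKIM failure.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in TRUSTED_DOMAINS and ("spf=fail" in auth or "dkim=fail" in auth):
        findings.append("trusted sender domain with failed SPF/DKIM")

    # 4. Urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency language in subject")

    # 5. Link whose visible text names one domain while the href goes elsewhere.
    for href, text in re.findall(r'href="(https?://[^"]+)"[^>]*>([^<]+)<',
                                 _body_text(msg), flags=re.I):
        href_host = re.sub(r"^https?://", "", href).split("/")[0].lower()
        shown = re.search(r"([\w-]+\.[a-z]{2,})", text.lower())
        if shown and _base(shown.group(1)) != _base(href_host):
            findings.append("link text and href domain mismatch")
            break

    return {"from": from_addr, "findings": findings, "score": len(findings)}


def triage(messages: list, threshold: int = 2) -> list:
    """Return the sender addresses of messages scoring at or above the threshold."""
    return [r["from"] for r in map(score_message, messages) if r["score"] >= threshold]


# Constructed sample messages (not real mail).
PHISH_IMPERSONATION = """\
From: "IT Helpdesk (helpdesk@example-corp.com)" <alerts@mail-secure-login.net>
Reply-To: recover@mail-secure-login.net
Return-Path: <bounce@mail-secure-login.net>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=mail-secure-login.net
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Verify now: <a href="https://example-corp.com.login-verify.net/reset">https://example-corp.com/reset</a></p>
"""

PHISH_EXEC_SPOOF = """\
From: Jane Exec <jane.exec@example-corp.com>
Reply-To: jane.exec.private@webmail-free.example
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none
Subject: Quick favor, need gift cards immediately
Content-Type: text/plain

Are you at your desk? I need this done before my meeting.
"""

LEGIT = """\
From: HR Team <hr@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass
Subject: Benefits enrollment reminder
Content-Type: text/html

<p>Details are on the <a href="https://example-corp.com/benefits">benefits page</a>.</p>
"""

if __name__ == "__main__":
    for sample in (PHISH_IMPERSONATION, PHISH_EXEC_SPOOF, LEGIT):
        print(score_message(sample))
    print("flagged:", triage([PHISH_IMPERSONATION, PHISH_EXEC_SPOOF, LEGIT]))
```

Each check maps to one of the signals named in the text: the originating server and sender domain (Reply-To, Return-Path and SPF/DKIM results), spoofed details in the header (the display name) and body (the link), and urgency in the subject. A real filter would weight these signals and feed flagged messages into the reporting and review process the section recommends rather than act on a raw count.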
Up next, a typical reason for a successful threat: People
The End User
It is said that companies need to look at endpoint-based detection because it gets you closest to the problem. Technically, this is correct. But in actuality the human user, your people, are the closest to the problem. They are the ones that click the link, open the file, or view the image. A successful phish isn’t successful until a user is fooled into taking action.
Users also make mistakes. They use production data in testing environments and systems. They copy confidential information to non-controlled systems and formats. They use simple passwords and find MFA (Multi-Factor Authentication) to be too complex. They question and complain about the stringent security controls and lack of access. We all do it. So, how can we help our users and more importantly ourselves when trying to protect the network from users?
As discussed in the phishing section, managing user risks requires security awareness training. With consistent training, users can understand why certain controls are in place, aiding in their compliance with security protocols. Don’t forget that security awareness training for employees also applies to their home computers, families, and friends. Critical thinking and a healthy dose of security-based paranoia can go a long way to protecting users.
The best training in the world needs backups, because people make mistakes. Managed Detection and Response (MDR) and Managed Endpoint Detection and Response (MEDR) services can work actively to reinforce your users by helping prevent, detect, and proactively hunt new and ongoing threats to
The most common threat package delivered by phishing: Ransomware
Hackers and malicious actors are realistically out for one thing, and one thing only: money. Security is a business on both sides of the coin. Whether they can collect information to sell to the highest bidders on the dark web, or targeted information that can be sold to competitive groups or used by governments, the financial benefit to the hacker is the goal. Ransomware is an interesting market where hackers hit on the idea of selling your own information and systems back to you. This method is certainly faster and more effective than selling batches of credit card numbers and social security numbers on Tortuga, Silk Road, Alphabay and other dark web exchanges (note: most of these have been decommissioned, but new ones have sprung up).
Ransomware started as encrypting identified data on computer systems and selling the password back to the user after a ransom was paid. It has of course now moved to network wide system encryption and even device destruction. Ransomware is also now running in hunting packs with multiple ransomware types and variants being used in coordinated attacks against a single target to find the chinks in the armor and cause the maximum amount of damage as quickly as possible.
Attacks against the supply chain via WannaCry, or on the new favorite target, healthcare, are based on hackers following the money, and find the money they did. 2020 was a banner year for ransoms, with a company being attacked every 11 seconds. In 2021 expected costs for ransomware are projected at $20 Billion.
Unfortunately paying ransoms doesn’t always bring systems and data back online. In lots of instances ransoms are paid, and systems are never unlocked or codes never provided. The best defense against a ransomware attack is looking at secure systems, conducting frequent backups of critical systems and data, and using virtualization technology for systemic resets. The ability to revert to the day or couple of hours before an attack can sometimes be the best option of proactive defense.
Cybersecurity Threats Are a Progression
Threats in cybersecurity are a daily and ever-changing situation, but they can be understood through their progression and by thinking about how that progression could impact your business. Strategizing how you manage the risks associated with these threats is a solid approach to stopping the progression of the kill chain at any point along the way – from delivery to execution to impact.
Think through which area of progression you believe you or your company is the weakest at:
- Is it the detection of malicious deliveries?
- Is it the training of your people to identify bad things and limit execution?
- Is it in the business and data recovery in the event of a major problem?
Having a cybersecurity partner help you identify and understand these potential weaknesses or areas of concern is a great way to identify protective controls and build a vulnerability management program to handle these threats and more. deepwatch was built to provide valuable managed security operations services to help clients safeguard data, networks, and users, so that both you and your employees can have peace of mind around the clock.