To Defend Against Cyber Criminals, You Need to Think Like Them. Here is What You Need to Know
By Jeff Brown, Sr. Business Advisor, Smith & Howard


The global pandemic has brought a huge change in how people work, live, shop and communicate. We have seen businesses totally change how they interact with their customers. Business-to-Consumer organizations have seen the biggest changes, but Business-to-Business organizations have been affected as well. Traditional approaches to basic business functions such as Sales, Marketing, Supply Chains and Customer Service need to be reimagined and refocused. Many new developments and technologies have come out of the Covid-19 era that will forever change how we do things. These changes have also created a new set of vulnerabilities for cyber criminals to exploit.

In the midst of the pandemic we have seen a dramatic rise in the number of cyberattacks over the last 9 months. Based on recent statistics, cyberattacks tripled in the 2nd quarter of 2020 compared to the 1st quarter. Losses from cybercrime have increased by 50% over the last 12 months. Cybercriminals have taken this opportunity to become more efficient at their craft by incorporating new technologies such as AI and analytics, as well as by working together.

With cyber crime growing fast, as is the number of businesses experiencing a critical cyber event, I am hearing folks ask more often, “Are we losing the war on cyber crime?” This is a good question and the answer is complex. We as an industry have made incredible advances in security detection and monitoring technologies, and businesses are purchasing these technologies at a record rate. Unfortunately, people look at security as a technology issue. It is not: the security and privacy of your critical digital assets is a BUSINESS issue.

Sun Tzu, in his writings in The Art of War, states that in order to be successful you must (1) Know Yourself, (2) Know Your Enemy and (3) Know the Battlefield.

Knowing Yourself is fairly straightforward: you need to understand your current security posture and what threats and vulnerabilities exist.

Knowing Your Battlefield is understanding what you are protecting, as well as the flow of sensitive data and who has access to that data, including third-party organizations that share your data.

Knowing Your Enemy is about understanding the cyber criminal: what they are after, how they think, what motivates them, and their strategy and approach to attacking your business. This is where most organizations are blind; they do not really understand how these groups think and fail to adjust their strategies to account for it.

If you apply traditional military strategy concepts to Information Security, most companies have a defense-only strategy when it comes to their security infrastructure: building walls around the critical assets. If an opposing force is trying to breach the walls, an overwhelming opposing force will eventually breach the defenses. If the opposing force uses additional strategies such as flanking or feints (deception), they can attack known weaknesses in the defenses, or even attack from the inside, and will be successful. I will get more into defensive strategies later. Understanding how these groups think is critical in building an effective security strategy.

Types of Cyber Criminals

Understanding the enemy is the first tool when defending and fighting against them. Cyber criminals are constantly exploring new ways of intrusion, looking for new vulnerabilities to exploit, and trying not to get detected. In many cases the organizations being attacked do not detect the intrusion for months or even years. These criminal individuals and groups have growing expertise as well as advanced tools and technologies at their disposal.

To start we must understand the different types of “Hackers” and their motivations.

1. Script Kiddies are typically young (teenage to mid-20s) individuals who attempt to hack into systems for the challenge or for recognition from their peers. Many of these kids have been using hacking techniques since their pre-teens. Unfortunately, in most cases there is little oversight from parents or guardians to give them context on the ethical and legal impacts of their actions. Since sophisticated hacking and network tools are readily available at little or no cost, it is not surprising that many of these kids graduate to one of the other cyber-criminal categories. I am going to include Cyber Stalking in this group, since it is typically an individual with a grudge against a person, bent on causing personal destruction mainly through social media.

2. Eco and Political Activists are focused on disrupting environmental organizations or businesses they view as opponents to their cause. Typically, their actions are to disrupt operations, deface the website and embarrass the organization.

3. Cyber Criminal Organizations are focused on making money by stealing personal or financial information as well as intellectual property. Recently, the main focus has been holding a company hostage by encrypting all of the business's data and demanding payment in the form of a ransom in exchange for releasing the information. The term for this is Ransomware, and it has grown exponentially over the last year.

4. Nation States are foreign government entities that are looking to steal sensitive information from other governments or intellectual property from businesses. These entities will also conduct denial-of-service attacks and malicious virus attacks to disrupt the operations and elections of another country.

Methods and Targets

Now that we have an understanding of the various types of criminal groups, we need to understand what they are targeting and what methods they are using to gain access and obtain the targeted information.

Brute Force Hacking – the most common attacks involve probing and identifying a vulnerability in an organization's external-facing systems such as websites or portals. Typically, attackers are looking for a known vulnerability that hasn't been addressed or an open port that has not been shut down. Actions resulting from these types of attacks are Malware Injection, SQL Injection, Cross-site Scripting (XSS), Session Hijacking, Man-in-the-Middle Attacks and Credential Reuse. These types of attacks usually play out over months or years, since it may take time to get into the system and then perform detailed reconnaissance to find valuable information without being detected.

Denial of Service Attacks – the main purpose of these attacks is to disrupt operations by overwhelming your external-facing infrastructure to the point where one or more of those systems fail and are no longer available. All four of the cybercriminal profiles above use this type of attack. Typically, we see e-commerce and business-to-consumer businesses as well as hosting and telecom businesses targeted, but any business with an outside-facing website or portal can be attacked this way. Targets also include the big social media companies, traditional media companies, banks, federal and state government sites, and non-profits/charities.

Social Engineering and Phishing Attacks are the most common attacks, since humans are the weakest link in a security program. It is much easier to compromise a user by having them hand over their credentials than to brute-force a mature security infrastructure. Credentials can be obtained simply through a phone conversation or an email. Email phishing is the most common form of exploitation, since users are typically not well trained and naïvely assume that if the email says it is coming from a legitimate organization or person, then the email is legitimate. Once the person opens an attachment or clicks on a link, a number of things can happen.

1. A keylogger can be installed on the user's computer to eventually capture the user's credentials and monitor their activity.

2. Malware can be installed on the user's computer that replicates itself to all connected devices and servers.

3. Ransomware can be loaded onto the user's computer, where it will search out all connected devices and encrypt all data on those devices.

Social engineering is the main vehicle used for fraud against businesses, by compromising email systems and supply chains. These criminals take on the identity of a key executive or a supply chain partner to redirect payments to a foreign bank account they control. According to contacts in the FBI and Secret Service, these activities have increased significantly since most business activity has gone remote due to the pandemic.

Steps to Protect Yourself and Your Company

So how do you protect yourself and your company from these attacks? Here is a set of key steps that, if implemented, can help mitigate or prevent attacks from cyber criminals.

Educate Your Employees

Since more than 90% of all cyber events involve human error, Security Awareness Training is critical. Training employees to recognize phishing attacks and not to open any attachments, or even emails, from anyone they do not know should be at the top of your list. Secondly, implement a two-step process when receiving emails or even phone calls from management requesting a high-dollar Purchase Order or the purchase of a high-dollar item. This can be as simple as requiring a direct call to the individual making the request to confirm the authenticity of the request. This step can significantly reduce the chances of fraud.

Segment Your Networks   

Organizations can limit the exposure of a breach through effective network segmentation. Once inside your network, cyber intruders will perform reconnaissance in order to move “laterally” to other devices connected within that segment. If they do not have authorization to move to another segment, you have effectively contained the exposure. Think of your network like a submarine: it has numerous compartmentalized areas, so that if one compartment is compromised, it does not compromise the whole submarine.

Lock Down Your EndPoints

I am always amazed when I find end-user devices that allow users to install unauthorized software. This is an easy fix and can prevent malicious software from installing payloads such as ransomware.

Privileged Access Management

Implement a process or a Privileged Access Management (PAM) technology to monitor and manage privileged accounts. These are the important accounts cybercriminals focus on finding, because they allow them to move through the network quickly and almost undetected.

Implement Layers of Defenses

Do not rely on one device. At a minimum, Security Layers should include Firewalls, Intrusion Detection/Prevention, Network Access Control, EndPoint Protection/EDR and Adaptive Security/Deception technologies.

Slow Down the Intruders

Once inside your network, malicious software moves laterally in seconds or sub-seconds. Humans cannot respond fast enough to prevent this movement. Implementing Adaptive Security or Deception technology makes it more difficult for the attackers by automatically detecting an intrusion without false positives, slowing down the attack, and making it difficult for the attacker to find other real nodes to jump to. This gives your response team the time needed to respond to the attack and mitigate the damage.

Monitor, Monitor, Monitor

If you are not continuously watching what is coming into and going out of your networks, you have probably already experienced a significant breach and may not even know it. Building out a Security Operations Center and staffing a highly skilled security response team is expensive and can take a long time to implement. Most organizations have gone to, or are considering, contracting with Managed Security Services Providers to provide this function.

Trust But Verify

Vet your third parties and vendors to ensure they are protecting your data according to industry standards or to what is in your contract. If they are connecting to your network, ensure you are monitoring their access through access control and that they are using multi-factor authentication. You cannot assume they are good stewards of your data. “Trust but Verify”.

Constantly Assess your Security, Compliance and Risk Programs

Make sure you are regularly evaluating your Security, Compliance and Risk programs, since the threats, vulnerabilities and risks are dynamic and constantly changing. Point-in-time or annual reviews will give a false sense of security, since each time you add or change a network, application, server or software program you may have introduced a new vulnerability.

Lastly, organizations need to make security part of the company culture, and every employee should understand their role in protecting the organization's digital assets.

For questions regarding these steps please contact me.

Jeff Brown – [email protected]
