You work in the financial department of your company and you just got an email from a C-level executive.
It tells you to pay an invoice of $78,000 before 1 p.m., and includes instructions for how to wire the money to your vendor’s bank.
You send the money, as requested, and it quickly moves to a number of small U.S. banks and then ultimately to an overseas account, where it is unlikely your company—or law enforcement—will be able to recover it.
This is how a hack works.
More specifically, this is how phishing works.
Today there are three levels of phishing, says G. Mark Hardy, CISSP, president, CardKill Inc. and National Security Corp., who has been providing information security expertise to government, military, and commercial clients for more than 30 years. The first level is generic phishing: an email sent indiscriminately, casting a wide net.
The second level of phishing is spear phishing, where the attackers know something about the victim, typically by studying social media such as Facebook or LinkedIn.
“For example,” says Hardy, “The attacker knows your daughter’s high school, and you receive an email saying your daughter is injured, please open this medical form so we can treat her. You open the infected pdf that launches an attack. You immediately get a follow-up email saying the high school has a new employee in the office and we’re sorry for the mistake. The victim thinks the problem went away, but the attacker established a pivot or compromised post inside the perimeter. Now they can move laterally through the network until they compromise something of high value.”
The third level of phishing is whaling, he says, where the attacker goes after a really big target. “The popular form right now is CEO fraud.”
Zack Schuler, founder and CEO of security awareness training company Ninjio LLC, says once a hacker gets a set of credentials for a CEO, “they’re able to make their way into the CEO’s web-based email account like Office 365 or Gmail, and they’ll sit there for months and examine emails and learn about the company. At the right moment the hacker will create an invoice … The most common spear phishing is business email compromise, specifically wire fraud.”
Schuler says a variation of this attack, in which an attacker takes over a real estate escrow agent’s account and tricks a home buyer into wiring a down payment, “is an epidemic right now.”
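The CEO-fraud message in the scenario above carries several signals that a mail gateway or a SOC triage script can score before the money moves: an executive's display name on the wrong address, a look-alike sender domain, a Reply-To that diverts the thread, and wire-transfer language under time pressure. The script below is an added example written for this article, not tooling from Schuler, Hardy or Ninjio; the company domain, the executive list and both messages are constructed.

```python
"""Header and body heuristics for triaging business email compromise (BEC).
Added example for this article, not tooling from Schuler, Hardy or Ninjio.
The company domain, executive list and both messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed inputs for the example: the organisation's own domain and the
# executives whose names a CEO-fraud message would borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan": "pat.morgan@example.com"}

# Wire-fraud language and the time pressure that goes with it.
URGENCY = re.compile(
    r"\b(urgent|asap|today|wire|confidential|before \d{1,2}\s?[ap]\.?m\.?)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_signals(raw: str) -> list[str]:
    """Return the BEC indicators present in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = reply.rpartition("@")[2].lower()
    signals = []

    # 1. Executive's display name on an address that is not the executive's.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        signals.append(f"display-name impersonation of {name} via {addr}")

    # 2. Sender domain one or two edits away from ours.
    if from_dom != COMPANY_DOMAIN and 0 < levenshtein(from_dom, COMPANY_DOMAIN) <= 2:
        signals.append(f"look-alike domain {from_dom}")

    # 3. Reply-To diverts answers away from the From domain, so the real
    #    mailbox owner never sees the thread.
    if reply and reply_dom != from_dom:
        signals.append(f"reply-to diverted to {reply_dom}")

    # 4. Wire request combined with at least one urgency cue.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    hits = {m.group(0).lower() for m in URGENCY.finditer(text)}
    if "wire" in hits and len(hits) >= 2:
        signals.append("wire request with urgency cues: " + ", ".join(sorted(hits)))
    return signals


# Constructed messages: the scenario from the opening of the article, and a
# routine note from the real executive.
SUSPICIOUS = """\
From: Pat Morgan <pat.morgan@examp1e.com>
Reply-To: pat.morgan@mail-relay.example.net
To: accounts@example.com
Subject: Urgent vendor payment

Please wire $78,000 to the vendor account below before 1 p.m. today.
"""

LEGIT = """\
From: Pat Morgan <pat.morgan@example.com>
To: accounts@example.com
Subject: Board deck

Attached is the draft deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in ("suspicious", SUSPICIOUS), ("legit", LEGIT):
        print(label, bec_signals(raw))
```

Note what the heuristics cannot see: in the account-takeover case Schuler describes, the mail really does come from the CEO's mailbox, so the display-name and look-alike checks pass. The Reply-To and urgency checks still fire, which is why the out-of-band callback to the vendor remains the control that matters.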
According to Symantec’s 2016 Internet Security Threat Report, spear-phishing campaigns targeting employees increased 55 percent in 2015, and ransomware increased 35 percent.
Ransomware and Malware
Malware is malicious software used to damage, disrupt, or gain unauthorized access to a system. Hardy says there has been a significant shift in malware toward ransomware. In a ransomware attack, the attacker encrypts an organization’s files or data and demands a ransom, usually paid in bitcoin, in exchange for the decryption key.
“Ransomware is malware that usually requires users cooperating—clicking on a link, downloading a file, opening an attachment or activating macros,” Hardy says. “Ransomware can also be served through legitimate websites using malvertising or malicious advertising; ads that take advantage of Adobe Flash weaknesses, for example.” Or, Hardy says an attacker may create a legitimate ad, serve up a site like Yahoo, “and swap it out at a later time. The host site can’t be checking every second. The attack usually works on an old or unpatched system.”
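Whatever the delivery path (macro, attachment, or malvertising), the encryptor leaves a footprint on disk that can be caught early: a decoy file gets rewritten, plaintext documents turn into ciphertext-like high-entropy blobs, and whole directories are renamed under a new extension. The script below is an added example written for this article, not code from Hardy or the other experts; the scratch directory, file names and the stand-in encryptor are constructed so it runs offline.

```python
"""Detect the file-system footprint of a ransomware run: canary file touched,
files mass-replaced under a new extension, plaintext turned into ciphertext-like
high-entropy data. Added example for this article, not code from Hardy or the
other experts; the temp directory, file names and stand-in encryptor are constructed."""
import math
import os
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits/byte: English text ~4.5, compressed media ~7.9
CANARY = ".canary.txt"    # decoy file that no legitimate process should write


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means uniformly random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def snapshot(root: Path) -> dict[str, float]:
    """Map each file (relative path) to its entropy."""
    return {str(p.relative_to(root)): entropy(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def ransomware_indicators(before: dict[str, float], after: dict[str, float]) -> list[str]:
    """Compare two snapshots and report what an encryptor leaves behind."""
    found = []
    if CANARY in before and (CANARY not in after or after[CANARY] != before[CANARY]):
        found.append("canary file modified or removed")
    gone, new = set(before) - set(after), set(after) - set(before)
    if gone and new:
        exts = sorted({Path(n).suffix for n in new})
        found.append(f"{len(gone)} files replaced; new extensions {exts}")
    # Plaintext that became ciphertext-like, or new files that arrived that way.
    high = [n for n, e in after.items()
            if e > ENTROPY_THRESHOLD and before.get(n, 0.0) < 6.0]
    if high:
        found.append(f"{len(high)} files now high-entropy (ciphertext-like)")
    return found


def simulate_encryptor(root: Path) -> None:
    """Constructed stand-in for the malware: random bytes in, '.locked' suffix on."""
    for p in [p for p in root.rglob("*") if p.is_file()]:
        p.write_bytes(os.urandom(max(1024, p.stat().st_size)))
        p.rename(p.with_name(p.name + ".locked"))


def demo() -> list[str]:
    """Populate a scratch directory, snapshot, 'encrypt', snapshot, compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(5):
            (root / f"report{i}.txt").write_text("Quarterly figures for the board " * 50)
        (root / CANARY).write_text("do not touch")
        before = snapshot(root)
        simulate_encryptor(root)
        return ransomware_indicators(before, snapshot(root))


if __name__ == "__main__":
    for indicator in demo():
        print(indicator)
```

In production the snapshot would be driven by file-system events rather than a full rescan, and the canary alone is enough to trigger isolation of the host; the entropy check is what separates an encryptor from a legitimate bulk rename or a compression job.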
While cybersecurity is a moving target, the experts agree that companies need a combination of hardware and software, as well as security awareness training, to best protect against a hack. In addition, here are some other tips:
- “Central email and web traffic monitoring give you the best bang for the buck; those are where most of the hacks are happening, so [use a] proxy service like Blue Coat,” says Johannes Ullrich, CTO of SANS Internet Storm Center.
- “If you’re going for cloud solutions, two-factor authentication is a must-have,” says Ullrich.
- “If you make a business decision to pay ransom make sure you know in advance how to do it [buy bitcoins],” stresses Hardy.
- Encourage employees to report a potential hack without fear of punishment, adds Hardy. Thank them for reporting, and if the incident is not a hack, explain why. “Now you’ve validated their response, so that employee remains on the frontlines of defense.”
- Make security awareness training easy to understand, and keep it compelling, timely, and brief, says Schuler. “The issue is retention, and the way a hacker hacked a year ago is different than today.”
According to the FBI, “during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.”
Ransomware “is all about money,” says Schuler. “I lock up your computer [files], you pay me in bitcoin, and I’ll unlock it for you. Or, you can [agree to] infect two other people and they will unlock you for free, which is a multilevel pyramid scheme.”
Hardy adds that while the majority of ransomware attacks are simply opportunistic and looking for cash, “Some criminals use ransomware as a cover for exfiltration, stealing files.” The ransomware acts as a distraction, he says. “The company believes the only problem is they’ve been ransomed, but in reality they’re fully compromised. It’s like starting a fight in the lobby of your building while someone empties the cash register.”
For cybercriminals, “the chances of getting caught are low, and getting prosecuted lower. A third of victims or more will pay the ransom,” Hardy says.
While many well-publicized breaches in the past involved personal data, “personal data is no longer of big interest [to cyber attackers],” says Johannes Ullrich, PhD, CTO of SANS Internet Storm Center and SANS senior instructor. “It’s too cheap—every social security number has already been leaked. Some are after credit card numbers, but other schemes are much more about money. It was about stealing data in the past; now it’s about encrypting data and selling it back to the owner. [Data] is still being sold but it’s really more of a lower-end attack.”
Ransomware attacks are expanding more quickly than other types of malware, Hardy says. “Other malware are all still there. But it’s like a health problem where there’s a massive flu epidemic—people will still get the mumps and the measles but a lot more will get the flu. It requires a reprioritization of defenses.”
In terms of ransomware, “The only effective defense is to have a solid backup where there’s no need to pay the ransom, or [the attack] doesn’t get through because you have effective security precautions, you’ve built layered defenses,” says Hardy.
However, says Ullrich, there is ongoing discussion around notification requirements for a ransomware attack. For example, he says, you may have paid the ransom but how do you know the attacker didn’t make a copy of your data? Or, the attacker may still be lurking on your system. “Just quietly paying ransom doesn’t make a compliance problem go away.”
Hardy notes that the U.S. Department of Health and Human Services issued new HIPAA guidance this past summer regarding ransomware and personal health information (PHI). According to the HHS press statement, “The guidance makes clear that a ransomware attack usually results in a ‘breach’ of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a ‘low probability’ that the information was compromised.”
Distributed Denial of Service
Malware and ransomware can also play a role in another type of attack, distributed denial of service (DDoS).
In a DDoS attack, many compromised systems, sometimes hundreds of thousands, each with its own IP address, flood a targeted system with traffic or requests until it can no longer serve legitimate users. The compromised machines are typically coordinated as a botnet, which is what makes the attack distributed: no single source sends enough to block on its own.
Eugene Tawiah, CISSP, a cybersecurity consultant and owner of Complex Technologies Corp., uses this analogy: With a DoS attack, it’s as if “I go to a bank and chain myself to the door. The customers can’t get in, and the bank can’t do service. Or if I’m targeting a lumber company, I chain myself to a tree, so the lumber company won’t be taking any trees down.” With a DDoS, he says, you and your friends “go to all the locations where [the lumber] company is cutting trees, chaining yourselves in many locations and shutting down the business.”
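The difference in Tawiah's analogy is visible in a web server's access log: one chain on one door is a single source sending almost everything, while many chains on many trees is hundreds of sources each sending a little. The script below is an added example written for this article, not tooling from Tawiah; it buckets requests into ten-second windows and labels each window, and the log lines are constructed here rather than captured from a real server.

```python
"""Tell a single-source flood (DoS) from a distributed one (DDoS) in web server
access logs. Added example for this article, not tooling from Tawiah; the log
lines are constructed here, not captured from a real server."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOW_SECONDS = 10
RATE_THRESHOLD = 200     # requests per window beyond what legitimate use produces
SOURCE_THRESHOLD = 50    # distinct sources in one window: treat as distributed


def parse(line: str):
    """Common Log Format -> (ip, timestamp, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path


def classify(lines: list[str]) -> list[tuple[str, str]]:
    """Bucket requests into fixed windows and label each window."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, ts, path = rec
            start = ts.replace(second=ts.second - ts.second % WINDOW_SECONDS, microsecond=0)
            buckets[start].append((ip, path))
    verdicts = []
    for start in sorted(buckets):
        reqs = buckets[start]
        by_ip = Counter(ip for ip, _ in reqs)
        top_ip, top_n = by_ip.most_common(1)[0]
        hot_path, _ = Counter(p for _, p in reqs).most_common(1)[0]
        label = "normal"
        if len(reqs) >= RATE_THRESHOLD:
            # Many sources each sending a little is the botnet signature; one
            # source sending a lot is something you can simply block.
            if len(by_ip) >= SOURCE_THRESHOLD and top_n < 0.1 * len(reqs):
                label = f"DDoS: {len(reqs)} requests from {len(by_ip)} sources, hitting {hot_path}"
            else:
                label = f"DoS: {top_n} of {len(reqs)} requests from {top_ip}, hitting {hot_path}"
        verdicts.append((start.isoformat(), label))
    return verdicts


def make_log() -> list[str]:
    """Constructed log: a quiet window, a single-IP flood, then one request
    from each of 300 bots in the same window."""
    def line(ip, t, path):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S +0000")}] "GET {path} HTTP/1.1" 200 512'
    base = datetime(2016, 11, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [line(f"10.0.0.{i % 5 + 1}", base + timedelta(seconds=i % 10), "/index.html")
             for i in range(20)]
    lines += [line("203.0.113.9", base + timedelta(seconds=10 + i % 10), "/search?q=x")
              for i in range(300)]
    lines += [line(f"198.51.{i // 250}.{i % 250 + 1}", base + timedelta(seconds=20 + i % 10), "/")
              for i in range(300)]
    return lines


if __name__ == "__main__":
    for window, verdict in classify(make_log()):
        print(window, verdict)
```

The thresholds are assumptions for the example and would be tuned to a site's baseline. The label matters operationally: a DoS window can be answered with a block on the one address, whereas a DDoS window needs upstream filtering or a scrubbing service, and, as Tawiah warns below, is a reason to keep watching the rest of the logs rather than only the outage.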
Motivation for DDoS varies. It could be for bragging rights.
“You just did a Google search for some vulnerability in a product, find all the people still vulnerable, download the exploit, and just run it for practice,” says Tawiah. “You verify [the site is] down, then take credit to your buddies.”
Or, he says, it might be a competitor trying to disrupt your business during a busy time, or a hacktivist who is politically or religiously motivated, or a state-sponsored cyberterrorist. “Or maybe they’re just trying to distract you, so while you’re looking right they’re working left; you’re not looking at your logs because you’re too busy trying to get back up.”
Even ransomware is a form of DoS. According to McAfee Labs’ 2017 Threats Predictions, November 2016, “‘Denial of service for ransom’ will become a common attack against cloud service providers and cloud-based organizations. Because one cloud can contain many tenants, there will be increased incentive to mount denial-of-service attacks against cloud service providers.”
What’s the Answer?
Cybercrime will not be halted any time soon, according to industry experts.
In the Forrester Research report Predictions 2017: Cybersecurity Risks Intensify, the predictions include: a Fortune 1000 company will fail because of a cyberattack, healthcare breaches will become as large and common as retail breaches, and more than half a million IoT devices will be compromised.
And according to the Webroot Quarterly Threat Update, Sept. 2016:
Although the number of phishing attacks and overall malware encounters is decreasing, these statistics can be deceiving. Many attacks appear, inflict, and disappear within hours, even minutes, having stolen user credentials, corporate documents, and other sensitive information; launched a ransomware encryption, or found other means to achieve financial gain.
Tawiah notes that many of the publicized hacks “are low-hanging fruit. For those that take security seriously or have security staff, what you see can be easily remediated, like doing sample phishing and probing of staff. Teach them if someone sends something unexpected, call John. With security awareness training you’d reduce phishing. And if you put in a content filter the likelihood of them going to click on a bad link is prevented. Even if they did click a bad link, because you have a content filter in place it won’t let them go there or it will ask, ‘Are you sure?’ And if you still go a manager gets an email, asking, ‘Do you want to allow this?’”
Defense in depth, or layered security, is key, he says. It’s important not to skimp when buying products like security cameras or firewalls—cheaper products may not be built with cybersecurity in mind—and stay up to date on patching.
According to Forrester’s Predictions 2017 report, there will be no “easy” button for security any time soon, and the report advises security executives to focus on skills development, strategic vendor selection, and optimizing their infosecurity programs.
As principal analyst, security and risk, and lead author on the report Amy DeMartine writes, “The new plan has to assume failure, strategize for resilience, and execute based on how detection, prevention, and response work together.”
Identify the cybersecurity risks that have the biggest impact on your firm, and spend time protecting the assets and systems that matter most, says DeMartine.
Ullrich agrees. “Identify the risks. It’s like retail shoplifting; you can’t eliminate it but you want to know the risk and how it changes if you change business behavior.” For example, he says, is it worth the risk putting the bargain bin outside the door, or keeping it inside the store where it can be better monitored?
“Protect the most important things, and know what behaviors are out there and what the technologies are.”