What hackers (now) want

Cybercriminals are a motivated bunch that continually change up their approaches to evade traditional detection-based security.

Rather than continuing the insane circle of identify-and-respond security, it’s time to flip your cyber script and focus on gaining situational awareness of the real risks your organisation actually faces.

Once you know what hackers are after and how they are getting in, you can shift your defenses accordingly. To that end, let’s take a look back on the first half of 2015.

In a new mid-year cybercrime report by SurfWatch Labs, data analysts looked at all of the CyberFacts, or evaluated cyber intelligence, collected from 1 January – 30 June, 2015. A CyberFact consists of an Actor (who conducted the attack), a Target (what information or systems were targeted), an Effect (what the impact of the attack was) and a Practice (what method was used), along with other key metadata and information such as the target industry sector.

The goal of the report was to apply a more practical methodology to data analysis and provide meaningful insights into the top avenues of approach used by cybercriminals in individual industries. In addition to the analysis of the evaluated intelligence, we wanted to provide practical preventative measures that organisations can take to reduce their cyber risk exposure.

First on the overall top 10 trending industry target list is the Anthem health insurance breach. In that breach, announced in February, hackers got away with information on more than 78 million people. Premera Blue Cross and CareFirst Blue Cross Blue Shield are also in the top 10, making the health insurance sector very active overall. While healthcare as a victim is nothing new, these notorious health insurance breaches that rose to the top were about the bad guys stealing personal information. Likewise, the most prevalent industry sector on the top 10 list for the first half of 2015 is government, taking up 5 of the top 10 spots. The Office of Personnel Management breach is number 2 overall and breaches at the IRS, Army, Central Command, White House and NSA round out the 5 government breaches. Again, the cybercriminals were after the personal information held by these organisations.

The top industry targets of the first half of 2015 show an important shift when compared to the second half of 2014, when Point of Sale breaches at Home Depot, Staples, Dairy Queen and others took up 7 of the top 10 slots. In those instances, cybercriminals were going after credit card information, which is very different from the personal information of patients, employees, partners and other individuals associated with the breached organisation.

Why are cybercriminals more interested in personal data today? With this information, cybercriminals can:

  • Generate revenue on the black market via storefront sales
  • Leverage it to propagate identity theft
  • Use it to defeat knowledge-based authentication
  • Deploy social engineering efforts
  • Use it for baiting purposes
  • Defeat help desk authentication

And this kind of information allows cybercriminals to gain a greater fraud footprint, far beyond simply selling credit card numbers on the Dark Web. If your organisation has personal data, it’s time to pay close attention.

Interestingly, 77 per cent of all cyber attacks in the first half of 2015 started at user interaction points with websites, applications, accounts and/or endpoints. While the mid-year report outlines differing avenues of approach for different industries, hackers overall are first targeting users for entry. This is different from the second half of 2014, when POS equipment was the leading avenue of approach. Why the shift?

Since last year, retail vendors have been upgrading their equipment for Chip and PIN, adding tokenization and more, which is creating a harder target for actors to penetrate. This creates a “Fraud Balloon” effect. If you hold a rubber balloon in your hand and squeeze it, the air will shift to the area not under restriction. The same effect occurs in the cybercrime space. As targets begin to harden their environment, the cybercriminals will shift to softer targets to continue their business - and they’ve chosen your users or, in some cases, the users of your partners.

Knowing that the user environment is the most targeted, are your users effectively trained? Have you been proactive in monitoring the user environment? It’s certainly not an easy feat, but it’s critically important to the overall security posture of your organisation.

Adam Meyer is chief security strategist at SurfWatch Labs