Mike Tyson has said, “Everybody has a plan until they get punched in the mouth.” When it comes to cybersecurity, he sure had it right. Once the bad guys get into your network and you’re infected and vulnerable, it’s no fun. There are a lot of questions about how attacks go from being threats to breaches, and one of the biggest is how cybercriminals get into the network in the first place. The simplest answer is also the correct one - they go for the low-hanging fruit: humans.
Unfortunately, our biggest corporate asset is also the biggest threat: our employees. They click on malware-infected links that look legitimate. They respond to emails that have been highly personalised to convince them the sender is a trusted source. And they follow through on requests from what they think is their senior management without asking “why” because they are diligent and want to do what the boss asks. It’s not unexpected – our employees are humans and make human mistakes. That’s why cybercriminals prey on them with sophisticated social engineering schemes that include both ransomware and phishing attacks.
It’s because social engineering tactics work that cybercriminals continue to use them. When you add in automation tactics like phishing bots and the intelligent scraping of social media to create hyper-personalised attacks, it makes it even harder to detect an attack. Let’s take a look at six trends I expect throughout 2018 so you can educate your team and help them stay safe.
1. Ransomware will continue to plague organisations, especially the “As-a-Service” strains
We heard a lot about ransomware – that fast-spreading attack vector that locks up your data until you pay a ransom – throughout 2017. It was literally everywhere – Petya and WannaCry ran rampant across the UK (and the world), seizing corporate assets and causing long-term financial damage for their victims. The long and short of it is that ransomware isn’t going anywhere and will continue to be a force to be reckoned with in 2018. There will be exponential growth, and we’ll see a rise in ransomware that exfiltrates data, widening the exposure an organisation faces. Ransomware-as-a-Service will continue to grow and be a significant source of attacks next year, while also providing a new class of hackers an easy way to get into the game.
While ransomware isn’t going anywhere, its deployment tactics and targets will change. We’ll see more custom-made ransomware attacks that focus on high-value targets such as hospitals, which will pay higher ransoms to literally save patient lives. Point-of-sale systems will be new targets, as stopping cash from coming in the door creates a motivated payer. And ransomware, which has relied heavily on email as its delivery mechanism (and always will), will evolve to find new ways to get into your network. These methods might include “smishing” (SMS text) or “vishing” (voice).
2. Hybrid pseudo-ransomware attacks will distract organisations
What if your team is proficient at spotting an attempted ransomware breach? They could still be fooled. We’re finding that more multi-vector breaches are taking place at the same time, using familiar tactics like phishing or ransomware in order to confuse or distract a workforce. It goes like this: a phishing email comes in that looks like ransomware and acts like ransomware. While your IT and network teams are working to identify and prevent the ransomware attack, the bad guys launch a different attack in the background, effectively using the fake ransomware attack as a distraction. We’ll see more “smishing” and “vishing” techniques being deployed in tandem with another type of threat.
3. Extortion scams will run for the long-term
Extortion such as ransomware isn’t new, and victims generally experience a quick end to the problem. But criminals continue to get smarter about the content they gain access to and the long-term benefit it can have for them.
Consider this: a ransomware attack hits and demands nude photos as payment. It’s not tough to imagine that the bad guy would have the victim on the hook for a long time with a payment like that. A circumstance in which the attacker has long-term leverage over the victim creates a blackmail situation. In a corporate environment this can consist of having to give up your customer database or customer credentials to get your data back, meaning both your data and your customers’ data would be exposed. Some organisations are more likely to be targeted with an extortion scheme; legal and accounting-related organisations are prime targets because they have both a legal and a regulatory obligation to protect data.
4. Search results tampering will drive users to compromised sites
Every user in your organisation is using search engines to access information. It’s part of the day-to-day of running a business. It’s also exposing your employees to compromised websites.
Search result tampering – the process of producing search results that drop users onto a website that has been compromised with an exploit kit – isn’t new, but it will gain momentum over the coming year. Bad guys access data that lets them create a page using black-hat SEO techniques. The pages they create are then ranked very high on Google and other search engines. When a user clicks what they think is a safe link, malware infects their machine and sends them to a bogus site with a fully loaded criminal call centre.
5. Mobile malware will lead to account takeovers
No matter where you go, one thing is consistent – hordes of people using their smartphones at any and all times. This mobile phenomenon is going to make 2018 a banner year for hacking smartphones, especially for the 25 per cent of users who conduct online banking via their mobile devices. Cybercriminals will use both previously successful and new malware families to steal users’ banking credentials in many creative ways.
6. Blame-ware and “false flag” operations will increase
In October of this year, EU member states drafted a diplomatic document saying, in essence, that serious cyber-attacks by a foreign country could be interpreted as an act of war. It’s a step intended to deter provocations from nation-states since the response to a cyber-attack could result in conventional warfare. An unintended outcome, however, will be the rise of more false flag operations, or more cyber propaganda operations. By falsely pointing the finger of an attack at a nation-state entity, cyber criminals can do serious harm: spark conflict, undermine democracy, and destabilise trust globally. We expect that false flag operations will reach fever pitch around election times.
What we know is that the industry that hackers have created isn’t going anywhere. It’s easier than ever to run a ransomware campaign thanks to Ransomware-as-a-Service operations, and the vast amounts of personal data available via social media and previous successful breaches (such as Equifax) mean that social engineering programs are more personalised and more likely to be successful.
The big takeaway here is nothing new: attacks aren’t going to stop. What we can and should do is change how we protect ourselves and our organisations.
Ensuring you have a layered security approach in place is imperative.
· First and foremost, train your employees. New-school security awareness training exists that’s effective, affordable and very good at teaching your team to recognise social engineering campaigns via email and other channels.
· Prevent CEO fraud by looking at your internal security Policies & Procedures – specifically those related to financial transactions – and ensure users involved in those transactions know what the policy entails. Anything outside of it needs to be questioned.
· Make sure your email and web gateways are secure and include URL filtering (and that they are tuned properly).
· Your endpoints have to be religiously patched (including the OS and third-party apps), and they also have to have next-generation, frequently updated security layers.
· From there you have to ensure that employees who handle sensitive information are using two-factor authentication, and you have to check your firewall configuration to make sure no criminal network traffic is allowed out to command and control servers.
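The firewall check in the last bullet is the kind of thing that can be verified against the firewall’s own logs rather than by reading rules. The following is an added example, not code from the article or from KnowBe4: a small Python audit that reads constructed firewall flow-log lines and flags every accepted outbound connection that violates an assumed egress policy (workstations reach the web only through a proxy, and send DNS only to internal resolvers). The address ranges, proxy and resolver addresses, ports and log format are all assumptions made for the example.

```python
"""Egress policy audit over constructed firewall flow logs (added example).

Policy assumed for the example (not from the article):
  * workstations may reach the internet only via the web proxy,
  * DNS may only go to the internal resolvers (which forward on their own),
  * anything else accepted from an internal host to the internet is a gap
    in the firewall rules and is reported.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical network layout: assumptions for the example, not values from the article.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
WEB_PROXY = ipaddress.ip_address("10.0.0.8")       # the only sanctioned path to the web
PROXY_WEB_PORTS = {80, 443}                        # ports the proxy itself may use outbound
INTERNAL_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}


@dataclass(frozen=True)
class Flow:
    action: str            # ACCEPT or DROP, as logged by the firewall
    proto: str             # tcp or udp
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed format:
    '<timestamp> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>'"""
    _ts, action, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(action, proto.lower(), ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dport))


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def egress_violation(flow: Flow) -> Optional[str]:
    """Return why an accepted flow breaks the egress policy, or None if it is fine."""
    if flow.action != "ACCEPT":
        return None                       # the firewall already blocked it
    if not is_internal(flow.src) or is_internal(flow.dst):
        return None                       # not an internal-to-internet flow
    if flow.src == WEB_PROXY and flow.dport in PROXY_WEB_PORTS:
        return None                       # proxy fetching on behalf of users
    if flow.src in INTERNAL_RESOLVERS and flow.dport == 53:
        return None                       # resolvers forwarding upstream
    if flow.dport == 53:
        return "DNS sent to an external resolver instead of the internal resolvers"
    return "direct connection to the internet bypassing the web proxy"


def audit(log_lines) -> list[tuple[str, str, str]]:
    """Return (source, destination:port, reason) for every violating flow."""
    findings = []
    for line in log_lines:
        flow = parse_flow(line)
        reason = egress_violation(flow)
        if reason:
            findings.append((str(flow.src), f"{flow.dst}:{flow.dport}", reason))
    return findings


# Constructed sample log; external addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOW_LOG = [
    "2018-01-15T09:00:01Z ACCEPT tcp 10.0.5.21:51234 -> 10.0.0.8:3128",     # workstation to proxy
    "2018-01-15T09:00:02Z ACCEPT tcp 10.0.0.8:44010 -> 203.0.113.10:443",   # proxy to the web
    "2018-01-15T09:00:03Z ACCEPT udp 10.0.5.21:40001 -> 10.0.0.53:53",      # DNS to internal resolver
    "2018-01-15T09:00:04Z ACCEPT udp 10.0.0.53:53000 -> 198.51.100.53:53",  # resolver forwarding
    "2018-01-15T09:00:05Z ACCEPT tcp 10.0.5.22:51300 -> 203.0.113.77:443",  # bypasses the proxy
    "2018-01-15T09:00:06Z ACCEPT udp 10.0.5.22:40500 -> 198.51.100.1:53",   # external DNS
    "2018-01-15T09:00:07Z DROP tcp 10.0.5.23:51900 -> 198.51.100.7:4444",   # blocked as intended
    "2018-01-15T09:00:08Z ACCEPT tcp 10.0.5.21:51400 -> 10.0.20.5:445",     # internal, not egress
]

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOW_LOG):
        print(f"{src} -> {dst}: {reason}")
```

Running it over the sample log reports only the two flows from 10.0.5.22: one straight to the internet on 443 and one to an external DNS server. Both point at an outbound rule that is looser than the policy intends; the dropped flow and the traffic that goes through the proxy and the internal resolvers are left alone. In a real environment the same check can run over the previous day’s accepted-outbound log export.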
These steps are not a fail-safe, but they are good steps toward protecting your organisation and your users. Put them in place now and keep up with them throughout the entire year to keep social engineering and ransomware threats from becoming successful attacks.
Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4