Sales and marketing. ROI. Quarterly performance statements. Reports to investors. And, salaries, bonuses, expense accounts, and petty cash for employee birthday parties. It's all part of the day-to-day running of a business – any business, including those in the hacking industry. And a big industry it is: Hacking “companies” can be worth many millions, and a good hacker can earn as much as $80,000 a month – nearly a cool million in a year! - if they've got the skills.
To pay out that kind of money, a hacker “company” needs financial backing – it needs investors who will front the cash to pay experts, who in turn will deliver the goods. You could imagine what a “Bad Guy Hackers Inc.” Board of Directors meeting looks like: “Guys, we got a big contract to get the medical records of the clients of X insurance company. The client wants it done by Y date, and they'll pay us a bonus if we deliver early. The project is going to cost Z dollars, do we have that, or do we have to go out and raise it?”
And so on. When a hacker group decides to take on a job, they look at the costs, the resources, the risks, and anything else a “regular” company would. And like any other organization, hacker “companies” will seek to maximize their profit and minimize their outlay – and they’ll do that by taking the path of least resistance.
For professional hackers, that means, among other things, developing ways to ensure that they can deliver their payload. In order for hackers to do their jobs – whether it’s stealing information from company databases, or inflicting malware on an unsuspecting target – they need to get their code onto the target's computers or servers. What's the best way to do that? Statistics show that phishing messages are the most efficient delivery method for malware. 91 percent of successful malware attacks in recent years arrived via e-mail that was opened by victims, enabling hackers to implant trojans that would later install malware.
Meanwhile, over 30 percent of all phishing messages were opened by targets, despite ongoing educational efforts by companies urging employees to avoid opening “suspicious” messages – meaning that hackers can rely on phishing messages (usually with a “touch” of social engineering provided by Bad Guy Hackers Inc.'s resident psychologist). Those statistics are what makes hacking such a lucrative career path; victims are so compliant in enabling hackers to spread their malware, that it's almost as easy as taking candy from a baby.
Now flip: We've gone over to the victims' side. Knowing what we do about how Bad Guy Hackers Inc. operates, it stands to reason that the number one way to protect ourselves from them is to cut off their access to our inboxes. If phishing and social engineering are so effective in enabling hackers to succeed, ensuring that they cannot reach targets is the best way to stop them.
How, then, should we defend ourselves? There are three basic methods that will prevent poison messages from hitting user inboxes; each has their advantages and disadvantages:
1. Antivirus/Filters: For years, signature-based filters and anti-virus programs have been the standard method of fighting malware. The system is very effective against known malware – but not as effective against zero-day attacks. In the first quarter of 2017, about 30 percent of all malware consisted of zero-day attacks – meaning that while e-mail filters may slow down hackers, it won't stop them. And what professional hacker worth his or her salt would use “off the shelf” code anyway?
2. Sandboxes: More sophisticated than anti-virus programs, sandboxes have the capability of examining messages before they get to users' inboxes, so they could be an effective method of preventing malware from infiltrating systems. If a message checks out, it is allowed to advance to a user's inbox; if not, it's trashed.
Unlike anti-virus programs, sandboxes don't require a signature file to work; if something seems anomalous, the sandbox will keep it out. But often malware comes attached to legitimate messages – and the sandbox, unable to differentiate between the elements of a message, will prevent the entire message from going through. As a result, the flow of work is interrupted. In addition, sandboxes are unable to examine VBA (Visual Basic for Applications) macro malware, often part of Word documents. If a message appears clean, and the attachment is a simple Word file, the sandbox will wave it through – with targets still providing hackers with opportunities to earn their pay.
3. Content Disarm and Reconstruction (CDR): A relatively new technology used by several vendors in the industry, keeps malware away by dissecting incoming messages, files, or links that try to make their way onto a server. Located in a buffer area before the company network, CDR systems examine all incoming files to their lowest data level – and check all files for any known threats. Thus, any malware, zero-day or otherwise, gets “arrested” before it finds its way to a user inbox – cutting off the hacker's “easy pass” entry into the network. Security analyst firms, including Gartner, have suggested that more and more organizations will need to add CDR into their arsenal of tools to protect against the ever-growing threat of cyberattacks as the effectiveness sandboxes once had in stopping hackers in their tracks has long dissipated. Now, highly paid hackers have to work a lot harder for their money – which means that they will probably seek their fortune on some other organization's servers. The next board meeting of Bad Guy Hackers Inc. is probably not going to be a pleasant one.
Itay Glick, CEO and Co-Founder of Votiro
Image Credit: Welcomia / Shutterstock