The Colonial Pipeline incident in May 2021 illustrates just how disruptive a successful ransomware attack can be. Even though the ransom, the equivalent of approximately $5m in Bitcoin, was paid, fuel supplies to many schools, medical centers and communities were severely disrupted before operations could be restored.
Sadly, ransomware is just the end of the attack chain; the initial foothold is usually gained much earlier, and usually through a person. According to the Verizon 2021 Data Breach Investigations Report, 85% of breaches involve a human element, such as phishing. Yet too many people still view phishing as an exclusively email issue. Attackers have moved beyond email to embrace smishing (SMS), vishing (voice calls) and social networking sites to exploit the weakest link in the cybersecurity chain: the human operator.
Given the rapid convergence of employees' work and personal lives during the COVID-19 pandemic, LinkedIn has become an especially attractive infection vector. It is easy to create a fake profile and target people by job title and employer. Such is its appeal that nation-state actors use LinkedIn and other social networks to propagate attacks. This was the case earlier in 2021 when Google disclosed a large-scale campaign attributed to North Korea that used fake blogs, email accounts and fake social media profiles to trick its victims.
Countless Attack Paths
Phishing has also spread into ads, search results, browser extensions and chat apps. The payloads include rogue browsers, scareware, fake virus alerts, banking fraud and more, and HTML phishing pages can be delivered straight into browsers and apps without ever passing through an email gateway. Essentially, phishing can bypass traditional, email-centric defenses with a success rate of more than 80%.
Attackers have also used legitimate infrastructure such as Google, Dropbox or SharePoint to host phishing pages. Because organizations typically allow-list these services, a phishing page hosted on them sails past URL and domain reputation filters, and the padlock and the familiar domain reassure the victim.
People erroneously assume that if a domain looks legitimate, the site can be trusted and is safe to access. A lookalike domain, a brand name tucked into the subdomain of an attacker-controlled host, or a genuine file-sharing domain serving attacker-uploaded content all pass that test. Unfortunately, most security training focuses on helping users identify phishing emails and neglects to teach employees what to watch for on other channels such as text messages, phone calls and social networking sites.
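To make that point concrete, the following is an added example (not code from the original article or any product it describes) of the kind of link triage a defender can run over URLs pulled from any channel, whether an email, an SMS, a chat message or a LinkedIn connection request. It flags homoglyph and typosquat lookalikes of a small brand list, brand names tucked into the subdomain of some other registered domain, and links to legitimate file-sharing hosts where the domain proves nothing about the content. The brand list, the shared-host list, the suffix list, the confusable-character table and the sample URLs are all constructed for illustration and deliberately tiny; a production version would use the public suffix list and the Unicode confusables data.

```python
"""Link triage for URLs harvested from email, SMS, chat or social messages.
Added illustration, not the article's own tooling: BRANDS, SHARED_HOSTS,
MULTI_PART_SUFFIXES, CONFUSABLES and SAMPLE_URLS are constructed examples."""
import unicodedata
from urllib.parse import urlparse

BRANDS = ("microsoft", "paypal", "linkedin", "dropbox", "google", "apple")
BRAND_DOMAINS = {b + ".com" for b in BRANDS}
# Anyone can publish on these, so a valid domain says nothing about the page.
SHARED_HOSTS = {"sharepoint.com", "dropbox.com", "google.com"}
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}  # toy public-suffix list
# Characters that render like ASCII letters: Cyrillic, dotless i, digits, pipe.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
               "і": "i", "ј": "j", "ѕ": "s", "ӏ": "l", "ԁ": "d", "ı": "i",
               "0": "o", "1": "l", "|": "l"}

def skeleton(label: str) -> str:
    """Reduce a DNS label to the ASCII string a human would read it as."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in (("rn", "m"), ("vv", "w")):  # two-letter lookalikes
        s = s.replace(seq, rep)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches most typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def extract_host(url: str) -> str:
    """Lower-cased host with punycode labels decoded back to Unicode."""
    if "://" not in url:
        url = "http://" + url  # SMS and chat links often omit the scheme
    host = (urlparse(url).hostname or "").rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: judge the raw host instead
    return host

def registered_domain(host: str) -> str:
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def triage_url(url: str) -> dict:
    """Host, registered domain and findings. Empty findings means the registered
    domain is exactly one of our brands; anything else needs a closer look."""
    host = extract_host(url)
    reg = registered_domain(host)
    findings = []
    if reg in SHARED_HOSTS:
        findings.append("shared_hosting")  # legitimate host, untrusted content
    if reg in BRAND_DOMAINS:
        return {"host": host, "registered_domain": reg, "findings": findings}
    label = reg.split(".")[0]
    if not label.isascii():
        findings.append("non_ascii_label")
    sk = skeleton(label)
    for brand in BRANDS:
        if sk == brand:
            findings.append(f"homoglyph_of:{brand}")
        elif edit_distance(sk, brand) == 1:
            findings.append(f"lookalike_of:{brand}")
    # microsoft.com.secure-login.example: brand in the subdomain, attacker owns the rest
    sub = host[: len(host) - len(reg)].rstrip(".")
    for brand in BRANDS:
        if any(brand in skeleton(l) for l in sub.split(".") if l):
            findings.append(f"brand_in_subdomain:{brand}")
    return {"host": host, "registered_domain": reg, "findings": findings}

# Constructed sample links, the sort of thing pulled out of a message body.
SAMPLE_URLS = [
    "https://login.microsoft.com/",
    "https://pаypal.com/login",                 # Cyrillic "а"
    "https://xn--80ak6aa92e.com/",              # punycode of the Cyrillic "apple" demo
    "https://micros0ft.com/reset",
    "paypall.com/verify",
    "https://microsoft.com.secure-login.example/",
    "https://acme.sharepoint.com/sites/hr/Payroll.pdf",
    "https://docs.google.com/forms/d/abc",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = triage_url(u)
        print(f"{u:48} {r['registered_domain']:28} {r['findings']}")
```

The design choice worth noting is that a finding of `shared_hosting` is not an error condition: the SharePoint or Google Docs domain really is legitimate, which is exactly why allow-listing by domain does not protect anyone. Such links have to be judged on their content, in a sandbox or by a person, rather than on their host name.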
Trust No One
With many organizations still relying on traditional anti-virus and perimeter firewall defenses, successful phishing has become easy. Teaching users about the threats, and not to trust anything regardless of its apparent source, is part of the solution. Even then, we are only human, and the risk of a breach increases daily.
Training employees to recognize malware delivered through phishing or other means therefore remains essential, but it is not a silver bullet and must be done continuously as new threats emerge.
Bad actors have more tools available to them than ever, and they can easily combine those tools with automation and legitimate cloud infrastructure to spin up attacks inside Azure, Google Cloud or AWS in minutes. Correlated with personal and behavioral data bought on the dark web, these campaigns can be tightly targeted at specific individuals.
The best way to combat this is to fight machines with machines. The human resources and hours required to defend against automated attacks by hand are virtually impossible to muster, and attacks move too fast for manual forensics to catch and block them.
Follow Best Practices
Best practice begins with ensuring the organization has up-to-date host-based firewalls and other protections, such as endpoint security products, in place. This is especially important in a distributed working environment where people use their personal devices. It is equally imperative to keep operating systems and applications patched and current on all computers and devices.
An anti-phishing solution that covers every channel through which people are targeted, not just email, becomes fundamental to a modern defensive posture. Performing the analysis on the device itself, rather than shipping browsing data back to the organizational network, protects users' privacy regarding their personal activity and adds a further safeguard by keeping potentially malicious content out of the company environment.
As mentioned, regular user training about cybersecurity is critical, especially when new attack methods are being discovered so frequently. Employees also need to understand their personal risk as well as the risk to the organization.
Finally, if a cybersecurity event is detected, teams should work together quickly and thoroughly to understand the breadth and depth of the impact and begin recovery. Communication is key: partners, regulators, customers, investors and other stakeholders must be told as soon as a breach has been identified and what the recovery plan entails. There is nothing to be gained by keeping a security event quiet. Once the threat is isolated and the business has recovered its data and assets, it must use the lessons learned to update policies and procedures so that it is better prepared next time.