15. 09. 16
“Cybercriminals to compromise company: business loses $56 million.” Do you find this headline familiar? Such front-page news and analysis of large-scale attacks hit us every day. In this article I don’t want to talk about them. I would rather explain the very common techniques that are often used and what lies behind the word ‘compromise’. Have you ever met Hitchcock’s electronic birds or sirens luring you into a trap?
How is cybercrime possible in this multi-layer security world? Money doesn’t buy everything. In 2015 the global cybersecurity market was valued at over $75 billion and yet not enough to protect many from basic malicious codes. In the modern world, every business gets compromised from time to time. It’s inevitable. No matter if the motivation is competition, an angry user or money-making, the only difference is how much the victims are going to lose.
So here it is, my top 7 attacks, sorted by their strength, which I measure using criteria that include the ability to execute, potential impact, actual harm caused in the real world, and the price/performance ratio.
Source: The Hacker News
#1 Pharming: a Black Widow Spider’s Web
Strength ranking: 3/10
Pharming is intended to redirect a victim to a malicious website which looks identical to the original, legitimate one. There are different ways to redirect people to a fake server, though the most dangerous one, which requires no access to or control of the victim’s machine, uses DNS. The Domain Name System works by translating human-readable names like google.com into an IP address, which your computer then uses to reach the desired target of the communication. A compromised DNS server, or the use of an unauthorized DNS server, is a way you can easily be redirected to a fraudulent version of the internet banking site you use every day, handing your credentials to a criminal instead of finding out how much you spent last night. So why only a 3 out of 10 score? These attacks are more often directed at ordinary people rather than businesses, and the overall harm they cause globally is negligible.
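Two defender-side checks that follow from the paragraph above, written here as an added example rather than code from the original article: flagging a client whose configured resolvers are not on an approved list, and flagging a name whose locally resolved addresses diverge from what a trusted reference resolver returns. The approved resolver list, the resolv.conf text and both answer sets are constructed sample data, not real infrastructure.

```python
import ipaddress

# Constructed sample data (assumption): resolvers the organisation has approved.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed resolv.conf-style content as a client might carry after tampering:
# one approved resolver and one unknown, externally reachable one.
SAMPLE_RESOLV_CONF = """\
# generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.7   # not on the approved list
options timeout:2
"""


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # ignore malformed entries rather than crash
    return servers


def unauthorized_resolvers(resolv_conf: str, approved=APPROVED_RESOLVERS) -> list:
    """Configured resolvers that are not in the approved set (pharming indicator)."""
    return [s for s in parse_nameservers(resolv_conf) if s not in approved]


# Constructed answers (assumption): what the client's resolver returned versus
# what a trusted reference resolver returned for the same names.
LOCAL_ANSWERS = {"bank.example": {"198.51.100.10"}, "mail.example": {"192.0.2.25"}}
REFERENCE_ANSWERS = {"bank.example": {"192.0.2.10", "192.0.2.11"},
                     "mail.example": {"192.0.2.25"}}


def divergent_names(local: dict, reference: dict) -> list:
    """Names whose locally resolved addresses are not a subset of the reference answer."""
    return sorted(name for name, addrs in local.items()
                  if name in reference and not addrs <= reference[name])


if __name__ == "__main__":
    print("unauthorized resolvers:", unauthorized_resolvers(SAMPLE_RESOLV_CONF))
    print("divergent names:", divergent_names(LOCAL_ANSWERS, REFERENCE_ANSWERS))
```

Divergence alone is not proof of pharming, since CDN-fronted names legitimately return different addresses per region; treat a hit as a prompt to investigate the resolver, not as a verdict.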
#2 Botnet: Hitchcock’s Birds
Strength Ranking: 5/10
A botnet is a number of compromised computers, not necessarily located in the same physical area, working as a team while being controlled by what is known as a Command & Control server. A single host alone wouldn't cause much harm; an army of machines and internet-connected "things" can do the job much more efficiently. The more, the better. You never know, the very laptop or cellphone you are now using to read this article might be under someone's control. Botnets are generally used to launch DDoS attacks and to spread spam or different types of malware. However, it’s not only the target of the botnet that experiences its destructive nature: botnets also collect sensitive data from their hosts and deliver it to their master!
#3 Spear Phishing: Sirens luring sailors into a trap
Strength ranking: 6/10
Together with hacking, spear phishing is the ultimate example of a targeted attack. When someone tailors this type of attack, not only are they pursuing a specific result, cyberespionage or financial gain, but they are bypassing the majority of prevention systems by leveraging perhaps the most dangerous loophole: a human. Spear phishing is usually conducted by emailing the victim a message that might say something like: “After upgrading our ERP to the latest version, we need to ask you to go to this link and confirm your admin password. Sincerely, your company’s support team”. And the beast is unleashed...
#4 Zero-day exploits: The Chimera
Strength Ranking: 7/10
Have you ever wondered why applications and operating systems keep asking you that awfully annoying question to confirm an update? Apart from new features, patches also cover human errors in the software code which might be used by hackers as a backdoor into the program, and then potentially into the whole computer. Such attacks are called zero-day because they leave administrators no time to fix the problem: usually they find out only after someone has used it to break in. These threats usually come hidden in simple utilities created overnight that have vast access to core system functions. So it’s worth updating the operating system and all applications, leaving fewer options for the bad guys.
#5 Malware: Sneaky tiger lying in wait
Strength ranking: 8/10
Malware, short for malicious software, comes in different forms. Types that you might have already heard about are trojan horses, viruses, worms, ransomware and spyware. Especially contagious are worms, which replicate themselves and travel autonomously from host to host, unlike their cousins, trojan horses and viruses, which are embedded in or attached to a program that pretends to be an ‘important system update’ or something like “Afobe Flash player”. These types of malware are designed to perform different tasks: opening a backdoor into the system, seeking out information that reveals further system exploits, crashing the system, deleting files, or simply executing pranks.
Do you remember hundreds of popup windows jumping at you with no way to stop them short of turning off the computer? Far more lethal are those that steal sensitive data of a personal or confidential business nature. Sometimes for misuse, sometimes for blackmail, and sometimes to gather the data needed to tailor a targeted attack for cyberespionage.
Source: Yahoo News
Top cyberespionage campaigns are always tailored to the specific intents of the attacker. Let me provide a few examples:
Political - The Guardian reports: “The chair of the Democratic National Committee, Debbie Wasserman Schultz, has announced her resignation on the eve of the party’s convention... She has been forced to step aside after a leak of internal DNC emails showed officials actively favouring Hillary Clinton during the presidential primary and plotting against Clinton’s rival, Bernie Sanders.”
Economic - ESET ACAD/Medre.A report, “10,000s of AutoCAD Designs Leaked in Suspected Industrial Espionage”: “ACAD/Medre.A represents a serious case of possible industrial espionage. Every new design is sent automatically to the operator of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals have access to the designs even before they go into production. They may even have the guts to apply for patents on the product before the inventor has registered it at the patent office.”
#6 Ransomware: A Pack of Hyenas
Strength ranking: 8/10
As mentioned above, ransomware is yet another type of malware. So why does it deserve its own bullet? Because the popularity of ransomware is growing much faster than that of other types of malware. And believe me, it’s a very depressing topic. Almost half of the security engineers in companies I meet every day tell me they are experiencing ransomware in their network. Just the other day one hospital said almost half of their visual documentation (CT scans) had been encrypted by ransomware and the attacker was asking almost $80k for a decryption key. They were lucky the encrypted data was still fresh enough to have been safely backed up. Ransomware restricts access to your data and then blackmails you, asking for money or another type of compensation. I want to make one thing clear, and don’t take me wrong: I highly urge everyone to use anti-X programs to decrease the risk of infection, but no money in the world can buy 100% protection. These programs work from a list of known ‘evil’ code. Antivirus programs get their signature databases updated, usually on a daily basis, but the time needed to discover a new type of malware, describe it and create a new signature for it, which is then distributed to your computer, may vary from hours to months! Until then, you are unaware of what’s going on under your fingertips.
Source: Tech Times
#7 DDoS: A Stampeding Herd of Buffalo
Strength ranking: 9/10
With volume comes power. DDoS is one of the most common attacks due to its simplicity, cost and, mainly, effectiveness. A DDoS, or Distributed Denial of Service attack, strikes out of nowhere and cannot be predicted or prevented. Masses of data, such as simple attempts to establish a connection, often from a network of compromised stations called a botnet, overwhelm a server or, worse, fill up uplinks with the aim of cutting the whole organization off from the internet. With the right supplier of the attack - yes, I call it a supplier, as a DDoS can be ordered from a range of public websites and paid for online with a legal invoice issued - and with a few hundred dollars in the pocket, one can tear down a decent enterprise customer portal for an hour. And what is the average cost of an hour of downtime, you ask? Over $54k! The ever-growing business in DDoS attacks (over 200% since last year) shoots this bad boy up to our first place.
Source: Krebs on Security
Relying on prevention is not enough
Few haven’t heard about Stuxnet, Flame or Duqu, or specific targeted attacks such as the one on Sony Pictures in November 2014. Needless to say, while such cases are headline news for the media, they only represent the tip of the iceberg. What ordinary businesses should be worrying about are the common everyday attacks, which still have the potential to tremendously degrade productivity, reputation and revenue.
Only very important, often national-level organizations are a desired target of these sophisticated attacks. The targets are large enterprises, governments, or whoever possesses important or top-secret information. The techniques used to exfiltrate their sensitive data are a combination of most of those named above: social engineering, traffic tapping/listening, password cracking, zero-day exploits, the use of different types of malware, or even physical hacking.
The Global Risks Report 2016 of the World Economic Forum rates cyberattacks among the top major problems the human race faces, after water crises and large-scale involuntary migration. They also say: “Every future conflict will have a cyber element, and some may be fought entirely in cyberspace."
If there is one thing to remember from this article: do not rely on prevention. For the majority of businesses this is not self-evident. As Gary Newe, F5’s director of systems engineering, said: "Ninety percent of security budget is focused on the network perimeter, but only 25 percent of the attacks are focused on that point in the network." What happens if someone breaches your blocking system? Stay proactive, deploy lean-forward technologies, do not rely on signature-based solutions, and finally and most importantly, make sure you have detection and response capabilities in place.