Cyberthreats continue to grow in scope and scale. Regardless of its size or industry, any organization faces the risk of a data breach or another security incident. In addition, the ongoing digitization of business processes, the explosion of big data, and the interconnected nature of business itself open up even more opportunities for cybercriminals.
The threat landscape always evolves, but some threats don't seem to abate. Here are the top three cybersecurity challenges that continue to impact every organization, as well as strategies for how to improve your security and enhance your ability to fight back.
Cybersecurity Threat Number 1: Ransomware
Ransomware attacks remain perhaps the strongest and most malicious of the cyberthreat trifecta.
A Brief History of Ransomware
Ransomware got its start in 1986 when two brothers, Basit and Amjad Farooq Alvi, created a special "ransom" message tied to software that instructed users to call them if they saw the warning. The goal at the time was to prevent piracy. However, hackers transformed the tactic into a devastating form of malware.
The first known case of malicious ransomware was disseminated in 1989 via floppy disks labeled "AIDS Information Introductory Diskette." The ransomware, called PC Cyborg/AIDS, would encrypt the C drive after you inserted the disk into the floppy drive. The victim was then prompted to send $189 to a post office box in Panama. Upon receipt of payment, the attackers would send an email instructing the person how to decrypt the files.
The same sort of trickery is used to spread ransomware today.
In a recent ransomware campaign, for instance, employees at targeted companies received phishing emails "confirming" a payroll deduction, with a link to a statement. The link redirected to a malicious Google doc with an executable file. This gave the attackers an initial foothold and the ability to move laterally through the system. This enabled them to eventually launch ransomware attacks.
Other strains of malware are embedded in malvertising, masquerade as browser updates, or exploit vulnerable remote desktop protocols. Some strains use macros, which automate certain functions in productivity software like Microsoft Word or Excel. An unsuspecting user may download a seemingly harmless document, run the macro, and then fall victim to an attack.
Why Ransomware Is a Prolific Threat
The conniving manner in which ransomware is disseminated—click-bait links and download schemes that infect machines—is by itself problematic, but what makes it worse is that there are few remedies once an infection has occurred.
Victims have three options:
- Pay the ransom—typically via cryptocurrency.
- Restore a backup—assuming they have one, and it's actually air-gapped from the network.
- Forfeit files forever.
For many people, especially in a bring-your-own-device (BYOD) environment, some of these files may even be personal documents or family photo albums. That means that ransomware can also impact employees mentally and emotionally.
Not to mention, there's very little honor among thieves. Paying a ransom won't necessarily ensure the safety of your files.
The newest ransomware variants are designed to also steal data. Some research shows that data exfiltration takes place in as many as half of ransomware attacks. This new capability has led to a new tactic, double extortion, in an effort to compel victims to pay up. Essentially, this means that not only will bad actors lock your data, but they will also threaten to release it to the outside world if the ransom isn’t paid. Cybersecurity researchers saw a spike in 2020 in double extortion, which has now been adopted by several cybercriminal rings.
Ransomware schemes continue to succeed every year, costing victims more than $123 million in 2020 alone, according to estimates in the IBM Security X-Force Threat Intelligence Index. According to X-Force, ransomware was the most popular type of attack in 2020.
One travel agency recently paid extortionists $4.5 million to have its files restored and stolen files deleted. This kind of payout may be on the higher end of the scale, but ransomware is among the most expensive threats to organizations.
The global average for a ransomware payout in 2020 was $761,106 and even higher (nearly $1 million) for U.S. companies with 1,000 or more employees. Other reports paint an even bleaker picture. For example, the annual 2020 Ponemon/IBM cost of data breach report estimates the average cost of ransomware attacks is $4.44 million, which tops the $3.86 million average cost of data breaches overall.
Even organizations able to avoid payments experience major disruption. Last year, ransomware crippled hospital operations (reducing healthcare workers to paper and pens), halted classroom instruction for schools, and was such a huge threat to both the public and private sectors that the Cybersecurity and Infrastructure Security Agency (CISA) launched an education campaign in early 2021 to help organizations reduce their risk.
How to Defend Against Ransomware
Despite its multiple attack vectors, the speed at which it can deploy, and the fact that employees typically wait too long before contacting IT, ransomware has an Achilles' heel.
"If you know what you're looking for, ransomware is very easy to spot as it comes into your organization," says Sam McLane, Chief Technical Services Officer at Arctic Wolf. "It will phone home and say, 'Hey, I need an encryption package' or, 'I need my security keys so we can unlock the data.' Those callouts are detectable if you're looking."
So, while ransomware is undoubtedly one of the top cybersecurity challenges organizations face and is so severe it could destroy your business, with the right security solution in place to detect ransomware early and respond to it immediately, you stand more than a fighting chance against this cyberthreat.
As McLane notes, ransomware can be easy to detect if you know what to look for—but you can also take steps to prevent it from entering your organization in the first place.
Here are some best practices to implement:
- Conduct regular vulnerability scans to minimize your attack surface. This is especially important for all of your internet-facing devices and systems.
- Do due diligence to ensure devices have the proper configurations, close unnecessary open ports, disable weak protocols, and use other security features that minimize the number of entry points.
- Patch and update all your software and devices regularly, which will prevent attackers from exploiting security weaknesses.
- Consider an intrusion detection system or other security tools that detect command-and-control activities.
- Educate your users about phishing, social engineering, and other security practices that help defend against ransomware and other threats.
Cybersecurity Threat Number 2: Phishing
Encryption malware is one of the nastiest, most effective cyberattacks in circulation. And yet, ransomware's rise to infamy would have been all but impossible without the help of a very different kind of cyberthreat: phishing.
Banking on Current World Events
Social engineering is any tactic that strives to manipulate individuals into divulging authentication credentials, sensitive information, funds, and other valuable items. Phishing is a form of social engineering that occurs online, typically via email, and usually with the intent of stealing login credentials or getting a user to download malware or share sensitive information.
Phishing campaigns frequently take advantage of current events to lure potential victims. Last year, the COVID-19 pandemic presented many opportunities for cybercriminals. In one campaign, for example, bad actors sent phishing emails with fake offers of masks and other personal protective equipment. They used AgentTesla malware, a Trojan that steals data. They also targeted executives at Fortune 500 companies, among others.
One noteworthy aspect of this campaign is that cybercriminals changed their tactics, techniques, and procedures every 10 days to avoid detection.
In many cases, phishing is only the first stage of an attack. In one recent incident, a phishing email sent to a county employee in North Carolina contained a malicious attachment that enabled a ransomware attack. Although the county refused to pay the $2.4 million ransom, just one phishing click resulted in major disruption to operations, including access to email, phone, internet, and other systems.
Phishing Victims Pay Dearly
Phishing is the most prolific type of targeted attack and the costs to victims are severe. One phishing variant is business email compromise (BEC), a costly scheme that continues to plague businesses of all sizes. While BEC schemes have been used to steal sensitive data such as employee records, typically the fraudsters target high-level executives to get them to approve fake wire transfer requests.
In 2020, the average wire transfer amount during the fourth quarter was $75,000, up from $48,000 in Q3, according to data from the Anti-Phishing Working Group (APWG). The report also found that phishing activity, in general, grew throughout the year.
The latest available FBI data shows that the agency received complaints about losses totaling $1.7 billion in 2019 alone. But what's most extraordinary is that those losses accounted for about half of the $3.5 billion total that victims lost that year to internet crimes.
Cybercriminals continue to innovate. The latest BEC scams take advantage of Microsoft Outlook's "out of office" autoresponders or read-receipts to subvert email filtering tools.
stat via: csoonline.com
Phishing schemes have advanced to an extraordinary level of sophistication that blindsides even the most vigilant, tech-savvy individuals. And the corporations getting sucked into these schemes aren't run by a bunch of out-of-touch Luddites. The victims are intelligent, often high-level employees who are just trying to do their jobs.
Consider how the following scams function:
In recent campaigns, links to different malware variants were sent via emails masquerading as typical corporate communication, from contracts and HR terminations to complaints. Many emails were highly personalized, with the victim's name and other details. After a machine was compromised, another payload delivered ransomware.
Messaging apps are also a favorite for cybercriminals. In one recent attack with the goal of stealing login credentials, at least 50,000 employees received an email notification saying they missed a chat from Microsoft Teams. The threat actors were clearly taking advantage of the scores of people who've had to work remotely due to the pandemic.
Macro-based malware hides within macros inside Word documents or Excel spreadsheets that are sent via email. Once the user enables the macro to run, the machine is infected with any of a variety of malware strains. This scam is especially problematic for financial institutions.
The above are only a few of the clever schemes hackers use to wreak havoc on businesses and individual users alike. Getting ensnared by one of them isn't necessarily the result of carelessness or unsavory internet behavior. That’s why organizations must take proactive steps to fight these threats.
How to Defend Against Phishing Attacks
To counteract phishing attempts, organizations must have a methodology in place to detect phishing scams early. For example, is an unusual program trying to execute on a network computer? Can an email message that appears to be sent from a higher up be traceable to a suspect IP address or one that's in a foreign country? Has one of your users logged in recently from strange locations or on multiple machines at once?
Being able to spot these and other signals of phishing requires strong threat detection in your company's network. It might not keep you from falling prey to phishing scams altogether, but it will substantially curtail the potential for loss. A good place to start, says McLane, is teaching users how to spot potential threats. This might not prevent sophisticated phishing attacks, but it will nip a considerable number in the bud. An ongoing program should not only educate employees about recognizing and avoiding phishing, but also promote other secure behaviors.
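One way to turn the sign-in signals above (an account used from several machines at once, or from an unfamiliar location) into detection logic, as an added example that is not from the article or from Arctic Wolf; the log format, account names and per-user country baselines are constructed assumptions:

```python
"""Added example (not from the article): flag concurrent multi-host
sign-ins and sign-ins from unfamiliar countries over constructed
authentication log lines. Log format and baselines are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> user=<name> host=<machine> country=<CC>"
SAMPLE_LOG = """\
2021-03-02T08:01:10 user=alice host=LT-ALICE country=US
2021-03-02T08:03:42 user=alice host=LT-ALICE country=US
2021-03-02T08:05:05 user=alice host=WS-FIN07 country=US
2021-03-02T08:06:30 user=alice host=VPN-GW country=RU
2021-03-02T09:15:00 user=bob host=LT-BOB country=US
2021-03-02T13:40:12 user=bob host=LT-BOB country=US
"""

# Assumed per-user baseline: countries each account normally signs in from.
BASELINE = {"alice": {"US"}, "bob": {"US", "CA"}}


def parse_line(line):
    """Turn one log line into (time, user, host, country)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["host"], kv["country"]


def find_login_anomalies(log_text, baseline, window=timedelta(minutes=10), max_hosts=1):
    """Return a list of (user, reason) findings.

    'unfamiliar-country': a sign-in from a country outside the user's baseline.
    'multiple-hosts': one account signed in from more than max_hosts distinct
    machines inside a sliding time window (the "multiple machines at once" signal).
    """
    events = sorted(parse_line(line) for line in log_text.splitlines() if line.strip())
    per_user = defaultdict(list)
    for ts, user, host, country in events:
        per_user[user].append((ts, host, country))

    findings = []
    for user, rows in per_user.items():
        known = baseline.get(user, set())
        for ts, host, country in rows:
            if country not in known:
                findings.append((user, f"unfamiliar-country:{country}@{host}"))
        # Sliding window over this user's sign-ins (rows are time-sorted).
        for i, (ts, _, _) in enumerate(rows):
            hosts = {h for t, h, _ in rows[i:] if t - ts <= window}
            if len(hosts) > max_hosts:
                findings.append((user, "multiple-hosts:" + ",".join(sorted(hosts))))
                break  # one finding per user is enough to raise a ticket
    return findings
```

In practice the baseline would come from each account's own sign-in history rather than a hard-coded table, and the window and host threshold tuned to how shared workstations and VPN gateways appear in your logs.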
There are several other things you can do:
- Add mock phishing campaigns to your training program. In addition to creating awareness, conducting periodic real-world simulation exercises enables you to measure how well your program works.
- Adopt multifactor authentication and other identity and access management tools. This will limit the attackers' access in the event of compromised credentials.
- Use technology that filters email, blocks access to known malicious sites, detects viruses and malware, and works in other ways to thwart an attack.
Cybersecurity Threat Number 3: Data Breaches
Data breaches are somewhat unique in that the damage they cause to an organization isn’t as immediate. Rather, they operate in a more insidious manner, and they don't always have a concrete beginning, middle, or end.
Data Compromised Anywhere Can Come Back to Haunt You
Organizations may not detect a data breach for weeks, months, and in some cases years. By the time they do it's already too late because the data is likely on the dark web. And data breaches at one company can affect numerous unrelated organizations for years to come.
Consider last spring's example of the massive unemployment fraud scheme by a Nigerian crime ring. The fraudsters used stolen identities—probably found on the dark web from past data breaches—to file unemployment claims estimated to total $36 billion across the United States.
One of the earliest victims, Washington state, paid out $600 million in 122,000 known fraudulent claims (eventually recovering $351 million). Later, the state itself became the victim of a data breach after the state auditor's office investigated the unemployment fraud scheme. The security breach of a vendor Washington state used to transfer files in this investigation exposed the personally identifiable information (PII) of an estimated 1.6 million state residents who filed for unemployment claims last year. Now, the state will also pay for credit monitoring for those residents, not to mention other mitigation costs.
Washington's double-whammy case may be a bit unusual, but it shows that while ransomware and phishing scams are the most prolific and expensive, data breaches are the most silent and unpredictable. As the Nigerian unemployment scam proved, the long-term damage of a data breach goes far beyond immediate data loss and is not even limited to the organization that was originally breached.
The chief reason data breaches can cause so much long-term damage is that once a person's identity is compromised, guarding against fraud becomes very difficult. For instance, if an organization has its human resources department breached, resulting in thousands of compromised Social Security numbers, names, addresses, and contact information, these individuals could be at risk of having to deal with their PII floating around the dark web for many years to come.
As for the organization that experienced the breach, they may be responsible for identity protection, which is expensive, on top of mitigating any immediate effects associated with the incident.
The Difficulty of Detecting Breaches
Many high-profile breaches in the past few years were not one-and-done deals. It's not quite as simple as movies would have you believe, with hackers punching in some code, saying "we're in," punching in more code, and then having everything they need in a matter of minutes.
More often than not, cybercriminals live in the network that they compromise for quite some time, siphoning information when they think no one is looking, or conducting other activities to gain deeper access.
The unprecedented SolarWinds supply chain attack, which impacted numerous companies, including U.S. government agencies and large security vendors, is a case in point. Though technically no data was leaked, this breach had wide-reaching implications.
The hackers prowled inside SolarWinds' Microsoft Outlook email system for at least nine months, compromising at least one account by December 2019. But preparations began even earlier: the registration of a domain associated with the attack dates back to August 2019.
Even in cases of overt data theft where information is stolen over time, an organization will rarely catch the event the moment it happens. In fact, the average data breach takes 200 days or more to be discovered, says McLane. Sometimes, the breached organization won't catch the incident, but will be told by the FBI or another law enforcement agency that it occurred. In other cases, banks will notify a business that an unusually high number of credit card fraud victims can be traced back to the company.
The reason that data breaches are so difficult to detect is fairly simple. Unlike ransomware, the goal of a data breach is to get in and out quietly, and to leave no traces behind that might lead back to the perpetrators. The methods for achieving this vary wildly, and may include the use of phishing scams, malware, and other malicious tactics.
If there's a silver lining, it's that nothing that occurs on a network is invisible. All activity is traceable, and all of it is logged. At the end of the day, everything you need to beat a data breach is right in front of your nose. It's really just a matter of knowing how to interpret it, and being able to filter out the information that matters, so you can detect signs of malicious network activity before it can harm your business.
Getting Ahead of Top Cyberthreats
Defending against ransomware, phishing, and data breaches is a matter of having the right people, processes, and tools in place. But many organizations struggle with at least one, if not all, of those components.
Arctic Wolf can help you stay safe from cyberthreats with 24x7, eyes-on-glass security delivered by our Concierge Security® Team. Leveraging the Arctic Wolf® Platform, which processes more than 65 billion daily events, the Concierge Security Team works with you on an ongoing basis to make your security operations more efficient and improve your security posture.
Learn more at arcticwolf.com.