Modern Cyber-Criminals Don't Hack in - They Log in

We may be almost three-quarters of the way through 2021, but the events of 2020 will continue to echo around the cybersecurity space for some time yet.

Cyber-criminals, galvanised by widespread disruption and remote teams, upped their efforts, hitting organisations with an arsenal of threats new and old. But whatever the tactic, most attacks shared a common trait — they were squarely targeted at people rather than infrastructure.

Ransomware attacks increased significantly last year, with email still commonly used as the point of entry. Meanwhile, another people-focused threat, credential phishing, was the most common type of attack, accounting for two-thirds of all malicious messages. Increasingly elaborate business email compromise (BEC) campaigns also emerged on the threat landscape.

There were new pretenders too. For example, steganography, the technique of hiding malicious payloads in pictures and audio files, was also wildly successful.

With so many common threats requiring human interaction, the modern cyber-criminal no longer needs to hack into an organisation. Much of the time, once they’ve gained access to the data they require, they can simply log in.

With this in mind, let’s review some of the most prevalent types of people-focused attacks right now and what you can do to defend against them. Ransomware on the Rise Ransomware attacks increased 300% last year, and in 2021, they’ve already hit some lofty targets that drove global news headlines for weeks.

The modern ransomware attack looks a little different today. Where once malicious payloads would drop into your inbox, they now often present as two-stage attacks.

Email remains a primary point of entry, however, so this is still very much an attack on your people. Today, the email delivers first-stage malware which acts as a backdoor for a further payload, usually delivered via a remote desktop protocol (RDP) and virtual private network (VPN) access.

As phishing and spam email is still the main gateway for ransomware distribution, it’s imperative that all organisations place a priority on securing inboxes with advanced filtering and threat detection. Your solution should detect and quarantine malicious attachments, documents and URLs before they reach the user.

Emboldened BEC BEC is nothing new. It was already firmly on the radar of the FBI back in 2016 when it was estimated to have cost global businesses around $3.1bn. Responsible for 44% of all cybercrime losses, it cost victims almost $2bn in reported losses last year alone.

This marked increase in estimated losses is indicative of a broader trend. Attacks are not necessarily increasing in volume, but they are becoming more focused — and targeting higher returns.

In more elaborate attacks, threat actors are spoofing C-level domain names to instruct victims to transfer vast sums of money. It only needs to work once to be a highly profitable endeavor.

Tackling payload-less threats like BEC requires visibility. It requires a broad and deep set of data and human threat expertise to train machine-learning models to accurately detect and stop bad messages without misidentifying and blocking good messages. You should look for a solution that combines machine learning with extensive threat data and threat analyst expertise to block targeted email fraud attacks as they continue to evolve.

Steganography Success

Steganography may not be a comparatively popular attack by volume, but few can beat it when it comes to success. More than one in three people targeted in steganography attack campaigns last year clicked the malicious payload.

That’s the highest of any attack technique and a click rate that any marketer would be proud of — let alone a cyber-criminal.

Organisations should look for a solution that combines machine learning with extensive threat data and threat analyst expertise

With payloads hidden in plain sight, in JPEGs, .wav files and the like, steganography attacks cannot be spotted with the naked eye. Avoiding this threat requires comprehensive analysis tools to scan messaging for anomalous and malicious data. And, of course, vigilance and caution on behalf of users. If it’s not imperative to your job role to click an image or audio file — don’t.

Building a People-Centric Security Culture

Just as people are at the heart of these increasingly common attacks, so too must they be at the center of any effective defense. Today, a robust cybersecurity posture requires a multi-pronged approach. One that combines people, process and technical controls.

Criminals are continually targeting humans to expose confidential data, compromise networks and even wire money. Through a technical combination of email gateway rules, advanced threat analysis, email authentication and visibility into cloud applications, we can block the majority of targeted attacks before they reach employees. But we can’t rely solely on technical controls because as we’ve seen, this is a people problem.

Security is a shared responsibility. At all levels within our organisations, we must empower people to understand security and the risky behaviors that can lead to breaches. Training and awareness programs are crucial, but one size does not fit all. Make sure your program is from the user's perspective — make it relevant to their work and personal lives.

We must also bring people into our security fold. Provide simple ways for users to report back to the security team. For example, single click buttons that automatically send potential phishing emails to the security team to analyse — in this case, false positives are a good problem to have.

Over 99% of cyber threats require human interaction to be successful. When your people are that vital to an attack, they need to be a vital part of your defense. Cyber-criminals spend day and night trying to penetrate your networks, systems and data. The least we can do is make them work a little harder.