Modern cybercriminals don’t hack in – they log in
We may be almost three-quarters of the way through 2021, but the events of 2020 will continue to resonate in the cybersecurity space for some time to come.
Cybercriminals, galvanized by widespread disruption and remote teams, have stepped up their efforts, hitting organizations with an arsenal of new and old threats. But regardless of the tactic used, most of the attacks shared one common trait: they were aimed directly at people rather than infrastructure.
Ransomware attacks have increased dramatically over the past year, with email still being widely used as an entry point. Meanwhile, another people-centric threat, credential phishing, was the most common type of attack, accounting for two-thirds of all malicious messages. Increasingly sophisticated Business Email Compromise (BEC) campaigns have also emerged in the threat landscape.
There were also new contenders. For example, steganography, the technique of hiding malicious payloads in images and audio files, has seen great success.
With so many common threats requiring human interaction, the modern cybercriminal no longer needs to hack into an organization. Most of the time, once they have access to the data they need, they can just log in.
With that in mind, let’s go over some of the most prevalent types of targeted attacks on people today, and what you can do to defend yourself against them.
Ransomware on the rise
Ransomware attacks increased 300% last year, and in 2021 they have already hit high-profile targets that stayed in the headlines around the world for weeks.
The modern ransomware attack is a little different today. Where malicious payloads once landed directly in your inbox, they now often arrive as two-stage attacks.
However, email remains a primary entry point, so it’s still an attack on your staff. Today, the email delivers first-stage malware that acts as a backdoor for additional payloads, typically delivered through Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) access.
With phishing and spam still being the primary gateway for ransomware distribution, it is imperative that all organizations prioritize securing inboxes with advanced filtering and threat detection. Your solution should detect and quarantine malicious attachments, documents, and URLs before they reach the user.
BEC is not new. It was already firmly on the FBI’s radar in 2016, when it reportedly cost global businesses an estimated $3.1 billion. Responsible for 44% of all cybercrime losses, it has cost victims nearly $2 billion in reported losses last year alone.
This marked increase in estimated losses is indicative of a broader trend. Attacks don’t necessarily increase in volume, but they do become more targeted and aim for higher returns.
In more elaborate attacks, threat actors spoof C-level domain names to ask victims to transfer huge sums of money. An attack like this only needs to work once to be very profitable.
Tackling non-payload threats like BEC requires visibility. It requires a large and in-depth set of human threat data and expertise to train machine learning models to accurately detect and stop bad messages without misidentifying and blocking legitimate messages. You should look for a solution that combines machine learning with extensive threat data and threat analyst expertise to block targeted email fraud attacks as they continue to evolve.
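As an added illustration (not code from the original article or any vendor product), the sketch below shows the kind of header-level signals a gateway rule can raise for a payload-free BEC message: an executive's display name arriving from an outside domain, a lookalike of the organization's domain, a Reply-To that diverges from the sender, and a DMARC failure. The domain `example-corp.test`, the executive name, the 0.85 similarity threshold and the sample message are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

def name_and_domain(header_value):
    """Return (lowercased display name, lowercased domain) of an address header."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def bec_signals(raw_message, org_domain, executive_names):
    """List the BEC indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, from_dom = name_and_domain(msg.get("From"))
    _, reply_dom = name_and_domain(msg.get("Reply-To"))
    # Only trust Authentication-Results stamped by your own gateway;
    # strip inbound copies of this header before evaluating it.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    signals = []
    if display in executive_names and from_dom != org_domain:
        signals.append("executive-name-from-external-domain")
    similarity = SequenceMatcher(None, from_dom, org_domain).ratio()
    if from_dom != org_domain and similarity >= 0.85:   # assumed threshold
        signals.append("lookalike-domain")
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-domain-mismatch")
    if "dmarc=fail" in auth:
        signals.append("dmarc-fail")
    return signals

# Constructed sample message: note the digit "1" in place of "l" in the domain.
SUSPECT = "\n".join((
    'From: "Dana Reyes" <dana.reyes@examp1e-corp.test>',
    "Reply-To: dana.reyes.ceo@mailbox.test",
    "Authentication-Results: mx.example-corp.test; spf=pass; dmarc=fail",
    "Subject: Urgent wire transfer",
    "",
    "Please process the attached payment today.",
))

if __name__ == "__main__":
    for signal in bec_signals(SUSPECT, "example-corp.test", {"dana reyes"}):
        print(signal)
```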
Success of steganography
Steganography may not be a popular attack by volume, but few can beat it in terms of success. More than one in three people targeted in steganographic attack campaigns last year clicked on the malicious payload.
It’s the highest success rate of any attack technique and a click-through rate that any marketer would be proud of, let alone a cybercriminal.
With payloads hidden in plain sight, in JPEG files, .wav files and more, steganography attacks cannot be detected with the naked eye. Avoiding this threat requires comprehensive analysis tools to scan email for abnormal and malicious data. And, of course, vigilance and caution on the part of the users. If it is not imperative for your position to click on an image or audio file, then do not do so.
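One check such analysis tools can run on JPEG and .wav attachments, shown here as an added example that is not from the original article: measuring data that sits beyond the point where the file format says the content ends. It covers only appended data, not payloads encoded inside pixel or sample values, and the sample files and their contents are constructed.

```python
import struct

def jpeg_trailing_bytes(data: bytes) -> int:
    """Bytes after the real end-of-image marker; -1 if not a parseable JPEG."""
    if data[:2] != b"\xff\xd8":                       # must start with SOI
        return -1
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            return -1
        marker = data[i + 1]
        if marker == 0xFF:                            # fill byte before a marker
            i += 1
            continue
        i += 2
        if marker == 0xD9:                            # EOI: the rest is extra
            return len(data) - i
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers without a length
            continue
        if i + 2 > len(data):
            return -1
        # Skip the segment by its declared length, so an EOI inside an
        # embedded thumbnail is not mistaken for the end of the image.
        i += struct.unpack(">H", data[i:i + 2])[0]
        if marker == 0xDA:                            # SOS: skip scan data
            while i + 1 < len(data) and not (
                data[i] == 0xFF and data[i + 1] != 0x00
                and not 0xD0 <= data[i + 1] <= 0xD7
            ):
                i += 1
    return -1

def wav_trailing_bytes(data: bytes) -> int:
    """Bytes beyond the size declared in the RIFF header; -1 if not a WAV."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return -1
    declared = struct.unpack("<I", data[4:8])[0] + 8
    return max(0, len(data) - declared)

# Constructed samples: a minimal JPEG with a fake thumbnail, a minimal WAV.
EXTRA = b"CONSTRUCTED-APPENDED-DATA"
THUMB = b"\xff\xd8\xff\xd9"
CLEAN_JPEG = (b"\xff\xd8\xff\xe1" + struct.pack(">H", 2 + len(THUMB)) + THUMB
              + b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
              + b"\x12\xff\x00\x34" + b"\xff\xd9")
CLEAN_WAV = (b"RIFF" + struct.pack("<I", 16) + b"WAVE"
             + b"data" + struct.pack("<I", 4) + bytes(4))

if __name__ == "__main__":
    print("jpeg:", jpeg_trailing_bytes(CLEAN_JPEG + EXTRA), "extra bytes")
    print("wav: ", wav_trailing_bytes(CLEAN_WAV + EXTRA), "extra bytes")
```

A non-zero count is a reason to quarantine the attachment for deeper analysis, not proof of malice, since some cameras and editors also append metadata.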
Building a people-centered security culture
Just as people are at the heart of these increasingly common attacks, they must also be at the center of any effective defense. Today, a robust cybersecurity posture requires a multi-pronged approach, one that combines people, processes and technical controls.
Criminals continually target humans to expose confidential data, compromise networks, and even wire money. With a technical combination of email gateway rules, advanced threat analysis, email authentication, and cloud application visibility, we can block the majority of targeted attacks before they reach employees. But we can’t just rely on technical controls because, as we’ve seen, it’s a people issue.
Security is a shared responsibility. At all levels within our organizations, we need to empower people to understand security and the risky behaviors that can lead to breaches. Training and awareness programs are crucial, but one size does not fit all. Make sure your program is designed from the user’s perspective – make it relevant to their work and personal life.
We also need to bring people into our security fold. Provide easy ways for users to report back to the security team. For example, one-click buttons that automatically send potential phishing emails to the security team for analysis. In this case, false positives are a good problem.
Over 99% of cyber threats require human interaction to be successful. When your personnel are so vital to an attack, they must be an essential part of your defense. Cybercriminals spend day and night trying to break into your networks, systems and data. The least we can do is make them work a little harder.