Cyber-Criminals Only Have to Be Right Once? Not Quite


If you have worked in the world of cybersecurity for any length of time, you’ll be familiar with the adage: “Cyber-criminals only have to be right once. We have to get it right every time.” 

There is some logic to this way of thinking. One successful breach of our perimeters would understandably constitute a successful cyber-attack. But the reality is far more complex in the modern threat landscape, where cyber-criminals continuously develop new and sophisticated ways to evade our protections and inflict maximum damage.

Organizations increasingly view cyber-attacks as a matter of when, not if, and are building in-depth resilience strategies in response. In this world, a single compromise should not have catastrophic outcomes. That leaves cyber-criminals needing to ‘get it right’ time and time again before they can inflict widespread damage.

A Long Con Means Missed Opportunities

Very few, if any, successful grifts are a one-and-done affair. Frank Abagnale spent years forging credibility to carry out his most audacious scams, even allegedly going so far as to pass the Louisiana bar exam. Similarly, by its very nature, Charles Ponzi’s eponymous scheme requires the successful duping of numerous victims.

But perhaps the closest comparison to the repeated cons, successful escalation and lateral movement required of modern cyber-criminals is the case of Friedrich Wilhelm Voigt, as outlined by Tim Harford.  

In 1906, Voigt bought a second-hand military uniform and began posing as a Prussian army officer. Before long, he had convinced a squad of soldiers to follow his orders, occupied the town hall of Köpenick, arrested the legitimate mayor and seized some 4,000 marks from the treasury.

There is no shortage of similarities between Voigt’s attack chain and those followed by today’s threat actors. He relied on social engineering for his initial compromise, escalated his privileges before the final payoff and benefited from a growing air of legitimacy with each step.

But, most crucially, he had to pull off several successful cons before making off with the marks. And, just as in a modern cyber-attack, this gave those on the receiving end multiple opportunities to stop him in his tracks before any significant damage was done.

This sequence of events echoes the 2021 ransomware attack on Ireland’s Health Service Executive (HSE). Just as an official-looking uniform duped several soldiers, an HSE employee was convinced to open a malicious email attachment, paving the way for a malware infection.

Next, like Voigt, the attacker continued under a veil of legitimacy, compromising and abusing privileged accounts and servers and moving laterally across networks. Finally, having navigated several stages of the attack chain, the attacker detonated the ransomware payload roughly eight weeks after the initial compromise.

But while Voigt was apprehended within days of his theft, the HSE intrusion went undetected and uncontained for those eight weeks, leading to widespread disruption. It took the HSE over four months to decrypt and restore all affected servers and applications, during which time patient care was severely interrupted and stolen data was posted on the dark web.

Frustrating Threats at Every Turn

In the case of the HSE ransomware attack, and many others like it, the perpetrators had to ‘be right’ not once but at least five times.

First, the email had to reach the recipient’s inbox. It then had to be convincing enough to make the reader open it and click on the malicious attachment inside. Once past the initial defenses, the attackers had to navigate their way through systems and networks, compromising more devices without raising suspicion.

Had any malicious activity been spotted and acted on by this stage, security teams might have contained the threat before it had a major impact on the HSE’s services or reputation. Instead, the attackers were able to exfiltrate patient data, with no alert acted upon, before initiating the ransomware.

This multi-stage attack chain is undoubtedly bad news when it works, potentially inflicting much more damage than a standalone cyber-attack. But, on the positive side, it presents security teams with numerous opportunities to detect and deter malicious activity before any significant damage is inflicted.

So, to stand a chance of keeping these kinds of attacks at bay, organizations must build a security posture and culture capable of thwarting cyber-criminals at every turn.

This means putting protections in place to detect and quarantine malicious messages before they hit the inbox, plus simple blocking and reporting features that allow your people to report any that get through.

Breaking the next link in the attack chain requires tooling that can spot suspicious activity, disrupt lateral movement and impede privilege escalation, such as endpoint detection and response, privileged-access controls and network segmentation. But, as always, tools and technology are not enough on their own. For any defense to be effective against these kinds of attacks, it must be backed by comprehensive security awareness training.
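To make the "every link is a detection opportunity" argument concrete, here is an added example (not code from the original article or from the HSE investigation) that runs one simple rule per stage of the chain over a handful of constructed telemetry events: a phishing email with a macro attachment, an Office application spawning a script host, a network logon from the victim's workstation to a server, an account being added to an administrative group, and a burst of file renames. The thresholds, the trusted mail domain `hse.example`, the host and user names and the event layout are all assumptions made up for the illustration; real rules would draw on richer baselines and far more noise handling.

```python
"""Stage-by-stage detection over a constructed attack chain.

Each rule watches one link (delivery, execution, lateral movement,
privilege escalation, impact). The chain only succeeds if every rule
misses, so the earliest hit is the defender's "right once".
"""
from dataclasses import dataclass

# Hypothetical tuning knobs, invented for this example.
TRUSTED_MAIL_DOMAINS = {"hse.example"}                      # assumed internal domain
OFFICE_APPS = {"EXCEL.EXE", "WINWORD.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}
ENCRYPT_BURST = 50        # files renamed in one event before we call it impact


@dataclass(frozen=True)
class Detection:
    ts: int
    stage: str
    host: str
    reason: str


def detect_chain(events):
    """Return detections ordered by time; one rule per link of the chain."""
    hits = []
    baseline_host = {}    # user -> workstation of their first interactive logon
    for e in sorted(events, key=lambda x: x["ts"]):
        kind = e["kind"]
        if kind == "mail":
            # Delivery: macro-bearing attachment from outside the trusted domain.
            sender_domain = e["from"].rsplit("@", 1)[-1].lower()
            if e.get("macro_attachment") and sender_domain not in TRUSTED_MAIL_DOMAINS:
                hits.append(Detection(e["ts"], "delivery", e["host"],
                                      f"macro attachment from external sender {e['from']}"))
        elif kind == "process":
            # Execution: an Office application launching a script interpreter.
            if e["parent"].upper() in OFFICE_APPS and e["image"].lower() in SCRIPT_HOSTS:
                hits.append(Detection(e["ts"], "execution", e["host"],
                                      f"{e['parent']} spawned {e['image']}"))
        elif kind == "logon":
            user = e["user"]
            if e["logon_type"] == 2:            # interactive logon sets the baseline
                baseline_host.setdefault(user, e["host"])
            elif (e["logon_type"] == 3          # network logon from the baseline box
                  and baseline_host.get(user) == e["src"]
                  and e["host"] != e["src"]):
                # Toy lateral-movement rule: a real one would baseline normal share access.
                hits.append(Detection(e["ts"], "lateral_movement", e["host"],
                                      f"{user} network logon from {e['src']}"))
        elif kind == "group_change":
            # Privilege escalation: membership added to a high-privilege group.
            if e["group"] in ADMIN_GROUPS:
                hits.append(Detection(e["ts"], "privilege_escalation", e["host"],
                                      f"{e['user']} added to {e['group']}"))
        elif kind == "file_rename":
            # Impact: mass rename to a new extension, the classic encryption signature.
            if e["count"] >= ENCRYPT_BURST and e["new_ext"]:
                hits.append(Detection(e["ts"], "impact", e["host"],
                                      f"{e['count']} files renamed to {e['new_ext']}"))
    return hits


def first_break_point(events):
    """Earliest stage at which a responder could have cut the chain (None if nothing fired)."""
    hits = detect_chain(events)
    return hits[0].stage if hits else None


# Constructed sample telemetry: phish -> macro -> lateral movement -> admin -> ransomware.
SAMPLE_EVENTS = [
    {"ts": 1, "kind": "mail", "host": "ws-017",
     "from": "invoices@courier-notice.example", "macro_attachment": True},
    {"ts": 2, "kind": "process", "host": "ws-017", "parent": "EXCEL.EXE", "image": "powershell.exe"},
    {"ts": 3, "kind": "logon", "host": "ws-017", "user": "jdoe", "logon_type": 2, "src": "ws-017"},
    {"ts": 4, "kind": "logon", "host": "srv-files-01", "user": "jdoe", "logon_type": 3, "src": "ws-017"},
    {"ts": 5, "kind": "group_change", "host": "dc-01", "user": "svc-backup", "group": "Domain Admins"},
    {"ts": 6, "kind": "file_rename", "host": "srv-files-01", "count": 1200, "new_ext": ".locked"},
]

if __name__ == "__main__":
    for d in detect_chain(SAMPLE_EVENTS):
        print(f"t={d.ts} {d.stage:<20} {d.host:<13} {d.reason}")
    print("chain could first have been broken at:", first_break_point(SAMPLE_EVENTS))
```

Dropping the first event from `SAMPLE_EVENTS` (the phish slipped past mail filtering) still yields a break point at the execution stage, which is the point of layering: each later rule is independent of the ones before it, so the attacker has to beat all of them while the defender needs only one to fire and be acted on.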

Cyber-criminals are targeting your identities, and to stand any chance of keeping them at bay, the people behind those identities must know how to spot and nullify any potential threats.

Protect Your Identities. Break the Attack Chain

When we break cyber-attacks into individual stages, it quickly becomes evident that we need to rethink what we consider a perimeter. Gone are the days when we could put a ring of steel around anything important and hope it stood firm.

Today, your perimeter is your people, or rather, their identities – and they require a new set of tools to keep them safe. Fundamentally, organizations must implement a defense-in-depth strategy, combining people, processes and technology.

First and foremost, the best way to stop employees falling victim to email-borne threats is to block those threats before they reach the inbox. Organizations must recognize the need for strong email security, since most attacks start here.

They must customize their protection around their people not only before an attack but also during and after. Should the initial layer of defense be successfully compromised, organizations must have the tools to respond instantly and remediate quickly. The key here is resilience. You may not be able to stop every threat, but you can make it as difficult as possible for an attack to reach its intended end goal.

Your people have a huge part to play here. The more they know about the attacks they are likely to face and what to do when they face them, the more likely they are to block them on sight.

When these layers of protection are combined, we can turn the tables on cyber-criminals. Now, they have to be right time and time again. Your defenses only need to be right once.
