There is a shift in the way cyber-criminals are targeting organizations. The methods of mass phishing and hacking are making way for more directed and personalized attacks. They carefully select their targets and craft convincing messages. However, that takes much more time and preparation. To make up for that, they now use automated techniques to carry out attacks. How can you protect your organization from this emerging threat?
The New Kind of Hacker
The age of automation started over a century ago, offering many business opportunities for organizations. Unfortunately, the cybercrime world has now followed suit. In the past, hackers were highly-skilled enthusiasts, making for a small community. They did their own extensive research and wrote their own tools and code, taking days to implement a successful attack.
Nowadays, the entry barrier is lower, making the cyber-criminal community larger. Instead of each hacker creating their own tools, software and frameworks are now shared and (ab)used by more hackers.
The new kind of hacker uses publicly available information (also known as OSINT = Open Source Intelligence) to create a profile of their target. Examples are information taken from the company website, third party websites, social media, news platforms, powerful search engines, publicly available presentations such as Prezi, etc. This is used during the reconnaissance phase of an attack, or to impersonate an organization’s VIP, for example. The tools used to collect (scrape) the necessary intel have become more powerful and efficient, and many more are available.
Automating these processes delivers structured overviews of an organization’s vulnerabilities. All steps of the cyber kill chain can be automated, letting script hack by itself. Collected information can also be used to create highly convincing profiles of organizations’ VIPs. The more convincing a profile is, the more likely victims are going to fall for it. The days of the Nigerian prince scams are coming to an end.
How Can it Affect You?
What are the practical uses of automated hacking, and how can it affect your organization? Using tools such as Shodan, hackers generate an extensive overview of internet-connected devices such as your webservers, but also security cameras, webcams or printers.
For example, In Sweden, someone used automated hacking tools to discover public webcams near a harbor. With that footage, they could monitor and identify submarines going in and out of the port. They could calculate how long the submarines had been deployed, what their range would be and where they could have gone. This doesn’t take a team of IT specialists but can be done by anyone.
Though your organization probably doesn’t lease submarines, it is likely to have security cameras at the entrance and wireless printers. These devices can be mapped and potentially accessed remotely. It’s not anyone’s business who enters your office or who you meet with; that information belongs to you.
Phishing, Spear Phishing & Whaling
As mentioned above, cyber-attacks are increasingly targeting specific individuals. This is called spear phishing. Instead of solely hoping unobservant people click on the phishing message, cyber-criminals are now trying their best to convince their targets that they should transfer sums of money. Fake profiles, email addresses, web sites and brand and communication styles are developed to impersonate a third party or company executive. When a high-level CxO is targeted, it’s also known as ‘whaling.’
To build a compelling message, cyber-criminals’ first step is reconnaissance. Which customers does the target organization have, how many employees, do they use a specific email template, what are their vulnerabilities? Rather than going through publicly available information manually, they use automated resources. This makes their method more detailed and faster, with higher success rates.
Using Automated Hacking as a Security Measure
Know that repairing an incident is much more expensive than investing in proper counter measures. An average data breach costs a US company up to $7.9m, next to the reputational damage. On the other hand, treating every incoming incident as a severe threat can result in false positives and incorrect assessments, hindering productivity.
You need to know what you must protect and how you should protect it. What is the scale of your digital attack surface? Which vulnerabilities appear? You can prevent attacks using automated tools that detect and assess your digital footprint – not only your own websites and digital assets, also those belonging to third party vendors. All are related to your brand and could seriously harm your reputation when hacked by cyber-attackers.
You can’t prevent everything, but proactive detection and mitigation of your risks goes a long way. Make your invisible vulnerabilities visible – before hackers exploit them.
