Safeguarding the Crown Jewels from Cyber-Attack


Organized criminal gangs (OCGs) are becoming increasingly adept at exploiting human weaknesses in order to break into corporate IT systems.

Attacks typically coincide with periods such as the tax season or the school summer holidays when finance departments are most likely to be overstretched and undermanned.

Standard phishing and spear-phishing attacks target members of staff and trick them into downloading malware or giving away their credentials; but cyber-criminals are now becoming increasingly ambitious and targeting chief executives and chief finance officers (CFOs), a process known as ‘whaling’.

The widespread adoption of social media has enabled OCGs to plan new ways of targeting senior staff. Social engineers mine online social networks for personal information about a target before going spear phishing or whaling.

Threat actors’ techniques and motives change constantly; new tools that bypass standard security controls are released every day, which leaves the older generation of signature-based security controls largely ineffective. Two further trends stand out: fileless attacks, where the payload is delivered by other means (such as a link or an image) and runs without a conventional executable ever being written to disk, and a clear shift towards digital channels such as social media as the attack vector.

Phishing has become so sophisticated that OCGs manage to catch even the most savvy employees off guard. Threat actors do this with techniques such as spoofing (sending an email that appears to come from a co-worker) and subdomain takeover, which lets them use the company’s very own domain as part of the phishing campaign.

Both are possible for preventable reasons. Spoofing works when the controls needed to identify spoofed email and reject it are not in place. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) were introduced to do just that, and Domain-based Message Authentication, Reporting and Conformance (DMARC) ties them together by telling receivers what to do with mail that fails both checks; yet 50% of Alexa top 500 websites still do not implement SPF and DKIM, meaning their domains are spoofable. Note that SPF and DKIM on their own only let a receiver check a message; without a DMARC policy of quarantine or reject, a message that fails is typically still delivered.
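The following script is an added example, not code from the original article, showing how a practitioner would read a domain's SPF and DMARC records and decide whether the domain is spoofable. The domain names and TXT records are constructed for illustration; in practice you fetch the domain's TXT record (SPF) and the TXT record of `_dmarc.<domain>` (DMARC).

```python
"""Assess whether a domain's mail can be spoofed from its SPF and DMARC records.

Added example, not from the original article. The records are constructed
inline so the script runs offline; in practice fetch the TXT record of the
domain (SPF) and of _dmarc.<domain> (DMARC) with a DNS lookup.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class MailAuthPosture:
    spf_all: Optional[str]       # qualifier on SPF 'all': '-', '~', '?' or '+'; None if no SPF record
    dmarc_policy: Optional[str]  # DMARC p= value; None if no DMARC record
    spoofable: bool              # True unless DMARC tells receivers to quarantine/reject failures
    reason: str


def parse_spf(txt: Optional[str]) -> Optional[str]:
    """Return the qualifier of the SPF 'all' mechanism, '?' if there is none, None if no SPF."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # bare 'all' is '+all': every sender passes
    return "?"                          # no 'all' term: result defaults to neutral


def parse_dmarc(txt: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs; None if it is not a DMARC record."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> MailAuthPosture:
    spf_all = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p", "").lower() if dmarc is not None else None

    # Only a DMARC policy instructs receivers to act on authentication failures.
    # SPF also checks the envelope sender, not the visible From header, so even
    # '-all' on its own does not stop a spoofed From address from being displayed.
    if policy in ("quarantine", "reject"):
        detail = f"SPF {spf_all}all" if spf_all else "no SPF, DKIM-only alignment"
        return MailAuthPosture(spf_all, policy, False, f"DMARC p={policy}; {detail}")
    if policy == "none":
        return MailAuthPosture(spf_all, policy, True, "DMARC p=none is monitoring only; failing mail is still delivered")
    if policy is not None:
        return MailAuthPosture(spf_all, policy, True, f"missing or unrecognised DMARC policy '{policy}'")
    if spf_all is None:
        return MailAuthPosture(None, None, True, "no SPF and no DMARC record")
    return MailAuthPosture(spf_all, None, True, f"SPF {spf_all}all but no DMARC; header From is unprotected")


# Constructed records for hypothetical domains, not real DNS data.
EXAMPLES = {
    "enforced.example":   ("v=spf1 include:_spf.mail.example -all", "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"),
    "monitoring.example": ("v=spf1 ip4:192.0.2.0/24 ~all", "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"),
    "spf-only.example":   ("v=spf1 mx -all", None),
    "nothing.example":    (None, None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in EXAMPLES.items():
        result = assess(spf, dmarc)
        print(f"{domain:20} spoofable={result.spoofable!s:5} {result.reason}")
```

The deciding input is the DMARC `p=` tag: a domain with a strict `-all` SPF record but no DMARC is still reported as spoofable, because SPF is evaluated against the envelope sender rather than the From header the recipient sees.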

Subdomain takeover exploits a weakness in how companies use cloud service providers to host various services. When a service is decommissioned, the DNS record that pointed at it (typically a CNAME to a hostname under the provider’s domain) is often left in place. If the provider lets anyone claim the now-unused name, an attacker can register it and take over the subdomain, serving their own content from the company’s domain.
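As an added example (not code from the original article), here is the check a practitioner would run over a zone export to find dangling CNAMEs. The zone, the resolver answers and the HTTP bodies are all constructed inline so the script runs offline; the provider fingerprints are an illustrative list, and a real audit would resolve each CNAME target and fetch it over HTTP.

```python
"""Flag subdomains whose CNAME points at a cloud resource that no longer exists.

Added example, not from the original article. The zone export and the probe
results are constructed inline so it runs offline; in practice you would
export the zone from your DNS provider, resolve each CNAME target, and fetch
it over HTTP to look for the provider's "no such resource" page.
"""
from typing import Dict, List, Tuple

# Constructed zone export for a hypothetical domain: (name, type, data).
ZONE = [
    ("www.example.com",    "A",     "192.0.2.10"),
    ("blog.example.com",   "CNAME", "example-blog.github.io"),
    ("assets.example.com", "CNAME", "old-campaign-bucket.s3.amazonaws.com"),
    ("app.example.com",    "CNAME", "example-app.azurewebsites.net"),
    ("legacy.example.com", "CNAME", "legacy-lb.vendor-hosting.example"),
]

# Constructed probe results per CNAME target: does the name resolve, and what
# did an HTTP GET return? Provider hosts such as *.s3.amazonaws.com resolve even
# when the bucket is gone, so the HTTP body is the signal there.
PROBES: Dict[str, Tuple[bool, str]] = {
    "example-blog.github.io":               (True,  "<html>Welcome to the blog</html>"),
    "old-campaign-bucket.s3.amazonaws.com": (True,  "<Error><Code>NoSuchBucket</Code></Error>"),
    "example-app.azurewebsites.net":        (False, ""),   # NXDOMAIN: app service deleted
    "legacy-lb.vendor-hosting.example":     (False, ""),   # NXDOMAIN: unknown vendor
}

# Illustrative fingerprints of providers where an unclaimed name can be registered
# by anyone: target host suffix -> text the provider returns for a missing resource
# (None where a deleted resource simply stops resolving).
CLAIMABLE_FINGERPRINTS = {
    ".s3.amazonaws.com": "NoSuchBucket",
    ".github.io": "There isn't a GitHub Pages site here",
    ".azurewebsites.net": None,
    ".herokuapp.com": "No such app",
}


def classify_target(target: str, resolves: bool, body: str) -> Tuple[str, str]:
    """Return (severity, reason) for one CNAME target; severity 'ok' means not dangling."""
    provider = next((s for s in CLAIMABLE_FINGERPRINTS if target.endswith(s)), None)
    if not resolves:
        if provider:
            return "high", f"NXDOMAIN for claimable provider name ({provider})"
        return "medium", "NXDOMAIN for target outside known providers; check whether it is claimable"
    fingerprint = CLAIMABLE_FINGERPRINTS.get(provider) if provider else None
    if fingerprint and fingerprint in body:
        return "high", f"provider reports resource missing ('{fingerprint}')"
    return "ok", "target resolves and serves content"


def find_dangling(zone, probes) -> List[Tuple[str, str, str, str]]:
    """Return (subdomain, target, severity, reason) for every CNAME that looks dangling."""
    findings = []
    for name, rtype, data in zone:
        if rtype != "CNAME":
            continue
        target = data.rstrip(".").lower()
        resolves, body = probes.get(target, (False, ""))
        severity, reason = classify_target(target, resolves, body)
        if severity != "ok":
            findings.append((name, target, severity, reason))
    return findings


if __name__ == "__main__":
    for name, target, severity, reason in find_dangling(ZONE, PROBES):
        print(f"[{severity}] {name} -> {target}: {reason}")
```

The two signals matter equally: an NXDOMAIN answer catches providers whose deleted names vanish from DNS, while the body fingerprint catches providers whose shared hostnames keep resolving after the resource behind them is gone.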

Although most executives and senior staff are wary of opening email attachments from untrusted sources, many are still too cavalier about clicking links on Twitter. Research carried out by CyberInt reveals that almost two per cent of social media comments and postings with an embedded URL are malicious. Popular techniques include cross-site scripting (XSS), where malicious script is injected into a trusted website and runs in the victim’s browser, and clickjacking, where a page from a trusted site is loaded invisibly (typically in a transparent iframe) over decoy content so that clicks meant for the decoy land on the hidden page, causing the user to unknowingly perform actions such as downloading malware. Sites defend against clickjacking by refusing to be framed, using the Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header.
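The check below is an added example, not code from the original article. It evaluates a set of response headers the way a browser does when deciding whether a page may be framed, which is the property a clickjacking attack depends on. The origins and headers are constructed, and the source matching is a simplified subset of the CSP grammar (`'self'`, `'none'`, `*`, scheme-sources, exact hosts and `*.` wildcards).

```python
"""Decide from response headers whether a page can be framed by another origin.

Added example, not from the original article. Modern browsers enforce the
Content-Security-Policy frame-ancestors directive and, when it is absent, the
X-Frame-Options header; the headers and origins below are constructed.
Source matching is simplified to 'self', 'none', '*', scheme-sources, exact
hosts and '*.' wildcards.
"""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _source_matches(source: str, framer: str, page: str) -> bool:
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    if source == "*":
        return True
    if source.endswith(":"):                  # scheme-source such as https:
        return framer.startswith(source + "//")
    scheme, _, host = source.rpartition("://")
    framer_scheme, _, framer_host = framer.rpartition("://")
    if scheme and scheme != framer_scheme:
        return False
    if host.startswith("*."):
        return framer_host.endswith(host[1:])  # *.example.com matches sub.example.com
    return framer_host == host


def framing_allowed(headers: Dict[str, str], page_origin: str, framer_origin: str) -> bool:
    """True if a page served with these headers would render inside a frame on framer_origin."""
    page_origin, framer_origin = page_origin.lower(), framer_origin.lower()
    csp = _header(headers, "Content-Security-Policy")
    sources = _frame_ancestors(csp) if csp else None
    if sources is not None:
        # frame-ancestors takes precedence over X-Frame-Options when both are present.
        return any(_source_matches(s, framer_origin, page_origin) for s in sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True                           # no policy at all: clickjackable
    value = xfo.strip().lower()
    if value == "deny":
        return False
    if value == "sameorigin":
        return framer_origin == page_origin
    # ALLOW-FROM is obsolete and ignored by current browsers, so it gives no protection.
    return True


if __name__ == "__main__":
    # Constructed responses for a hypothetical site, each tested against an attacker origin.
    cases = {
        "no headers":      {},
        "X-Frame-Options": {"X-Frame-Options": "SAMEORIGIN"},
        "CSP":             {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    }
    for label, hdrs in cases.items():
        ok = framing_allowed(hdrs, "https://bank.example", "https://evil.example")
        print(f"{label:16} framed by https://evil.example: {ok}")
```

Two points the code makes explicit: when both headers are present the CSP directive wins, and the obsolete `X-Frame-Options: ALLOW-FROM` form is treated as no protection, because current browsers ignore it.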

The groups providing the malware used by OCGs to break into finance departments’ IT systems now employ increasingly sophisticated business models frequently offering help desk support for the deployment of the latest malware and some even offer money-back guarantees. This process has been termed the 'industrialization' of cybercrime.

As well as routine precautions such as training staff to treat social media with caution, applying security patches promptly (something the large number of companies hit by WannaCry had neglected to do) and running regular red teaming exercises, companies should also make use of threat intelligence, whether produced in-house or bought from third parties.

“Threat intelligence” is one of the most overused terms in the cybersecurity industry, but its judicious use could easily have averted the global spread of the recent WannaCry ransomware attack. EternalBlue, the exploit WannaCry used, targets a vulnerability in Microsoft’s Server Message Block (SMB) file-sharing protocol; Microsoft had patched that vulnerability (MS17-010) in March 2017, and the Shadow Brokers published the exploit in April, weeks before the May outbreak. Both the vulnerability and its patch were therefore public well before the attack.

Another option that is gaining popularity is the use of an MDR provider. Managed Detection and Response (MDR) service providers let companies augment their existing security capabilities by detecting and responding to complex attacks that standard controls may miss. They also supply response capability, which in-house teams often lack.

With the summer holiday season fast approaching, companies should ring-fence their financial and mission-critical data: take a clear and dispassionate look at their cybersecurity controls, plug any glaring gaps in their defenses, anticipate the most likely attack vectors, and impress on staff the need for constant caution when using electronic communications of all kinds.
