Accedian is now part of Cisco

By Neil Popli

Ransomware and phishing scams: as the attacks get more aggressive, so too must your security systems and vigilance

How your biggest strength can also become your biggest weakness

Almost every day we are greeted with the ominous news that another organization was the victim of hacking or another city has fallen prey to ransomware. Sometimes it’s a big headline, and, at other times, we get a letter in the mail that our personal information might have been compromised.

If it seems that cyberattacks are more frequent, more brazen, and bigger, you are right. Since the beginning of the Covid-19 lockdown, we have seen a 238% surge in cyberattacks. In a survey of CIOs at major financial institutions, 80% of those surveyed confirmed more cyberattacks over the last 12 months.

Data suggests that close to a third of all cyberattacks target either banks or healthcare institutions. As the old adage goes, robbers go where the money is. 82% of the CIOs surveyed also reported that, along with the spike in volume, the techniques are improving, notably social engineering aimed at the human factor.

Gone are the days when the hacker was a teenager in a basement looking to score a gift card or brag to friends. Most cyberattacks today are carried out not by individuals but by well-resourced criminal organizations or nation-states that recruit skilled operators for the job. These attackers have a plan and are not looking for a quick buck. They send hundreds of thousands of phishing emails a day to employees of targeted organizations and keep repeating the process until someone eventually opens the malicious attachment or link.

Inside the mind of a hacker: leaving no trace to trigger no alerts

Once inside the network, attackers deliberately avoid generating auditable events and error messages, and steer clear of the traffic congestion and service disruptions that might trigger alerts and get them discovered. They also cover their tracks, cleaning up logs and erasing evidence of their presence. These attackers are not interested in slices of data; they want to harvest the entire database and are willing to take their time doing it.

In 2020, according to an IBM report, the dwell time (the average time hackers spend inside the network before being discovered) was over 206 days.

In the case of Target, the attackers had a foothold in the environment for months and siphoned off the card data in small batches to stay under the thresholds that would have tripped intrusion detection. We all heard about the Target breach, but less attention was paid to other significant breaches: 1.1 million cards stolen from Neiman Marcus, 7 million cards stolen from PF Chang's, and 2,200 stores breached at Home Depot. The list of companies and organizations that have been hacked is long and distinguished.

While the types of companies that are breached vary, there is a common thread: in a number of these breaches, Target being the clearest case (the attackers came in through credentials stolen from a third-party contractor), the initial foothold traced back to an employee or associate opening a phishing email in a work or personal account.

Unless an organization can guarantee that none of its employees will ever make a mistake (and let's face it, mistakes are likely, especially as phishing lures grow more convincing), it is a statistical certainty that sooner or later one of your employees or associates will click on one of these emails and expose the organization.

Breach prevention and what we can do

Risk assessment and mitigation teach us to assume that the organization has already been breached and to act accordingly. Perimeter defenses and intrusion prevention systems are necessary, but you should plan for the case in which they have failed and the attacker is already inside. At that point, behavior-based intrusion detection systems (IDS) are the key.

The lesson is to look for security tools that perform behavior-based analysis of traffic patterns and that do not depend solely on host logs or other data an intruder on that host can edit or delete. Traffic captured passively from a network tap or SPAN port is far harder to tamper with after the fact.

In at least some of these cases (Target's is the best documented), the tools already deployed did raise an alert on the anomalous behavior that could have exposed the breach, but the alert got lost among the thousands of daily alerts the security team received. So it is critical that false positives be driven down and that the alerts which remain be prioritized and analyzed diligently.

Nefarious actors will continue to inundate our inboxes with phishing emails; that cannot be escaped. An attacker needs to succeed only once in thousands of attempts, and in a large enterprise those thousands of attempts may all land on your own users. Our systems and processes, by contrast, have to succeed every time, or the organization suffers a breach.

Ask any CEO or entrepreneur about their biggest strength and the answer is universal, “our people are our strength” or some iteration of that statement. However, when it comes to cyberthreats, your people are also your biggest weakness.

When it comes to increasing IT security protection, it’s all about the data!

Next-gen, behavior-based IDS solutions require complete and precise data, not partial, sampled data. Network traffic is the closest thing to a single source of truth for an IT environment: every network access, and most malicious behavior, leaves a trace in the packets, and unlike a host log, a packet that has already been captured off the wire cannot be edited or deleted by an intruder on the host. The caveat is that encryption hides payloads, so much of the analysis works on metadata (who talks to whom, how often, and how much) rather than on content.

To detect threats and illicit behavior reliably, 100% of the transactions traversing the network must be analyzed, across all of the pertinent network layers, to achieve complete visibility. Skylight delivers on that promise.
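The two points above, that small-batch exfiltration slips past size thresholds and only shows up as a persistent pattern, and that sampled data undermines that kind of detection, can be made concrete with a short worked example. The code below is an added illustration written for this page; it is not Accedian or Skylight code, and the hostnames, destination addresses (RFC 5737 documentation ranges), byte counts and 21-day flow history are all constructed for the demo. It contrasts a naive per-flow size rule with a baseline-plus-persistence rule over outbound flow records, and then computes how often the persistence rule would still fire if the same flows were exported 1-in-N sampled.

```python
"""Added example (not Accedian/Skylight code): behaviour-based detection of
low-and-slow exfiltration over constructed per-host outbound flow records."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    day: int        # day index within the capture window
    src: str        # internal host (constructed name)
    dst: str        # external destination (constructed name / RFC 5737 address)
    bytes_out: int  # bytes sent from src to dst in this flow


MB = 1_000_000


def build_sample_flows():
    """Constructed 21-day flow history for two workstations (not real data)."""
    routine = {
        "ws-finance-01": ["crm.example.net", "mail.example.net", "203.0.113.40"],
        "ws-hr-07": ["hris.example.net", "mail.example.net", "203.0.113.41"],
    }
    flows = []
    for day in range(21):
        for src, dsts in routine.items():
            for i, dst in enumerate(dsts):          # routine daily traffic, 3-5 MB each
                flows.append(Flow(day, src, dst, (3 + i) * MB))
        if day >= 7:   # compromised host: one 20 MB batch per night to a staging server
            flows.append(Flow(day, "ws-finance-01", "198.51.100.23", 20 * MB))
        if day == 9:   # benign one-off: a single 400 MB upload to a new vendor portal
            flows.append(Flow(day, "ws-hr-07", "203.0.113.9", 400 * MB))
    return flows


def volume_threshold_alerts(flows, threshold=100 * MB):
    """Naive rule: alert on any single flow larger than `threshold` bytes."""
    return sorted({(f.src, f.dst) for f in flows if f.bytes_out > threshold})


def build_baseline(flows, baseline_days):
    """Destinations each host talked to during the first `baseline_days` days."""
    known = defaultdict(set)
    for f in flows:
        if f.day < baseline_days:
            known[f.src].add(f.dst)
    return known


def low_and_slow_alerts(flows, baseline_days=7, min_days=5):
    """Alert on (host, destination) pairs absent from the baseline that recur on
    at least `min_days` distinct days, regardless of per-flow size.  Returns
    (persistence_days, src, dst, total_bytes) tuples, most persistent first, so
    the list doubles as a triage order."""
    known = build_baseline(flows, baseline_days)
    days, total = defaultdict(set), defaultdict(int)
    for f in flows:
        if f.day >= baseline_days and f.dst not in known[f.src]:
            days[(f.src, f.dst)].add(f.day)
            total[(f.src, f.dst)] += f.bytes_out
    alerts = [(len(d), src, dst, total[(src, dst)])
              for (src, dst), d in days.items() if len(d) >= min_days]
    return sorted(alerts, reverse=True)


def prob_detected_under_sampling(exfil_days, sample_rate, min_days):
    """Probability that an independent 1-in-`sample_rate` flow sample keeps at
    least `min_days` of `exfil_days` nightly batches (binomial upper tail),
    i.e. the chance the persistence rule above still fires on sampled data."""
    p = 1.0 / sample_rate
    return sum(math.comb(exfil_days, k) * p ** k * (1 - p) ** (exfil_days - k)
               for k in range(min_days, exfil_days + 1))


if __name__ == "__main__":
    flows = build_sample_flows()
    print("size-threshold rule :", volume_threshold_alerts(flows))
    print("persistence rule    :", low_and_slow_alerts(flows))
    print("P(persistence rule fires on 1-in-10 sampled flows): %.4f"
          % prob_detected_under_sampling(14, 10, 5))
```

On the full record set the size rule flags only the benign 400 MB upload and never sees the 280 MB that left in 20 MB batches, while the persistence rule flags the staging server after five nights and ranks it first. With 1-in-10 sampling the same fourteen nightly batches would satisfy the five-day rule less than 1% of the time, which is the quantitative reason the page insists on analyzing every transaction rather than a sample.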