Security Experts:

News or Ruse? How Cyber Situational Awareness Can Help You to Distinguish

Whether you follow politics, healthcare, or sports, there’s a lot happening in the world right now and a lot to keep up with. Attackers are taking advantage of this flurry of activity and your quest for information to launch a new round of scams.

The Brexit is just the latest example in which we’ve seen a surge in malicious emails within hours of the referendum result. Promising to protect individuals from financial market upheaval, the ploy lures users to open an email and an infected attachment, or click on a link that goes to a malicious website. Subject lines like “Brexit causes historic market drop” are designed to create the sense of urgency so that targets click before they think.

Cybercriminals act fast to capitalize on the confusion and time-sensitivity that surrounds breaking news. They quickly register domain names that sound official and create fake sites. Techniques like typosquatting or URL squatting to spoof the names of legitimate sites, and SEO poisoning to inflate search engine ratings, make it extremely difficult for a typical user to identify when they are being duped.

Attackers then devise their scheme for engaging targets. They may use malware delivered through an email to damage files, collect personal information or to hijack systems that will serve as a launching pad for other mechanized attacks. Or, they may use phishing scams to lure targets to their bogus sites, posing as a legitimate sender and pointing users to a website where they input personal financial data.

Situational Awareness

While many of these techniques are not new, what is new is the speed and specificity with which these campaigns are launched and the combination of methods used. Most front-line defenses can’t protect against these types of attacks. So what can you do to help reduce the odds of a click that exposes your organization to risk?

Education is an important first step. Despite the fact that most of us are familiar with phishing, it remains problematic. Verizon’s 2016 Data Breach Investigations Report found that in phishing tests, the number of people who opened phishing emails rose from 23 percent to 30 percent, an increase researchers attribute to more skillful attackers. Reminding users not to open attachments or click on links they don’t recognize or haven’t requested and quickly deleting these types of emails can prevent many attacks from being successful.

But humans make errors.

What’s needed is greater threat intelligence, specifically cyber situational awareness – the ability to look at your environment through the eyes of an attacker to detect the threats and vulnerabilities relevant to your organization. If security professionals can see that same picture of their own organizations they can use it to better secure their business, mitigating risk associated with the attack surface, which includes people.

To gain an attacker’s eye view you need to think like an attacker. You need to approach your organization from the outside using the same techniques as attackers – social engineering, long-term reconnaissance and data mining over time to discover information relevant to the organization from a business, personal and asset perspective. With a picture of what your organization looks like digitally to the outside world, you can conduct threat mitigation which often starts with basic patching and reconfiguration. The Verizon 2016 DBIR revealed that the vast majority of exploited vulnerabilities compromised were more than a year old and that the top 10 vulnerabilities accounted for 85 percent of successful exploit traffic.

While patching is critically important, cyber situational awareness can offer even greater insights. It can help security professionals identify typosquatted domains used for phishing, business email compromise, fraud and other nefarious activity. And by monitoring the dark web – Tor, the Invisible Internet Project (I2P), paste and criminal sites – it can help organizations find personally identifiable information or intellectual property that has been leaked as well as discover where this data is leaking from and who is seeking to exploit it. These revelations can provide organizations that have fallen prey to these scams with greater context and insights to better understand a threat actor’s tactics, techniques and procedures (TTPs). They can prioritize threat protection and policies based on the threat environment and their strengths and weaknesses and make better decisions about future investments in defensive measures.

There’s a lot you can do to distinguish between news and ruse and better protect your organization from opportunistic attackers. With a clear picture of your online exposure, you gain a greater understanding of how to mitigate risk to your organization.

view counter
Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.