You don’t have to look very far for evidence of just how widespread cybercrime has become. Unfortunately, many of us don’t even have to look beyond our own inboxes. And sadly, the situation is getting worse. It is now bad enough that in April, a bipartisan group of U.S. lawmakers proposed forming a “Civilian Cybersecurity Reserve,” patterned after the National Guard, to create a surge capacity of cyber expertise that could respond to incidents affecting government networks.
Outside the federal government in the U.S., one of the most frequent and lucrative cyberattacks – which typically begins with a successful phishing scam – is ransomware. In addition to cash-rich corporations and financial institutions, ransomware victims have included hospitals, schools, universities, local governments, and police departments, as well as utility and industrial companies. And, borrowing a page from the blackmailer’s playbook, some criminals also threaten to publicly release the organization’s most sensitive data unless it pays up, typically in cryptocurrency.
In February, Nicole Perlroth, who covers cybersecurity and digital espionage for The New York Times, dolefully observed: “Everything worth taking has already been intercepted: Our personal data, intellectual property, voter rolls, medical records, even our own cyberweaponry. Individuals just decided that access and convenience, and in governments’ case, the opportunities for espionage, were worth leaving windows open, when we would have all been better off slamming them shut.”
The inside story
As a result, anecdotes about outrageous cyberattacks can be found everywhere. But to get behind them systematically and formulate recommendations for securing private data, Keysight Technologies’ Application and Threat Intelligence Research Center, or ATI, examined the areas of greatest concern to network security. In addition to drawing on its own in-depth experience with network security testing and cloud visibility, ATI’s research drew on international exploit databases, the Dark Web, security news alerts, crowdsourcing, social media feeds, and honeypots placed strategically around the world to lure in cybercriminals and learn how they operate.
Across the more than 100,000 ransomware attacks ATI studied during 2020, phishing attacks – often the precursor to devastating network intrusions – increased by 62 percent in a single year. Social engineering lures tied to the pandemic were prominent among them, particularly in the spring of 2020. Healthcare facilities, which frequently lack the level of security found in the financial and defense industries, were major targets, and the attacks were made worse by the particularly cruel twist of holding hostage information that can be essential to vulnerable patients’ survival. Healthcare is not alone, however; ransomware victims can be found in essentially every industry. And while attacks propagated through a company’s supply chain have been taking place for some time, the planting of malware in the code shipped by trusted software suppliers such as SolarWinds was a new and ominous development.
What strategic insights are we able to glean from those attack patterns?
The first is that people need to recognize social engineering scams and avoid them. Bad actors target personally identifiable information (PII) that they can use to mount future attacks, particularly from PII-rich healthcare and government sources. Periodic updates to staff on current phishing tactics help keep awareness of deception high.
The second is that the business models and social engineering scams attackers use to hold a victim’s data hostage for ransom continue to mutate, and so does the malicious software itself. Therefore, it’s critical to keep enterprise threat detection systems up to date with the most recent signatures and behavior patterns. Since ransomware developers are getting better at evading detection, network security teams need to be kept apprised of evolving exploitation methods. But industry best practices aren’t always perfect. As the SolarWinds hack taught us, when the vendor’s own build has been compromised, even a legitimate, signed update carries risk; keeping your software current is necessary but not sufficient.
The third is that every organization uses outside vendors. They can include those providing materials that go into building a product, business software the organization runs on its networks, or supplies that keep the company’s facility running smoothly. But third parties in an organization’s supply chain are also frequently used as conduits into its core business data. Network security, as a result, needs to consider not only the risks inherent in the organization’s own systems, but also the risks associated with every vendor, consultant, partner, or customer that touches its IT.
Fourth, be frugal in extending trust when it comes to accessing your network. In fact, the zero-trust model, which is growing in acceptance, treats trust as a vulnerability rather than an asset. Under a traditional perimeter model, once a person is on the network, anyone – including a malicious actor who has stolen credentials or compromised a machine – is free to retrieve and remove whatever data is reachable. And an attacker’s initial point of infiltration is frequently different from, and often less well defended than, the attacker’s primary target. Our recommendation is to implement a zero-trust model in which every request is authenticated and authorized on its own merits, regardless of where it comes from, and to limit even qualified users to just those resources they absolutely need.
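To make the contrast concrete, here is an added example (not code from the original article or from Keysight) of a per-request authorization check in the zero-trust style set beside the perimeter rule it replaces. The device inventory, grant table, user names and resource names are constructed for illustration; a real deployment would pull device posture from its MDM/EDR agent and the MFA result from its identity provider.

```python
"""Zero-trust style authorization: the network a request arrives from earns it
nothing. Every request must carry a strongly verified identity, come from a device
that meets posture requirements, and match an explicit grant for that one resource
and action; everything else is denied. Added example; the device inventory and
grant table below are constructed, not real policy data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    mfa_verified: bool   # identity proof checked upstream (e.g. by the IdP)
    source_net: str      # "corp" or "internet"; recorded for logging, never trusted
    resource: str
    action: str          # "read" or "write"


# Constructed device posture, as an MDM/EDR agent would report it (hypothetical IDs).
DEVICES = {
    "lt-0421": {"managed": True, "disk_encrypted": True, "edr_healthy": True},
    "lt-0777": {"managed": True, "disk_encrypted": True, "edr_healthy": False},
    "byod-09": {"managed": False, "disk_encrypted": True, "edr_healthy": False},
}

# Constructed grants: (user, resource) -> allowed actions. Absence means deny.
GRANTS = {
    ("alice", "hr/payroll"): {"read"},
    ("alice", "eng/wiki"): {"read", "write"},
    ("bob", "eng/wiki"): {"read"},
}


def device_posture_ok(device_id):
    d = DEVICES.get(device_id)
    return bool(d and d["managed"] and d["disk_encrypted"] and d["edr_healthy"])


def perimeter_decision(req):
    """The model the text warns against: being on the corporate network is enough."""
    return req.source_net == "corp"


def zero_trust_decision(req):
    """Return (allowed, reason); every check must pass, and location is never one."""
    if not req.mfa_verified:
        return False, "identity not strongly verified"
    if not device_posture_ok(req.device_id):
        return False, "device posture check failed"
    if req.action not in GRANTS.get((req.user, req.resource), set()):
        return False, "no grant for %s on %s" % (req.action, req.resource)
    return True, "explicit grant"


def compare(requests):
    """Side-by-side decisions: where a flat network would have let a request through."""
    return [(r.user, r.resource, r.action, perimeter_decision(r), zero_trust_decision(r)[0])
            for r in requests]


SAMPLE = [  # constructed requests
    Request("alice", "lt-0421", True, "corp", "hr/payroll", "read"),
    Request("alice", "lt-0421", True, "internet", "hr/payroll", "read"),
    Request("alice", "lt-0421", True, "corp", "hr/payroll", "write"),
    Request("bob", "lt-0777", True, "corp", "eng/wiki", "read"),        # unhealthy EDR
    Request("eve", "lt-0421", True, "corp", "hr/payroll", "read"),      # on the LAN, no grant
    Request("bob", "byod-09", False, "corp", "eng/wiki", "read"),       # no MFA, unmanaged
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

Run stand-alone, the comparison shows the perimeter rule admitting five of the six requests while the zero-trust check admits two: alice reading payroll from the office and from the internet alike, because her identity, device and grant hold in both places, and nothing else, because each of the other requests fails a check that network location cannot satisfy.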
Finally, it is a good idea to assume that your network has already been breached, even if no overtly malicious activity has surfaced. To know what anomalies may be hiding in the network – whether it is on-premises, in a cloud, or at a remote user’s location – you need to see what’s going on with those resources. Investing in tooling that provides continuous visibility into your organization’s network, so that your IT teams can spot potential mischief and respond before it becomes a disaster, is money well spent.
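As an added example of what “assume breach” looks like in practice (this is illustration written for this edit, not code from the original article or from Keysight), the following script builds a per-host baseline from a quiet window of outbound flow records and then hunts a later window for two things a ransomware operator tends to leave behind before the encryption note appears: a large transfer to a destination the host has never contacted, and regular, beacon-like check-ins to a single external host. The flow records, host addresses and thresholds are constructed; the external addresses are RFC 5737 documentation ranges, not real servers.

```python
"""Assume-breach hunting over outbound flow records: learn a per-host baseline from a
quiet window, then flag in a later window (a) a transfer to a destination the host has
never contacted that dwarfs its usual flows and (b) regular, beacon-like connections
to one external host. Added example; the flow records are constructed with RFC 5737
documentation addresses, not real captures."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed baseline window: normal-looking HTTPS traffic from two workstations.
BASELINE = """ts,src,dst,dport,bytes_out
1000,10.0.0.5,192.0.2.69,443,4200
1300,10.0.0.5,192.0.2.69,443,3900
1700,10.0.0.5,192.0.2.20,443,5100
2100,10.0.0.7,192.0.2.69,443,3100
2500,10.0.0.7,192.0.2.14,443,2800
2900,10.0.0.5,192.0.2.20,443,4400
"""

# Constructed later window: one host beacons every 60 s to a new address, another
# pushes ~91 MB over SSH to an address it has never talked to.
SUSPECT = """ts,src,dst,dport,bytes_out
5000,10.0.0.5,192.0.2.69,443,4100
5060,10.0.0.7,198.51.100.3,443,900
5120,10.0.0.7,198.51.100.3,443,880
5180,10.0.0.7,198.51.100.3,443,910
5240,10.0.0.7,198.51.100.3,443,890
5300,10.0.0.5,203.0.113.156,22,91000000
5400,10.0.0.7,192.0.2.14,443,3000
"""


def parse(text):
    return [{"ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
             "dport": int(r["dport"]), "bytes_out": int(r["bytes_out"])}
            for r in csv.DictReader(io.StringIO(text))]


def build_baseline(rows):
    """Per source host: the set of destinations seen and the median outbound flow size."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for r in rows:
        peers[r["src"]].add(r["dst"])
        sizes[r["src"]].append(r["bytes_out"])
    return {h: {"peers": peers[h], "median_bytes": statistics.median(sizes[h])}
            for h in peers}


def find_exfil(rows, baseline, factor=100):
    """Flag flows to a never-seen destination that exceed factor x the host's median.
    A host absent from the baseline has no known peers, so all of its flows count as new."""
    alerts = []
    for r in rows:
        b = baseline.get(r["src"])
        known = b is not None and r["dst"] in b["peers"]
        median = b["median_bytes"] if b else 0
        if not known and r["bytes_out"] > factor * max(median, 1):
            alerts.append({"src": r["src"], "dst": r["dst"],
                           "bytes_out": r["bytes_out"], "baseline_median": median})
    return alerts


def find_beacons(rows, min_count=4, max_jitter=0.1):
    """Flag (src, dst) pairs contacted repeatedly at near-constant intervals."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    alerts = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            alerts.append({"src": src, "dst": dst, "count": len(stamps), "interval": mean})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE))
    for a in find_exfil(parse(SUSPECT), base) + find_beacons(parse(SUSPECT)):
        print(a)
```

On the constructed data this reports one exfiltration candidate (10.0.0.5 sending 91 MB to 203.0.113.156, against a median flow of 4,300 bytes) and one beacon (10.0.0.7 contacting 198.51.100.3 four times at a fixed 60-second interval), while the known-peer traffic in the same window stays quiet. The two thresholds are starting points to tune against your own baseline, and the same structure applies unchanged whether the records come from on-premises flow exporters, cloud VPC flow logs, or an endpoint agent on a remote user’s laptop.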