In the age of AI, cryptomining and IoT, security leaders have a seemingly endless stream of new cyberthreats to defend against, so why are the old threat actors still coming back to haunt them? Bharat Mistry, Principal Security Strategist, Trend Micro, discusses the things that go bump on the Internet and the skeletons in the closet that are still haunting CISOs.
With Halloween just around the corner, now might be a good time for CISOs to face their biggest cybersecurity fears head on. But what exactly are they? While the more eye-catching breaking threats might catch the eye and make for better headlines, the reality on the ground is more mundane. It’s arguably the tried-and-tested attack techniques like phishing and social engineering that continue to cause the most pain. This makes layered security, including a renewed focus on training and awareness, an essential response to the darker side of the online world.
Things that go bump
Of course, it’s easy to be distracted by the latest emerging threats. Whether it’s sophisticated digital skimming attacks harvesting customer card data from websites, cryptojacking campaigns or fileless malware – there’s certainly plenty to be concerned about. Trend Micro recorded an increase in fileless detections in every month of the first half of 2018 bar June, peaking at nearly 40,000, while cryptocurrency mining detections jumped a staggering 955% from the first six months of 2017.
However, while these emerging threats are important, the ghost of malware we thought had been banished years ago continues to stalk organisations around the globe. Just take Conficker – it’s still spreading and remains one of the most prominent threats on the Internet, despite being over a decade old.
Other classics are arguably even more dangerous. Phishing has been around longer than Conficker, but is more popular today than ever. Attackers need only persuade one employee to click and their campaign is a success. Those aren’t good odds for the CISO. Perhaps unsurprisingly, phishing was responsible for 93% of all data breaches analysed by Verizon over the past year. But it’s not just information stealing that could result: that misplaced click could lead to ransomware infection, cryptojacking, a banking trojan or other malware.
Targeting the supposed weakest link in your organisation, its employees, via social engineering is also at the heart of Business Email Compromise (BEC). It’s a tactic that has netted cybercriminals more than US$12.5bn globally since 2013, according to the FBI. Crucially, it works usually without malware, relying on a sense of urgency and possibly a spoofed domain, or maybe even a hijacked CEO account, to convince the recipient to make a major corporate fund transfer. In August we found most attacks (38%) spoofed the CEO and targeted CFOs, followed by lower-down finance bosses.
Taking a stand
It’s therefore more important than ever that CISOs take a stand against the dark side of cyberspace. But that may require a fresh approach combining people, process and technology. The first part is often paid only lip service. This can result in threats not being properly explained to users, communicated in overly complex terminology, or else it’s assumed that they’re already aware what to do.
In reality, effective end user training and awareness programmes are vital to turn that weakest link into a formidable bulwark against shadowy threats. There are even free tools available which will help you run phishing awareness courses. Just make sure you are able to provide real-world exercises, communicated in short training sessions, with the ability to close the feedback loop with analysis of each employee’s performance. These should be extended to all staff, including part-timers and contractors.
Next, it’s important to enforce policy via layered cybersecurity controls. These can help you to analyse emails to spot malicious links and attachments, thus removing phishing and other attacks before they’ve even been introduced to the end user. AI tools can also help combat social engineering, for example by learning the writing style of CEO and other executives, so that it’s easier to spot attempts to spoof them via BEC. Combine these technologies with app control, DLP, behavioural and sandbox analysis and more, and you have the basis of an effective response.
It’s important to remember that there’s no silver bullet here – some techniques will be better served to tackle specific threats. It’s all about applying the right technique at the right time and ensuring all disparate tools share a common underlying intelligence platform to optimise protection.
That should clear away the cobwebs and put you in a far stronger position to keep the black hats at bay.
Click below to share this article
