The Cyber Security war continues to be very asymmetric. Attackers are relentless in the speed and volume of their threats, and they mostly choose email as the vehicle for launching their malicious attacks. Most Cyber-criminals target people, not infrastructure: more than 99% of emails distributing malware from 2018 into 2019 required human interaction (clicking links, opening documents, accepting security warnings, or completing other tasks) to effectively compromise an organization. Instead of targeting systems, criminals focus on people, their roles, and the data they can access. But as long as we don't act on any suspicious emails, we are fairly safe. I am confident in saying that nearly all successful email-based Cyber-attacks require the target to open files, click on links, or carry out some other action. The vast majority of email and phishing attacks require some level of human input to execute. These interactions can also enable macros, so malicious code can run on your system to steal your credentials, data and information.
Sometimes it seems easy to blame users for falling victim to phishing attacks, but cyber criminals are becoming increasingly sophisticated, and it is often difficult to distinguish a malicious email from a regular one. Most cyber-attacks rely on human interaction to work, making individual users the last line of defense. To significantly reduce risk, organizations need a holistic, people-centric Cyber Security approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users. At Connectis Group we provide a full cycle of Cyber Security Awareness Training, making sure your employees understand the mechanisms of spam, phishing, spear-phishing, malware and social engineering and can apply this knowledge in their day-to-day job.
Social Engineering is the key element in conducting these campaigns. Cyber Criminals mimic the routines of businesses to ensure the best chance of success. For example, a user might be suspicious of an email claiming to come from a colleague that arrived in the middle of the night, but one that arrives in the middle of the working day is more likely to be treated as legitimate, with the potential for the victim to accidentally set the ball rolling for an attack. Recently, a voice deepfake was used to scam a CEO out of $243K, which shows how smart Cyber Criminals are getting.
Phishing is one of the cheapest, easiest Cyber-attacks for criminals to deploy, but the reason it remains a cornerstone of hacking campaigns is, put simply, that phishing works. While many Phishing attacks are designed to look highly legitimate, there are ways to identify what could potentially be a malicious attack. For example, unexpected emails built around a sense of urgency should be viewed as suspicious. If a user is in doubt, they can contact the supposed sender of the message through another channel to confirm that it is legitimate. It is also worth noting that cloud service providers like Microsoft and Google won't ask users to click through unexpected links to enter login credentials and other information. If a user is suspicious of a supposed login URL, they can bypass the link by going directly to the provider itself and entering their details there.
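The two red flags above (urgency language, and a login link that trades on a cloud provider's brand but does not point at that provider's real sign-in host) can be turned into a simple triage check that a mail team can run over a reported message. The following Python is an added example written for this post, not Connectis Group's tooling; the urgency phrases, the short list of genuine login hosts and the sample email are all constructed assumptions for the demo.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Urgency cues the post says should make an unexpected email suspicious (constructed list).
URGENCY_PATTERNS = [
    r"\burgent\b", r"\bimmediately\b", r"\bwithin 24 hours\b",
    r"\baccount will be (suspended|closed|locked)\b",
    r"\bverify your account\b", r"\bact now\b",
]
# Genuine sign-in hosts for the providers named in the post (assumption: enough for the demo).
KNOWN_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Brand words a lure typically borrows to look like a provider login page.
BRAND_WORDS = ("microsoft", "office", "google", "gmail")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: a credential lure that pretends to be a Microsoft 365 notice.
SAMPLE = b"""From: "IT Support" <it-support@example.net>
Subject: URGENT: verify your account within 24 hours

Your Microsoft 365 mailbox will be suspended. Sign in now at
http://microsoft-login.example.com/verify to keep access.
"""

def assess_message(raw: bytes) -> dict:
    """Score a raw RFC 5322 message for the post's phishing red flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    combined = f"{msg.get('Subject', '')}\n{text}".lower()
    urgency_hits = [p for p in URGENCY_PATTERNS if re.search(p, combined)]
    lookalike_links = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_LOGIN_HOSTS:
            continue  # a link to the real provider is not a lure by itself
        if any(brand in url.lower() for brand in BRAND_WORDS):
            lookalike_links.append(host)  # brand name used, but not the real login host
    # A brand-impersonating login link weighs more than a single urgency phrase.
    score = len(urgency_hits) + 2 * len(lookalike_links)
    return {"urgency": urgency_hits, "lookalike_links": lookalike_links,
            "score": score, "suspicious": score >= 2}

if __name__ == "__main__":
    print(assess_message(SAMPLE))
```

A real deployment would draw the legitimate host list from the tenant's actual identity providers rather than a hard-coded set, and would treat the score as a triage hint for a human reviewer, not a verdict.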
Organizations should also ensure that software updates and security patches are regularly applied, so in the case of someone accidentally clicking a link, malware that relies on known vulnerabilities can’t operate.
I would personally point out that the attacker only needs to be right once, and has the advantage of time to find the weakest link in an enterprise. In contrast, the security defender must defend every point of attack in very complicated enterprise environments. We need to ensure everyone is doing basic, critical security hygiene, but we must also look to security products, augmented by advanced AI like deep learning, to keep up with the speed and volume of attacks. As Cyber-security experts, we ensure that the solutions we provide deliver accurate threat verdicts with high efficacy, and do not introduce more false positive alerts that require humans to devote precious time and attention to triage.
Stay tuned for another blog next week about the growing cyber threat called Ransomware, a type of malware that locks up a victim’s files and denies access to a computer system until money is paid with a digital currency that is hard to trace.