As a consultant, one of the biggest security problems I see is perception: The threats companies think they face are often vastly different than the threats that pose the greatest risk. For example, they hire me to deploy state-of-the-art public key infrastructure (PKI) or an enterprise-wide intrusion detection system when really what they need is better patching.
The fact is most companies face the same threats -- and should be doing their utmost to counteract those risks. Here are the five most common (and successful) types of cyber attack.
1. Socially engineered malware
Socially engineered malware, lately often led by data-encrypting ransomware, provides the No. 1 method of attack (not a buffer overflow, misconfiguration or advanced exploit). An end-user is somehow tricked into running a Trojan horse program, often from a website they trust and visit often. The otherwise innocent website is temporarily compromised to deliver malware instead of the normal website coding.
The maligned website tells the user to install some new piece of software in order to access the website, run fake antivirus software, or run some other “critical” piece of software that is unnecessary and malicious. The user is often instructed to click past any security warnings emanating from their browser or operating system and to disable any pesky defenses that might get in the way.
Sometimes the Trojan program pretends to do something legitimate and other times it fades away into the background to start doing its rogue actions. Socially engineered malware programs are responsible for hundreds of millions of successful hacks each year. Against those numbers, all other hacking types are just noise.
Countermeasure: Socially engineered malware programs are best handled through ongoing end-user education that covers today's threats (such as trusted websites prompting users to run surprise software). Enterprises can further protect themselves by not allowing users to surf the web or answer email using elevated credentials. An up-to-date anti-malware program is a necessary evil, but strong end-user education provides better bang for the buck.
2. Password phishing attacks
Coming a close second are password phishing attacks. Approximately 60 to 70 percent of email is spam, and much of that is phishing attacks looking to trick users out of their logon credentials. Fortunately, anti-spam vendors and services have made great strides, so most of us have reasonably clean inboxes. Nonetheless, I get several spam emails each day, and at least a few of them each week are darned good phishing replicas of legitimate emails.
I think of an effective phishing email as a corrupted work of art: Everything looks great; it even warns the reader not to fall for fraudulent emails. The only thing that gives it away is the rogue link asking for confidential information.
Countermeasure: The primary countermeasure to password phishing attacks is to have logons that can’t be given away. This means two-factor authentication (2FA), smartcards, biometrics and other out-of-band (e.g., phone call or SMS message) authentication methods. If you can enable something other than simple logon name/password combinations for your logons, and require only the stronger methods, then you’ve beaten the password-phishing game.
If you’re stuck with simple logon name/password combinations for one or more systems, make sure you use accurate-as-can-be anti-phishing products or services, and decrease the risk through better end-user education. I also love browsers that highlight the true domain name of a host in a URL string. That way windowsupdate.microsoft.com.malware.com, for example, is more obvious.
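The check a browser performs when it highlights the true domain can be reproduced in a mail or proxy filter. The following is an added example, not code from the original article; the trusted-domain list, the small suffix set and the `example.co.uk` URLs are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this demo.
# Production code should load the full list instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Assumption: domains your users are expected to log on to.
TRUSTED_DOMAINS = {"microsoft.com"}


def hostname(url):
    """Lower-cased host part of an absolute URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url):
    """Return the domain that was actually registered (what a browser highlights)."""
    labels = hostname(url).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    # Keep three labels when the last two form a known multi-label suffix.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' (trusted name buried in subdomains) or 'other'."""
    if registrable_domain(url) in trusted:
        return "trusted"
    padded = "." + hostname(url) + "."
    # A trusted domain used as subdomain labels of a host someone else owns.
    if any("." + name + "." in padded for name in trusted):
        return "lookalike"
    return "other"
```
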
3. Unpatched software
Coming in close behind socially engineered malware and phishing is software with (available but) unpatched vulnerabilities. The most common unpatched and exploited programs are browser add-in programs like Adobe Reader and other programs people often use to make surfing the web easier. It's been this way for many years now, but strangely, not a single company I've ever audited has ever had perfectly patched software. It’s usually not even close. I just don't get it.
Countermeasure: Stop what you're doing right now and make sure your patching is perfect. If you can't, make sure it's perfect around the most exploited products, whatever they happen to be in a given time period. Everyone knows that better patching is a great way to decrease risk. Become one of the few organizations that actually does it. Better yet, make sure that you’re 100 percent patched on the programs most likely to be exploited versus trying unsuccessfully to be fully patched on all software programs.
4. Social media threats
Our online world is a social world led by Facebook, Twitter, LinkedIn or their country-popular counterparts. Social media threats usually arrive as a rogue friend or application install request. If you’re unlucky enough to accept the request, you’re often giving up way more access to your social media account than you bargained for. Corporate hackers love exploiting corporate social media accounts for the embarrassment factor and to glean passwords that might be shared between the social media site and the corporate network. Many of today’s worst hacks started out as simple social media hacking. Don’t underestimate the potential.
Countermeasure: End-user education about social media threats is a must. Also make sure that your users know not to share their corporate passwords with any other foreign website. Here’s where using more sophisticated 2FA logons can also help. Lastly, make sure all social media users know how to report a hijacked social media account, on their own behalf, or someone else’s. Sometimes it is their friends who notice something is amiss first.
5. Advanced persistent threats
I know of only one major corporation that has not suffered a major compromise due to an advanced persistent threat (APT) stealing intellectual property. APTs usually gain a foothold using socially engineered Trojans or phishing attacks.
A very popular method is for APT attackers to send a specific phishing campaign -- known as spearphishing -- to multiple employee email addresses. The phishing email contains a Trojan attachment, which at least one employee is tricked into running. After the initial execution and first computer takeover, APT attackers can compromise an entire enterprise in a matter of hours. It's easy to accomplish, but a royal pain to clean up.
Countermeasure: Detecting and preventing an APT can be difficult, especially in the face of a determined adversary. All the previous advice applies, but you must also learn to understand the legitimate network traffic patterns in your network and alert on unexpected flows. An APT doesn't understand which computers normally talk to which other computers, but you do. Take the time now to start tracking your network flows and get a good handle on what traffic should be going from where to where. An APT will mess up and attempt to copy large amounts of data from a server to some other computer where that server does not normally communicate. When they do, you can catch them.
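The flow-baseline idea above can be sketched in a few lines. This is an added example, not code from the original article; the host names, byte counts and the 1 GB "bulk" threshold are constructed assumptions, and real input would come from NetFlow or firewall logs.

```python
from collections import defaultdict

# Constructed flow records: (source host, destination host, bytes transferred).
BASELINE_FLOWS = [
    ("fileserver01", "backup01", 4_000_000_000),
    ("fileserver01", "ws-114", 20_000_000),
    ("fileserver01", "ws-115", 35_000_000),
    ("ws-114", "mail01", 5_000_000),
    ("fileserver01", "backup01", 4_200_000_000),
]
TODAY_FLOWS = [
    ("fileserver01", "backup01", 4_100_000_000),  # known pair, normal backup
    ("fileserver01", "ws-231", 3_000_000),        # new peer, small transfer
    ("fileserver01", "ws-207", 9_500_000_000),    # new peer, bulk copy
    ("ws-114", "mail01", 6_000_000),              # known pair
]

BULK_BYTES = 1_000_000_000  # assumption: per-flow volume treated as "large"


def build_baseline(flows):
    """Map each source to the set of destinations it normally talks to."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        peers[src].add(dst)
    return peers


def unexpected_flows(baseline, flows, bulk_bytes=BULK_BYTES):
    """Return alerts for flows whose (source, destination) pair is not in the baseline.

    Severity is 'high' when the new peer also receives a bulk transfer,
    the pattern the article describes, and 'low' otherwise.
    """
    alerts = []
    for src, dst, nbytes in flows:
        if dst in baseline.get(src, set()):
            continue  # known pair; volume anomalies on known pairs are out of scope
        severity = "high" if nbytes >= bulk_bytes else "low"
        alerts.append((severity, src, dst, nbytes))
    # 'high' sorts before 'low', so the bulk copies come first.
    return sorted(alerts, key=lambda alert: alert[0])
```
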
Other popular attack types such as SQL injection, cross-site scripting, pass-the-hash and password guessing aren't seen nearly at the same high levels as the five listed here. Protect yourself against the top five threats and you'll go a long way to decreasing risk in your environment.
More than anything, I strongly encourage every enterprise to make sure its defenses and mitigations are aligned with the top threats. Don't be one of those companies that spends money on high-dollar, high-visibility projects while the bad guys continue to sneak in using routes that could have easily been blocked.
Lastly, avail yourself of a product or service that specializes in detecting APT-style attacks. These products or services either run on all your computers, like a host-based intrusion detection service, or collate your event logs looking for signs of maliciousness. Long gone are the days where you’ll have a hard time detecting APT. Myriad vendors have now filled the earlier void and are waiting to sell you protection.
Overall, figure out what your enterprise’s most likely threats will be and prepare for those the most. Too many companies waste resources concentrating on the wrong, less likely scenarios. Use their threat intelligence as compared to your environment’s makeup and vulnerabilities, and determine what you should be preparing for the most.