Today's onslaught of cyberattacks can be difficult to analyze, let alone to act on quickly enough to prevent data exfiltration. Larry Jaffee reports.
You receive an email that appears to come from your CEO: “wire $80,000 from this account immediately.”
Forensic analyses show that most cyberattacks begin with social-engineering trickery, as employees unwittingly leave their organizations open to severe damage. Adversaries harvest the names, titles and reporting lines they need from company websites and LinkedIn.
“We get five or six a week of those CEO or accounts payable schemes,” says Marshall Wolf, senior IT officer for Gigamon, a Santa Clara, Calif. networking company whose solutions are deployed across vertical markets, including at over 75 percent of the Fortune 100.
“It's not just malware, riskware and the constant barrage of known threat hackers from China and Russia; it's your own people potentially doing harm to your network without [their] knowledge,” Wolf says.
Timothy Ryan, principal of EY Fraud Investigation and Dispute Services and a former FBI agent, in early August tracked a massive intrusion in which the attacker used compromised credentials. Because no malware was involved, the attacker moved around the network unnoticed despite the security tooling deployed on it.
“These guys are learning to live off the land,” says Ryan, who suggests organizations educate employees to use “out-of-band communication,” such as picking up the phone or sending a text to a cellphone, to confirm that a colleague actually sent a suspicious-looking email, rather than replying electronically to what may be an attacker in disguise.
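The CEO-fraud lures described above share a few mechanical tells that a mail gateway or SOC script can check before a human ever picks up the phone: the display name belongs to an executive, but the sending address does not; the sender's domain is a lookalike of the corporate domain; or a Reply-To header quietly diverts the conversation elsewhere. The following Python is an added example written for this article, not code from Gigamon, EY or any vendor quoted here. The corporate domain, the executive directory and the sample messages are constructed for illustration; it is a heuristic that complements, rather than replaces, out-of-band verification.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed (constructed for this example): the company's real domain and a
# directory of executives whose names an attacker could harvest from the
# company website or LinkedIn.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",  # CEO
    "tom lee": "tom.lee@example.com",    # CFO
}


def _domain(address):
    """Lower-cased domain part of an e-mail address ('' if malformed)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_bec(raw_message):
    """Return the reasons a message looks like a CEO-fraud lure ([] if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    reasons = []

    # 1. Executive's display name on an address the directory does not know.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' but sender is {addr}, not {expected}")

    # 2. Sender domain one or two characters away from the real one.
    sender_domain = _domain(addr)
    if (sender_domain and sender_domain != CORPORATE_DOMAIN
            and _edit_distance(sender_domain, CORPORATE_DOMAIN) <= 2):
        reasons.append(f"sender domain {sender_domain} is a lookalike of {CORPORATE_DOMAIN}")

    # 3. Reply-To points somewhere other than the apparent sender.
    if reply_to and _domain(reply_to) != sender_domain:
        reasons.append(f"Reply-To {reply_to} diverts replies away from {addr}")

    return reasons


# Constructed sample messages (not real traffic).
LOOKALIKE_LURE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@examp1e.com
Subject: urgent wire

Wire $80,000 from this account immediately.
"""

REPLY_TO_LURE = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@mail-example.net
Subject: urgent wire

Wire $80,000 from this account immediately.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
Subject: board deck

Draft attached, comments welcome.
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", LOOKALIKE_LURE),
                          ("reply-to", REPLY_TO_LURE),
                          ("legitimate", LEGITIMATE)]:
        print(label, "->", check_bec(sample) or "no findings")
```

The second sample is the case a gateway without sender authentication misses: the From address is the real one (spoofed), so only the Reply-To divergence gives it away, which is exactly why the phone call Ryan recommends still matters.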
Phishing often is a prelude to something far more sinister. “After gaining access to an enterprise, I've seen adversaries then drop ransomware on servers, locking all the machines up,” says Ryan, who typically investigates “an unmitigated, unreported, unescalated smaller breach that led to a massive breach. In the vast majority of the cases, somebody in the company knew about it.”
Raj Samani, vice president and CTO for Intel Security, agrees that the current spate of ransomware attacks is “particularly nasty.” “Whereas small-to-medium sized companies were targeted, now it's vertical-specific,” he notes.
Ransomware takes less effort and delivers a quicker payoff for hackers than stealing data and selling it on the black market, notes Jeff Schilling, chief of operations and security for Richardson, Tex.-based cybersecurity firm Armor, which services 1,200 clients in 40 countries from five data centers.
Last spring Armor tracked ransomware actors going after servers running the JBoss Java application server, taking advantage of a vulnerability that very few users were patching. “Once they gained access to the application with privileges, they'd lock it up,” says Schilling, a retired colonel who until 2012 had been director of the U.S. Army's global security operations center under Cyber Command.