working at night

Security is no longer an afterthought but a major component to a business’s success. This means that chief information security officers need a spot at the executive table to ensure IT security plans align with business objectives.

The ramification of being connected to the internet is that we all inhabit a large ecosystem. Anything happening with one company now affects many others, ranging from direct business partners along with even the most remote organisation. When a breach occurs, often personally identifiable information is stolen, which cannot only be sold for identify fraud, but also for much more believable phishing attacks. The more information an attacker has about you, the more they can make that email look real, enticing you to click it.

Many techniques used today haven’t changed from a few years ago - they involve compromising weak passwords, phishing attacks and malware downloads from browsing infected websites or advertisement sites. However, we are increasingly seeing methods which enable the attackers to deliver their exploit more effectively and stealthier.

Everyone today uses some form of social media along with online dating sites. Because of this, attackers are shifting their entry points into users’ devices via social engineering and preying on human emotions. Social engineering concepts are the same, but the attack vector or surface has changed. Next are evasion techniques where the attacker conceals themselves. Because of this, just having traditional anti-virus is no longer enough.

Amongst new hacking techniques identified by cyber security experts, phishing attacks are most likely the number one way to gain unauthorised access to company networks. A phishing email will attach a piece of malware or a malicious link, and is created to look legitimate so users click the link.

Another technique is the drive-by attack where attackers compromise a website and install a malicious java script to redirect an unsuspecting user to another website containing malicious payload (malware) which then downloads to the user’s device in the background. In a targeted attack, the attackers may spend months researching websites that companies or industries will frequent and infect those websites.

The next technique used is malvertising, which is similar to drive-by attacks except the attacker will focus on infecting advertising sites. An attacker can infect one ad site which in turn could infect thousands of other websites.

Last but not least is the mobile attack. Many attacks against mobile devices follow the above techniques, but target the mobile device. Malware can also be delivered through SMS messages or through specific apps.

Once the attacker has successfully breached a network and is sitting on a user’s device, they then need to download more malware and tools to complete their mission. Usually the data they want is not on the workstations but on the servers and databases. The following are high-level steps an attacker will take when inside the network:

  1. They will download other tools and malware for further network compromise.
  2. They will map the network to find other servers to find the data they are looking for. They will also look for the active directory server which contains all the usernames and passwords. If they can crack that then they have keys to the kingdom.
  3. Once they find the data they will usually find a staging server to copy it. The ideal server for this will be one that is stable and has access to the internet.
  4. That data will slowly be sent back to the attackers’ servers which are often on a cloud server making it harder to block the source.
If the cybercriminals are inside the network for long, they will be able to obtain any type of information that is available. Most company data is stored electronically. The longer they are in the more of a chance they have in learning your business processes and data flow. An example of this is the Carbanak attack. In this attack, they tracked down the video surveillance cameras and recorded every last detail of the bank tellers’ process which they then mimicked to transfer money out through their own systems.

The usual entry point into the network is through users clicking on malicious links. Once the user device is compromised, the attackers will start moving around the network to find the data they are looking for. This is where network segmentation becomes extremely important. It helps reduce the impact of the breach since a company can isolate the breach to a specific location while not affecting the rest of the network. It allows for sensitive data to be zoned in a higher security area which will give the bad guys a tougher time to exfiltrate data. It’s important to remember you can’t protect and monitor everything within your networks. Networks are large and complex, so find the critical data, isolate it and put more granular focus on monitoring the avenues of approach to that data.

By Anthony Giandomenico, Senior Security Strategist, FortiGuard Labs, Fortinet