OpSec Security recently sat down with their very own Luge Pravda, Director of Global AntiFraud Sales. We discussed the current climate of online fraud – specifically cyber risks – and how to address the evolving threats that continue to beleaguer our most vital services provided by federal governments and multi-billion dollar companies.
OpSec Security: What is the top one or two cyber risks to companies right now?
Luge Pravda: Undoubtedly top of mind for both CISOs – and cyber journalists – is the increasing threat that a ransomware attack against organizations of all shapes and sizes will occur; it is a question of when, not if. 2021 has witnessed ransomware attacks against infrastructure, Colonial Pipeline, and the food supply chain, JB meatpacking. Ransomware can completely shut down an organization, with the knock-on effect to their customers. Consequently, many organizations are choosing to pay the demanded ransom to minimize day-to-day business disruption, at great cost to the business. As reported by DarkReading, “the average ransomware payment is up 82% in the first half of 2021, coming in at a record $570,000, according to a new report from Palo Alto Networks’ Unit 42.”
Unfortunately, many ransomware attacks start with a phishing attack targeting critical employees – a near costless exercise as phishing-as-a-service unfortunately becomes more accessible to those willing to venture into cybercrime.
OpSec Security: How do bad actors exploit the risk(s)? What techniques do they use?
Luge Pravda: Bad actors frequently target the weakest link in an organization’s security layers: the employees. As Work From Home rapidly became the pandemic norm, bad actors leveraged online security gaps and often poor personal cyber hygiene. Social engineering preys on emotions such as curiosity, fear, and greed, often with ‘urgent’ calls to action. This continues with the Return to Work, COVID vaccination mandates and the like, as bad actors take advantage of an ever-changing real-world and online workplace. As with these inbound spear phishing/business email compromise (“BEC”) attacks, consumer phishing relies on the same techniques to capture personal login data, to steal money or data, or very often to launch even more devastating attacks and scams against higher value targets.
Phishing persists – and is most certainly not going away anytime soon – because, unless our entire perception of trust fundamentally shifts and is supported by commensurate technology advances, it works. Plain and simple. Expect to see the popularization, growth, and eventual dominance of Zero Trust security models in the future, as a way of mitigating the weakest human link.
OpSec Security: How can organizations protect against the risk(s), both with technology and staff education?
Luge Pravda: Organizations will never be able to control human behavior, but they can impact what their staff see online and receive in their often bloated inboxes. Internal detection layers must be combined with external intelligence to limit what an employee sees, augmented by training to help staff recognize fraud should the cleverest, socially engineered examples slip through the cracks.
HR departments can play a crucial role, and it behooves organizations to recognize a multi-disciplinary approach is required. According to Human Resource Executive, “HR has a critical role to play in breaking this cycle. Unlike the role IT plays, where leaders are often focused on business-critical systems and the tech stack, HR leaders have a holistic view of the organization and the people and processes that power it. As such, HR is in a unique position to effect change. From developing and implementing company-wide training programs and formal collaborations with IT to revamping hiring and security policies, HR leaders can work proactively to help the organization prevent phishing, ransomware and other attacks.”
Even the most basic training – how to spot a phishing email by reviewing the URL and the sending email address – can make a difference. And maybe prevent a ransomware attack! As if to stress the point, Verizon recently pointed out in their 2021 Data Breach Investigations Report (DBIR) that “85 percent of breaches involved a human element, 36 percent involved phishing (11 percent more than the previous year), and 10 percent of breaches involved ransomware – double the rate of the previous year.”
OpSec Security: How do you see the risk(s) evolving in the coming years?
Luge Pravda: Bad actors will always adapt their techniques as they play cat-and-mouse with cybersecurity professionals, attempting to evade and bypass sophisticated email filters. Expect to see increasing use of hacked legitimate domains to bypass domain blocklists and obfuscate URLs. And beware ‘Email Thread Hijacking’: the use of stolen email body text, subject lines, and address books to reply to emails with messages containing malware, once the bad actor has stolen email network data, most likely from a previous phish using malware. Microsoft has reported at length on the prevalence of attacks using ‘open redirects’, a common marketing tool. But what if phishing attacks ditched the URL altogether, and redirected the potential victim to the old-fashioned phone, or coerced them to try to ‘guess’ the malicious URL through a variety of well-crafted hints? Yes, that is already happening.
Trying to stay one step ahead of the bad actor is a never-ending challenge. Organizations will need to adapt their technology stack in parallel with keeping their staff informed of the latest trends, in such a way that does not lead to cyber-training fatigue. A delicate balancing act.
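The two checks the training answer names (review the sending address and review the URL) and the ‘open redirect’ pattern from the last answer lend themselves to a small triage script. The following is an added example written for this page, not code from OpSec Security or the interviewee: it parses an RFC 5322 message with the Python standard library and reports defender-side indicators. The indicator names, the list of redirect-style query parameters, the urgency word list, the crude two-label domain comparison and both sample messages are the editor's assumptions, constructed for illustration.

```python
"""Phishing triage helper (constructed example, not the interviewee's tooling).

Applies the checks the interview describes to a raw email:
  1. display name claims a brand/domain that is not the sending domain
  2. Reply-To domain differs from From domain (common in BEC)
  3. links whose redirect-style query parameter carries an external URL
  4. 'urgent' call-to-action language in subject or body
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Query keys often used by redirect endpoints (assumed list, not exhaustive).
REDIRECT_KEYS = {"url", "redirect", "redirect_uri", "next", "target", "dest", "goto", "u"}
# Words the interview associates with 'urgent calls to action' (assumed list).
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "within 24 hours"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (assumption; real code uses the PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def redirect_target(url: str):
    """Return an external URL carried in a redirect-style query parameter, else None."""
    parsed = urlparse(url)
    outer = registrable_domain(parsed.hostname or "")
    for key, values in parse_qs(parsed.query).items():
        if key.lower() not in REDIRECT_KEYS:
            continue
        for value in values:  # parse_qs already percent-decodes the value
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                if registrable_domain(inner.hostname) != outer:
                    return value
    return None


def extract_text(msg) -> str:
    """Concatenate the decoded text of every leaf MIME part."""
    parts = [msg] if not msg.is_multipart() else [p for p in msg.walk() if not p.is_multipart()]
    chunks = []
    for part in parts:
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess_message(raw: str) -> list:
    """Return human-readable indicators; an empty list means no check fired."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # 1. Display name mentions a domain that is not the one actually sending.
    claimed = re.search(r"([a-z0-9-]+\.[a-z]{2,})", display.lower())
    if claimed and registrable_domain(claimed.group(1)) != registrable_domain(from_dom):
        findings.append(f"display name mentions {claimed.group(1)} but sender domain is {from_dom}")

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to:
        reply_dom = reply_to.rsplit("@", 1)[-1].lower()
        if registrable_domain(reply_dom) != registrable_domain(from_dom):
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. A link on a trusted-looking host that bounces to another domain.
    body = extract_text(msg)
    for url in URL_RE.findall(body):
        target = redirect_target(url)
        if target:
            findings.append(f"open-redirect style link: {urlparse(url).hostname} -> {urlparse(target).hostname}")

    # 4. Urgency language in subject or body.
    lowered = (msg.get("Subject", "") + "\n" + body).lower()
    hits = sorted(w for w in URGENCY_WORDS if w in lowered)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages; all domains are reserved example names.
SAMPLE_PHISH = """From: Payroll at example.com <notice@mail-example.net>
Reply-To: payroll-desk@example.org
Subject: Urgent: verify your account
Content-Type: text/plain

Your access will be suspended. Verify immediately:
https://trusted.example.com/redirect?url=https%3A%2F%2Flogin.example.net%2Fsso
"""

SAMPLE_BENIGN = """From: IT Helpdesk <helpdesk@example.com>
Subject: Monthly newsletter
Content-Type: text/plain

Read this month's tips: https://www.example.com/newsletter/2021-06
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, assess_message(sample) or ["no indicators"])
```

None of these checks is conclusive on its own, which is the point the interview makes about layering: they are cheap signals that belong in front of a human reviewer or a mail-gateway rule, and they are exactly the two things (sender address, URL) the training answer says staff should learn to look at.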