Evolution of threats and phishing
25 October 2019
Treating threats as though they’re human – three blips on the threat radar and what you can do about them
Ever more complex.
A landscape evolving at break-neck speed.
OK, let’s press pause on the hyperbolic arms race around cyber threats for just a moment.
Because the threats themselves aren’t really evolving. The threats we face today are no different from those we faced yesterday, last year, or a decade ago. Even a millennium ago.
After all, a threat must have agency and that agent is us.
The nature of the threat really is as old as homo sapiens. Technology may continue to innovate and disrupt, at a seemingly exponential pace. But from a human behaviour point-of-view, the song remains the same. Deceit, manipulation and coercion have simply become easier in a world ever more digitally connected and socially atomised.
It is our adaptation (or maladaptation) to the relentless disruption of the information age that leaves us so exposed to exploitation. And threat actors are quicker at leveraging the opportunities on that interface than we are at securing it. No wonder. That’s where they run their hustle and earn their keep. For us, securing it is just a chore.
So, to truly understand the evolving nature of threat actions, you need to follow the money.
Let’s pick out three golden threads of socio-techno evolution that offer threat actors promising returns, and us more than a little concern.
Turning a digital coin these days is almost like shaking the magical money tree. So it’s no surprise that an asset increasingly sought after isn’t our information. It’s our CPU and GPU cycles. The rise of cryptocurrencies like Ethereum and Monero (the latter deliberately designed to be mined on ordinary CPUs) has brought your users’ PCs and devices back into scope for host-based miners. Symantec reported a four-fold increase in cryptojacking events in 2019.
In particular, those with top-end computing platforms are much sought after by the cryptojacking community. It takes a lot of computing power to generate cryptocurrency, so roping in other people’s devices increases return without increasing expenditure: the victim pays the electricity bill and the hardware depreciation.
Simply phish the end-user and slip in the mining malware. The phish is only one delivery route, though: browser-based miners and compromised web servers do the same job without ever touching the endpoint’s disk. And it’s no surprise that those most targeted are creatives piled high with Macs. They often have the least defensive infrastructure and lowest staff awareness.
Worried? Make sure you’re working your SIEM to its full potential (you do have a SIEM?) and upskill your staff in identifying and reporting phishing attempts. In practice that means alerting on the things a miner cannot hide: sustained high CPU or GPU load on endpoints, and outbound connections to mining pools, which almost always speak the Stratum protocol over a handful of well-known ports.
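As an added example (not part of the original article, and not a product of The Security Company), here is the kind of SIEM-style detection the paragraph above calls for, in Python: it scores outbound-proxy log lines for mining-pool indicators and rolls them up per source host. The log format, the list of pool ports and the sample lines are all assumptions constructed for the example; tune them to what your own proxy or firewall actually emits.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of outbound-proxy log lines (not real traffic). Assumed format:
# <timestamp> <src_ip> <user> <method> <url or host:port> <status>
SAMPLE_LOG = """\
2019-10-25T09:01:12Z 10.0.4.21 jdoe GET http://intranet.example.local/home 200
2019-10-25T09:02:40Z 10.0.4.21 jdoe CONNECT stratum+tcp://pool.xmr-mining.example:4444 200
2019-10-25T09:03:05Z 10.0.4.37 asmith CONNECT api.github.com:443 200
2019-10-25T09:03:50Z 10.0.4.37 asmith CONNECT eu1.monero-pool.example:14444 200
2019-10-25T09:04:11Z 10.0.4.52 mwong GET https://www.liverpool-fc.example/fixtures 200
2019-10-25T09:05:00Z 10.0.4.52 mwong CONNECT ftp.example.org:21 200
"""

# Stratum is the wire protocol nearly every pool miner speaks; a browser or
# normal business application has no reason to ask the proxy for it.
STRATUM_SCHEME = re.compile(r"^stratum\+(tcp|ssl|tls)$", re.I)

# TCP ports commonly exposed by public mining pools (assumption: not exhaustive,
# tune to your environment and keep it out of the rule if it is too noisy).
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444, 14433, 45700}

# Low-confidence lexical hint in the destination hostname (will hit "liverpool").
POOL_WORDS = re.compile(r"(xmr|monero|mining|miner|pool)", re.I)


def split_target(target: str) -> Tuple[str, Optional[int], str]:
    """Return (hostname, port, scheme) for 'scheme://host:port/...' or bare 'host:port'."""
    if "://" in target:
        parts = urlsplit(target)
        return (parts.hostname or "", parts.port, parts.scheme)
    host, _, port = target.rpartition(":")
    return (host or target, int(port) if port.isdigit() else None, "")


def score_line(line: str) -> Optional[Dict]:
    """Score one log line; None means nothing mining-like was seen."""
    fields = line.split()
    if len(fields) != 6:
        return None                      # malformed or unexpected format, skip
    ts, src, user, method, target, _status = fields
    host, port, scheme = split_target(target)
    reasons, score = [], 0
    if STRATUM_SCHEME.match(scheme):
        reasons.append("stratum scheme"); score += 3      # high confidence on its own
    if port in POOL_PORTS and method.upper() == "CONNECT":
        reasons.append(f"pool port {port} via CONNECT"); score += 2
    if POOL_WORDS.search(host):
        reasons.append("pool-like hostname"); score += 1  # weak, only adds to others
    if not reasons:
        return None
    return {"ts": ts, "src": src, "user": user, "host": host,
            "port": port, "score": score, "reasons": reasons}


def analyse(log_text: str) -> List[Dict]:
    """All scored findings, in log order."""
    return [f for f in (score_line(l) for l in log_text.splitlines()) if f]


def hosts_to_investigate(findings: List[Dict], min_score: int = 3) -> Dict[str, int]:
    """Aggregate per source IP: one Stratum hit, or a pool port plus a hint, clears the bar;
    a lone lexical hit (the football site) does not."""
    totals: Dict[str, int] = defaultdict(int)
    for f in findings:
        totals[f["src"]] += f["score"]
    return {src: s for src, s in totals.items() if s >= min_score}


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f['src']:<10} {f['user']:<7} {f['host']}:{f['port']} score={f['score']} {f['reasons']}")
    print("investigate:", hosts_to_investigate(found))
```

The per-host roll-up is the important part: a single low-confidence hit is just noise, but a Stratum URI, or a pool port combined with a pool-looking hostname, is worth a ticket. Pair the network rule with an endpoint one on sustained CPU or GPU utilisation so that a miner using a non-standard port still surfaces.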
Easy monetisation is behind the switch to cryptojacking. It’s also behind the 50% rise in BEC (business email compromise) seen last year. Threat actors have racked up $26 billion for themselves this way over the last 3 years, according to the FBI.
What works so well for them here is their ability to play on simple human instincts – to help, to comply with authority, to gain a reward – without even needing malware deployment. Top of their targets are those with a deep and diverse supply chain, such as construction or manufacturing companies.
Mitigation in this case need not be hard. Training for high-risk users is vital, but so is bolstering your verification mechanisms: digitally signed email (especially with third-party suppliers), a second approver for any change to a payee’s bank details, or simply calling the person to ask, “Was this you?”. Make that call on a number you already hold, not one taken from the email itself.
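As an added example (again mine, not the article’s, and not a product of The Security Company), here is a small Python triage routine for the BEC pattern described above. It checks an inbound message for the classic tells: an executive’s display name on the wrong address, a lookalike sender domain, a Reply-To that diverts the conversation elsewhere, a message claiming to be from our own domain without a DMARC pass, and urgency combined with payment language. The organisation domain, the executive allow-list and both sample messages are constructed assumptions. It is a filter for what to verify out of band, not a replacement for the phone call.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import List

OUR_DOMAIN = "example.com"                             # assumption: the organisation's own mail domain
VIP_NAMES = {"alice reed": "alice.reed@example.com"}   # assumption: executives attackers impersonate
URGENCY = re.compile(r"\b(urgent|urgently|immediately|today|asap)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|bank details|invoice|payment|account)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from our domain is the lookalike sweet spot."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw: str) -> List[str]:
    """Return the BEC warning signs found in one raw RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw, policy=default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    flags: List[str] = []

    # 1. A known executive's display name on an address we do not associate with them.
    expected = VIP_NAMES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' on unexpected address {from_addr}")

    # 2. Lookalike domain: examp1e.com, exarnple.com and friends.
    if from_dom != OUR_DOMAIN and 0 < edit_distance(from_dom, OUR_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain {from_dom}")

    # 3. Replies silently routed to a different domain than the one displayed.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To {reply_addr} diverts replies away from {from_dom}")

    # 4. Claims to be us, but our own gateway did not record a DMARC pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_dom == OUR_DOMAIN and "dmarc=pass" not in auth:
        flags.append("claims our domain but no dmarc=pass in Authentication-Results")

    # 5. The social-engineering payload itself: hurry, and money. Weak alone, strong with the rest.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    if URGENCY.search(text) and MONEY.search(text):
        flags.append("urgency plus payment language")
    return flags


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: Alice Reed <alice.reed@examp1e.com>
Reply-To: alice.reed@secure-mailbox.example
To: bob@example.com
Subject: Urgent - updated supplier bank details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=pass header.from=examp1e.com
Content-Type: text/plain

Bob, please process the attached invoice today to the new account.
I am in meetings all day, so do not call, just confirm by email.
"""

LEGIT_SAMPLE = """\
From: Alice Reed <alice.reed@example.com>
To: bob@example.com
Subject: Minutes from Monday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Attached as promised. Alice
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, bec_indicators(sample))
```

Note that the BEC sample passes SPF and DMARC: the attacker registered the lookalike domain and set its records up properly, so authentication results alone would have waved it through. That is exactly why the page’s advice to pick up the phone matters; the heuristics only tell you which emails deserve the call.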
Coercion last year might have meant ransomware threats. But what’s trending ominously today is the heftier presence of the nation-state. They were involved in 23% of breaches according to this year’s Verizon DBIR. And although nation-state actors may not have you directly in their crosshairs, remember ‘collateral damage’ can include us all. Just ask Maersk, Merck or Mondelez.
One trend of real concern here is the re-emergence of IoT botnets. With their DDoS capabilities already proven, and the attack surface of IoT as wide and open as the prairies, the temptation for nation-state affiliates is obvious. The Internet of Things is a network without significant monitoring, and new variants of botnet malware come ready-equipped with powerful capabilities to disrupt.
Throw in the recent trend for nation-state temper tantrums, and the risk is obvious. How to tamp it down? Securing your IoT inventory is tricky (security is rarely designed in) but essential: know what is actually connected, segment it away from the corporate network, change the default credentials that botnets like Mirai feed on, and patch whatever can be patched. So, too, is staff awareness around the risks they themselves may bring in, when they’re procuring (and connecting) internet-enabled equipment.
Change is the only constant
So yes, the change is constant. The evolution of threats is ever more complex. And sometimes the speed can make you a little nauseous.
But a little forethought and awareness can go a long way to soothe.
And perhaps the ultimate mitigation strategy against the big bad world of threats is simpler: consider slowing things down a little.
See our Insights and Measurements page for more on how The Security Company can help you understand better your information security threats and risk landscape.