When two major security flaws located in the microprocessors driving most of the world’s computers became public earlier this year, it was big news. Those vulnerabilities—Spectre and Meltdown—could enable hackers to access the entire memories of most PCs, mobile devices, and servers in use. Although the specific techniques that cyber-adversaries deploy against their targets and the openings they take advantage of to do so are constantly evolving, the basic types of attacks that companies are likely to experience tend to remain the same.
Phishing, for example, remains one of the most common ways for bad actors to breach an organization’s security. More than a third of companies (76 percent) experienced phishing attacks in 2017, according to Wombat Security’s State of the Phish 2018. Nearly all respondents reported that such attacks were either increasing or staying the same. Early phishing attacks would simply ask the user for information. As companies educated users to refuse such requests, attackers upped their game. They started including malicious files as attachments for the user to open. Some then chose to send document files, which exploited vulnerabilities in systems’ software to install a malicious payload.
“These are all the same overall tactic—phishing—but with different specific techniques that allowed them to be successful,” observed Ryan Olson, director of Palo Alto Networks’ threat intelligence team. “This is a constant cat-and-mouse game. We adapt, and they adapt.”
While it is important for information security professionals to keep up with the tooling used by attackers, “it’s even more important to understand attack types to get an idea of the basic principles of the [malefactors’] methods to generalize your approaches to stopping them,” said Yonathan Klijnsma, a threat researcher with RiskIQ.
Five of the more common and, unfortunately, effective cyber-attack types are:
Phishing. Email is one of the main avenues for attackers to enter a network, and phishing attempts are just “getting better and better and better,” said Victor Danevich, vice president of worldwide field engineering for Infoblox. Phishing can take many forms—from fake emails sent from known email addresses, or a bogus call from IT support purporting to fix a computer problem, to a phony rebate offer from a known brand. “Exploiting a well-guarded server connected to the Internet is difficult, but tricking a user into opening a file or clicking a link is easy,” said Olson.
Email is a necessary tool for most organizations; it can’t be eliminated. Information-security leaders, instead, can ensure that users remain educated and up-to-date on this evolving approach and deploy technology to help safeguard them. Phishing can also take the form of “vishing” (via voice calls) or “smishing” (via text message). Users, therefore, should understand that email, phone, and text are—in essence—untrusted systems and be highly skeptical of unsolicited or unexpected messages or calls.
Credential Theft and Reuse. “Attackers love to steal passwords, as they grant them access to more systems and more information,” said Olson. What’s more, users are terrible at choosing, remembering, and defending their passwords. They use the same password repeatedly, they choose passwords that are easily guessed, and they can be reckless in providing their passwords to others.
“We need to give users tools to help keep them safe,” Olson explained. Information-security leaders can encourage the use of password managers that generate and securely store strong passwords. They may also employ multifactor authentication in as many places as possible to limit the utility of stolen passwords.
Web Services Exploits. These attacks on web services beyond an organization’s perimeter “change over time, depending on what is available in terms of exploits or what works against a victim’s specific setup,” said Danevich. SQL injection attacks are a popular way to exploit websites through SQL, the programming language they use to communicate with databases. Attackers take advantage of known vulnerabilities to run malicious code that causes the server to divulge information, which can be especially damaging when the server stores sensitive customer data, such as credit-card numbers, social security numbers, usernames, and passwords.
“Exploitation of third-party services, such as the Apache Struts framework [a software toolkit for creating Java-based web applications]—which can be hacked upstream to give attackers access to organizations’ web properties—will continue to be big,” predicted Klijnsma. “Often, these components are on organizations’ properties without their knowledge.” The Equifax breach is believed to have resulted from failure to patch a known Apache Struts vulnerability.
An intelligent security platform capable of delivering a real-time view of an organization’s Internet-exposed attack surface can enable information-security teams to uncover previously unknown assets and verify their security, said Klijnsma.
Water Holing. In a water hole attack, the adversary identifies specific websites that are frequently visited by a victim or a particular group and then infects those sites with malware. While this is a less common attack type, it can quickly spread among members of a targeted group. The Bad Rabbit campaign, which came to light in 2017 after it hit a number of high-profile Russian and Eastern European targets, was a typical watering hole attack. It employed several compromised sites to convince visitors to install a fake Flash installer, which then dropped malicious files as part of a targeted ransomware attack against corporate networks.
Business E-mail Compromise. BEC, as it’s known, is a hybrid of phishing and credential theft. It’s emerged as an enormous problem particularly for small to medium-sized businesses, said Olson. In the last five years, criminal groups have targeted companies and organizations in every U.S. state and more than 100 countries around the world, from non-profits and well-known corporations to churches and school systems, according to the FBI.
One common technique involves gaining access to a company’s network through a phishing attack and then gathering information on an organization’s vendors, billing systems, and the CEO or other corporate leader’s communications. At an opportune time (perhaps when the targeted executive is away), the fraudsters pen a phony e-mail from the CEO to a targeted employee in the finance office, requesting a wire transfer to a trusted vendor. However, the account numbers are slightly off, and the money is sent to an account controlled by the criminal group.
The best way to protect against BEC is to verify the authenticity of all transfer requests in person, suggests the FBI. Organizations can also put in place detection-system rules:
- Flag emails with extensions that are similar to the company’s own e-mail extension
- Create an e-mail rule to flag e-mail communications in which the “reply” e-mail address is different from the “from” e-mail address
- Color-code virtual correspondence, so emails from employees are a different color than those from external accounts
- Institute two-factor authentication for vendor payments
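
The first two rules above can be expressed as header checks. The following Python sketch is an added example, not code from the article or the FBI; the company domain, the edit-distance threshold and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "abc-company.example"  # assumption: the organization's mail domain

def address_of(header_value):
    """Lowercased bare address from a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message, company_domain=COMPANY_DOMAIN, max_distance=2):
    """Return the names of the rules a raw RFC 5322 message triggers."""
    msg = message_from_string(raw_message)
    sender = address_of(msg.get("From"))
    reply_to = address_of(msg.get("Reply-To"))
    sender_domain = sender.rpartition("@")[2]
    flags = []
    # Rule 1: sender domain is near, but not equal to, the company domain.
    if 0 < edit_distance(sender_domain, company_domain) <= max_distance:
        flags.append("lookalike-domain")
    # Rule 2: a Reply-To is present and differs from the visible From address.
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike": "From: Pat CEO <ceo@abc-conpany.example>\nSubject: Wire today\n\nPlease pay.",
    "reply_to": ("From: Pat CEO <ceo@abc-company.example>\n"
                 "Reply-To: ceo.office@mailbox.example\nSubject: Wire\n\nPlease pay."),
    "internal": "From: ap@abc-company.example\nReply-To: AP@abc-company.example\n\nInvoice.",
    "vendor": "From: billing@vendor.example\nSubject: Invoice\n\nAttached.",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, bec_flags(raw))
```

A distance threshold of 2 will over-match very short domains, so tune it against real mail before alerting on it.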