In today’s increasingly digital world, the threats that aim to disrupt your business and the business of your clients come from a variety of sources and malicious applications. Below are the five biggest cyber threats I have identified from my work on RelativityOne that could impact your business, along with how you can protect yourself from each.
1. Phishing
Phishing is arguably the most important threat vector to worry about. Your people are already inside your perimeter, behind your firewall, with access to your resources and protected assets. That is why phishing is the way most malware gets into organizations: the malware is downloaded because an internal user clicked a link or opened an attachment in a phishing email. Wombat Security has reported that 76 percent of businesses were the victim of a phishing attack within the last year, and the SANS Institute has reported that 95 percent of all attacks on enterprise networks are the result of successful spear phishing.
Training people to recognize a phishing email remains the best defense, but it is not a one-and-done exercise: training needs to be repeated several times a year, and you should phish your own people at regular intervals to spot-check their response and give constructive feedback. Verizon has reported that 30 percent of phishing messages get opened by the targeted users and that 12 percent of those users click the malicious attachment or link. Sophisticated phishing messages are designed to look real, which is why people are fooled into clicking, with devastating results. Training lowers the click rate but never drives it to zero, so pair it with controls that limit what a single click can do: multi-factor authentication on every external login, and filtering or sandboxing of attachments and links before they reach the inbox.
2. Crypto-currency mining
Cryptocurrency mining malware became a hot topic in 2018. Criminals have found a way to profit immediately from an intrusion without having to sell stolen information or extort money: they simply use your computing resources to mine coins. At the time of writing, the top three cryptocurrencies by market capitalization are Bitcoin (BTC), trading at over $7,000 USD each; Ethereum (ETH), trading at almost $300 USD each; and Ripple (XRP), trading at $0.34 USD each. Why Ripple? Because it is being used as a real-time gross settlement system that enables near-instant, direct transfer of money between two parties.
One might expect one of these to be the most mined cryptocurrency, but in fact the miners’ favorite is number 11 on the list: Monero (XMR), trading at just over $100 USD each. The reason is the ratio of value obtained to computation performed. Monero’s proof-of-work is designed to run efficiently on ordinary CPUs, so commodity servers and desktops mine it at a useful rate, and its transactions are difficult to trace, which gives an attacker a higher return on mining effort than other cryptocurrencies. Malware, often delivered through phishing, drops a Monero miner on victim computers. Whether in the cloud or on-premises, once the miner is loaded it begins hashing for the attacker’s pool account, and the pool pays the proceeds into the attacker’s wallet. The more of your computers they can infect, the bigger the payday. It is a direct payout for attackers who need do nothing further.
The first concern is that you lose resources you bought for a purpose, whether serving web pages, developing software or anything else that enables your business. More insidious is that you now have software under an attacker’s control on your network. They can add more malware, such as ransomware, Trojans or RATs, or anything else they like, at any time. The solution is the same as for any malware: a defense-in-depth strategy that finds and eliminates threats at as many levels of your architecture as possible, from firewalls at the perimeter down to host-based anti-virus and an EDR solution on the endpoint. Miners also have their own tells: sustained high CPU use by an unfamiliar process, and outbound connections to mining pools, typically over the stratum protocol, are both worth alerting on.
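As an added example (not code from the original article or from Relativity), the check below scans a process listing for the indicators a Monero miner leaves behind: a stratum pool URL or a Monero payout address on the command line, a known miner binary name, and sustained high CPU combined with an outbound connection to a pool-style port. The process records, the wallet string and the list of pool ports are constructed for the example; the port list in particular is an assumption to tune from your own egress data, not a fixed truth.

```python
import re
from dataclasses import dataclass, field

# Stratum is the pool protocol used by essentially all mining software, so a
# stratum URL on a command line is a strong signal. Monero addresses are base58:
# 95 characters starting with '4' (standard) or '8' (subaddress), or 106
# characters starting with '4' (integrated).
B58 = r"[1-9A-HJ-NP-Za-km-z]"
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+", re.IGNORECASE)
MONERO_ADDR_RE = re.compile(rf"(?<!{B58})[48]{B58}{{94}}(?:{B58}{{11}})?(?!{B58})")
MINER_BINARIES = ("xmrig", "xmr-stak", "minerd", "cpuminer")
# Ports pools commonly listen on: an assumption for this example and only a
# weak signal on its own.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
CPU_THRESHOLD = 85.0   # sustained percent of one core over the sample window


@dataclass
class Process:
    host: str
    pid: int
    cmdline: str
    cpu_pct: float
    conns: list = field(default_factory=list)   # [(remote_ip, remote_port), ...]


@dataclass
class Finding:
    host: str
    pid: int
    reasons: list


def miner_indicators(proc: Process) -> list:
    """Return the reasons this process looks like a miner (empty list if none)."""
    reasons = []
    argv = proc.cmdline.split()
    binary = argv[0].rsplit("/", 1)[-1].lower() if argv else ""
    if any(name in binary for name in MINER_BINARIES):
        reasons.append(f"known miner binary name: {binary}")
    m = STRATUM_RE.search(proc.cmdline)
    if m:
        reasons.append(f"stratum pool URL on command line: {m.group(0)}")
    if MONERO_ADDR_RE.search(proc.cmdline):
        reasons.append("Monero payout address on command line")
    pool_conns = [c for c in proc.conns if c[1] in POOL_PORTS]
    if proc.cpu_pct >= CPU_THRESHOLD and pool_conns:
        ip, port = pool_conns[0]
        reasons.append(f"{proc.cpu_pct:.0f}% CPU with outbound connection to pool-style port {ip}:{port}")
    return reasons


def scan(processes) -> list:
    findings = []
    for p in processes:
        reasons = miner_indicators(p)
        if reasons:
            findings.append(Finding(p.host, p.pid, reasons))
    return findings


# Constructed sample telemetry (not real data), shaped like an EDR or osquery
# process listing joined with the process's open sockets.
SAMPLE_WALLET = "4" + "AbCdEf123456789" * 6 + "AbCd"   # 95 base58 characters
SAMPLE_PROCESSES = [
    Process("web01", 1203, "/usr/sbin/nginx -g 'daemon off;'", 12.0, [("10.0.0.5", 443)]),
    # miner renamed to look like a kernel thread; the command line still gives it away
    Process("build02", 4421,
            f"/tmp/.x/kthreadd -o stratum+tcp://pool.example.net:4444 -u {SAMPLE_WALLET} -p x -k --donate-level 1",
            97.0, [("203.0.113.9", 4444)]),
    # legitimate compile job: high CPU but no pool traffic, must not be flagged
    Process("build02", 4430, "/usr/bin/gcc -O2 -c big.c", 99.0, []),
    # unrenamed miner driven by a config file, so no URL or wallet on the command line
    Process("dev03", 880, "/opt/xmrig/xmrig --config=/opt/xmrig/config.json", 95.0, [("198.51.100.7", 3333)]),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"{f.host} pid {f.pid}:")
        for r in f.reasons:
            print("   -", r)
```

The renamed binary on build02 is caught by three independent indicators and the config-driven miner on dev03 by two, while the compiler with 99% CPU raises nothing; each signal alone is weak, which is why the check reports every reason rather than a single boolean.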
3. Ransomware
Ransomware is malicious software (malware) that infects your machine and begins by quietly encrypting files. Once it has done its work, it presents you with a ransom note telling you that if you want to see your files again, you will have to pay. The price is quoted in a cryptocurrency, usually Bitcoin (BTC), and is typically charged per machine to decrypt your files. In most cases the attackers are willing to decrypt a few files for free to prove they can, and they have even taken to negotiating with companies who try to lower the extortion payment.
Paying the ransom is the wrong move unless you have no other option. If you pay, you are directly funding the crime and the criminals, which only encourages them to continue. Further, you are now on the list of people who pay when extorted, so you can almost guarantee you will be asked to pay again. The solution to ransomware is a well-defined and well-executed disaster recovery, backup and restore program. Back up your assets at regular intervals and test restore and recoverability frequently, because a backup you have never restored is a hope, not a plan. Keep at least one copy offline or on storage the production network cannot overwrite, since ransomware routinely encrypts or deletes any backup it can reach. If you can restore your organization from backup, why pay a ransom?
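The restore test is the part most programs skip, so here is an added example (my own illustration, not the article's or Relativity's tooling) of the smallest useful drill: back up a tree with a SHA-256 manifest, simulate the ransomware by overwriting every file and renaming it, restore from the backup, and verify the restored tree against the manifest. The directory layout, file contents and the `.locked` extension are constructed for the example; in production the vault would be offline or immutable storage rather than a sibling directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, vault: Path) -> dict:
    """Copy the tree into the vault and store a manifest beside it. The manifest
    is what lets you prove a restore is complete instead of merely 'looks fine'."""
    shutil.copytree(src, vault / "data")
    manifest = build_manifest(vault / "data")
    (vault / "MANIFEST.sha256").write_text(
        "\n".join(f"{digest}  {rel}" for rel, digest in manifest.items()) + "\n")
    return manifest


def restore(vault: Path, target: Path) -> None:
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(vault / "data", target)


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return every path that is missing, extra, or has different content than the manifest."""
    current = build_manifest(restored)
    return sorted(rel for rel in set(manifest) | set(current)
                  if manifest.get(rel) != current.get(rel))


def simulate_ransomware(root: Path) -> int:
    """Stand-in for encryption: overwrite each file with random bytes and rename it.
    Returns the number of files damaged."""
    files = [p for p in root.rglob("*") if p.is_file()]
    for p in files:
        p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
        p.rename(p.with_name(p.name + ".locked"))
    return len(files)


def restore_drill() -> dict:
    """Run backup -> attack -> restore -> verify in a scratch directory and report counts."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, vault, restored = tmp / "live", tmp / "vault", tmp / "restored"
        # constructed sample data
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "contract.txt").write_text("constructed sample document\n")
        (live / "db.sqlite").write_bytes(b"\x00" * 1024)

        manifest = backup(live, vault)
        damaged = simulate_ransomware(live)
        after_attack = verify_restore(manifest, live)       # everything should mismatch
        restore(vault, restored)
        after_restore = verify_restore(manifest, restored)  # nothing should mismatch
        return {
            "files": len(manifest),
            "damaged": damaged,
            "mismatch_after_attack": len(after_attack),
            "mismatch_after_restore": len(after_restore),
        }


if __name__ == "__main__":
    print(restore_drill())
```

Run this on a schedule against a real restore target and fail the job on any non-zero mismatch count; a drill that only checks that the backup job exited 0 tells you nothing about whether the data comes back.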
4. Nation state/APT actors
Nation-state actors, also known as advanced persistent threat (APT) actors, are a concern mainly for larger organizations. The primary reasons a nation-state would target your organization are to steal intellectual property, to influence political decisions, or to cause physical or monetary damage. These are often the “unknown unknowns” of threats: there are things you know, things you know you don’t know, and this third category, what you don’t know that you don’t know. These scare people more than anything else, and really they shouldn’t be at the very top of your list if you’re doing security the right way.
Honestly, a persistent actor who goes after something relentlessly will eventually get it. They try to do it quietly and covertly, but if that fails, a smash-and-grab will work just as well. Implementing a security program with a defense-in-depth strategy is your best defense. Hunting teams have uncovering unknown unknowns as part of their charter: no intruder can be an abnormality on your network and remain completely silent. New outbound destinations, connections that recur on a fixed schedule, and accounts or processes behaving differently from their peers are the kinds of signal a hunt looks for. It is your diligence that will let you find these threats sooner, minimize losses, and perhaps avoid the loss altogether.
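To make the hunting point concrete, here is an added example (my own, not the article's or Relativity's code) of one classic hunt: finding command-and-control beacons in connection logs. An implant checking in on a timer produces gaps between connections with a very low coefficient of variation (standard deviation divided by mean), while a person browsing or a busy shared service does not; requiring that only a few hosts talk to the destination removes scheduled polling of legitimate internal services. The log line format and all of the traffic below are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed one-flow-per-line format for the example; adapt the regex to your
# firewall or proxy export.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), int(m["bytes"])


def find_beacons(lines, min_events=6, max_cv=0.15, max_sources=2):
    """Flag (src, dst, dport) flows that recur at a near-constant interval to a
    destination that at most max_sources hosts talk to."""
    by_flow = defaultdict(list)
    sources_per_dst = defaultdict(set)
    for ts, src, dst, dport, nbytes in parse(lines):
        by_flow[(src, dst, dport)].append((ts, nbytes))
        sources_per_dst[dst].add(src)

    beacons = []
    for (src, dst, dport), events in by_flow.items():
        if len(events) < min_events or len(sources_per_dst[dst]) > max_sources:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({
                "src": src, "dst": dst, "dport": dport, "count": len(events),
                "interval_s": round(mean), "cv": round(cv, 3),
                "avg_bytes": round(statistics.mean([n for _, n in events])),
            })
    return beacons


# ---- constructed sample traffic (not real data) ----
_T0 = datetime(2018, 5, 1, 9, 0, 0)


def _flows(src, dst, dport, offsets_s, nbytes):
    return [f"{(_T0 + timedelta(seconds=o)).strftime('%Y-%m-%dT%H:%M:%S')}Z "
            f"src={src} dst={dst} dport={dport} bytes={nbytes}" for o in offsets_s]


SAMPLE_LOG = []
# implant on one workstation checking in every ~300 s with a few seconds of jitter
SAMPLE_LOG += _flows("10.1.4.22", "203.0.113.9", 443, [0, 302, 598, 901, 1199, 1503, 1798, 2102], 912)
# the same workstation browsing: bursts and idle gaps, large payloads
SAMPLE_LOG += _flows("10.1.4.22", "198.51.100.50", 443, [15, 55, 515, 535, 545, 1815, 1825, 2915], 48211)
# six hosts polling the internal portal on a timer: perfectly regular, but not rare
for i in range(30, 36):
    SAMPLE_LOG += _flows(f"10.1.4.{i}", "10.1.0.10", 443,
                         [i, 300 + i, 600 + i, 900 + i, 1200 + i, 1500 + i], 2048)

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(b)
```

Only the workstation-to-203.0.113.9 flow survives both filters; raising `max_sources` lets the six portal pollers through, which is the usual trade-off between a quiet hunt and one that surfaces every scheduled task in the enterprise.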
5. Insider threat
The final category in the top five is the insider threat. These broadly come in two flavors: the unintentional and the intentional. Most of your security policy and program focuses on preventing unintentional losses caused by your employees. It is the intentional criminal you have to hunt down. Why do employees become intentional threat actors? Many do it to steal property or information for personal gain or to benefit another organization or country. Most reported cases of insider threat to date (more than 80 percent) took place during working hours, were planned beforehand, and were motivated by financial gain. Revenge and genuine financial difficulties have not been shown to be the majority of motives in insider threat cases to date.
This is the hardest type of attacker to find, and it takes forensic examination of your network and assets to uncover. There are many things you can do to lessen the impact of an insider threat. Physical security of employee devices helps limit losses in insider cases, and a well-implemented asset management solution can keep lost or stolen devices from handing attackers valuable information. Preventing connections to insecure networks, particularly open wireless networks, is another measure against losses from unintentional insiders. Your best overall protection is still a fully developed and implemented security program. Remember, security isn’t a product or something you buy; it’s what you do every day.
Darian Lewis is the Lead Threat Intelligence Analyst in Relativity’s security group, Calder7. In his role, Darian leads a team in charge of assessing and responding to threats that could impact the security of Relativity’s SaaS product, RelativityOne.