If You Don’t Like This Minute's Newsworthy Cyberattack, Wait a Few: There Will Be Another One
In the last few days there has been no shortage of notable cyberattacks: the so-called Google Docs attack, the Gannett phishing attack, and just before that the Netflix/Dark Overlord supply chain attack. There are a bunch of lessons that can be drawn from these and from the many other newsworthy attacks that will no doubt come tomorrow and the day after and the day after that. But probably not the lessons you expect!
If you are a security professional who is tasked with protecting your organization and you are spending more than a few minutes (and not primarily for entertainment) studying these attacks, you are almost certainly wasting your time. This is for multiple reasons. For one, the attacks that garner significant publicity rarely do so because they are truly threatening to a large number of organizations. They garner wide publicity because they involve big-name companies, like Google or Netflix, or because they involve a large number of potentially breached records at that organization. Or they involve some deep and mysterious attack group, such as Dark Overlord. The more ominous sounding the better! Trying to learn how to improve your defenses from these stories is kind of like trying to deeply understand the news by reading certain magazines in the grocery checkout aisle.
Secondly, to say that these “newsworthy” attacks represent just the tip of the iceberg of active attacks greatly understates the number and variety of attacks that are active out there. Of course, no one really knows the actual number of attackers or attacker campaigns that are ongoing, or the number of victims being targeted at any moment, but let me provide some stats from the Mimecast email security service to give you a feel for how big the problem might be.
In the month of March 2017 alone, the Mimecast service blocked nearly 10M inbound and outbound emails because they included “known” malware samples, that is, malware for which a signature exists or which a simple static scan can detect. More notably, in the same month, other parts of the Mimecast email security service blocked more than 200K user clicks to malicious Web sites, or emails that carried “unknown” malware samples, that is, malware for which no signature yet exists. And finally, the service blocked, quarantined, or flagged 4M emails in March that contained no malware and no malicious URLs, but were likely attempts at impersonating or spoofing the sender for purposes such as getting a fraudulent wire transfer sent or a fraudulent invoice paid.
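To make the three categories in those figures concrete, here is an added illustration (not Mimecast's code and not from the original post) of how an email triage pipeline separates them: a signature layer that hashes attachments against a known-bad set, a URL layer that checks link hosts against a deny list, and an impersonation layer that flags a protected display name sent from a domain it never uses when the message talks about payments. The hash, host, protected-sender and sample emails are all constructed for the demo.

```python
import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample indicators for this illustration (not real malware or domains).
MALWARE_SAMPLE = b"constructed-sample-payload-for-demo"
KNOWN_MALWARE_SHA256 = {hashlib.sha256(MALWARE_SAMPLE).hexdigest()}
BLOCKED_URL_HOSTS = {"bad.example.net"}
# Protected display names and the only domain they legitimately send from (constructed).
PROTECTED_SENDERS = {"jane doe": "example.com"}
PAYMENT_KEYWORDS = ("wire transfer", "invoice", "payment")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Email:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_known_malware(email: Email) -> bool:
    """Layer 1: 'known' malware, reduced here to a SHA-256 signature match on attachments."""
    return any(hashlib.sha256(data).hexdigest() in KNOWN_MALWARE_SHA256
               for data in email.attachments.values())


def check_malicious_url(email: Email) -> bool:
    """Layer 2: URL protection, reduced here to a link-host deny list."""
    for url in URL_RE.findall(email.body):
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_URL_HOSTS:
            return True
    return False


def check_impersonation(email: Email) -> bool:
    """Layer 3: no malware, no bad URL, but a protected display name sent from the
    wrong domain together with payment language in the message."""
    expected = PROTECTED_SENDERS.get(email.sender_name.strip().lower())
    if expected is None or sender_domain(email.sender_addr) == expected:
        return False
    text = (email.subject + " " + email.body).lower()
    return any(keyword in text for keyword in PAYMENT_KEYWORDS)


def classify(email: Email) -> str:
    """Return the first matching category, ordered from cheapest check to most heuristic."""
    if check_known_malware(email):
        return "known_malware"
    if check_malicious_url(email):
        return "malicious_url"
    if check_impersonation(email):
        return "impersonation"
    return "clean"


# Constructed sample messages, one per category plus a benign one.
SAMPLES = [
    Email("Carol", "carol@partner.example", "Report", "See attached.",
          {"report.exe": MALWARE_SAMPLE}),
    Email("IT Helpdesk", "helpdesk@partner.example", "Reset",
          "Reset your password at https://bad.example.net/login today."),
    Email("Jane Doe", "jane.doe@webmail.example", "Urgent wire transfer",
          "Please process this wire transfer before noon and confirm."),
    Email("Bob Smith", "bob@partner.example", "Lunch",
          "Menu is at https://www.example.org/menu if you want to look."),
]


def triage_samples() -> list:
    """Classify every constructed sample; returns one label per message."""
    return [classify(email) for email in SAMPLES]


if __name__ == "__main__":
    for email, label in zip(SAMPLES, triage_samples()):
        print(f"{label:15} {email.sender_name} <{email.sender_addr}>: {email.subject}")
```

The ordering matters for both cost and clarity of the verdict: a signature hit is cheap and unambiguous, so it is checked first, while the impersonation heuristic is the most likely to need human review and is only consulted when the earlier layers have nothing to say.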
The lesson here is that if you are being run ragged trying to address the latest newsworthy attack just because that is what people are chattering about, you are potentially taking your eye off the threats that could do real damage to your organization.
What is the moral of this story? By all means, be entertained by these “newsworthy” stories, but don’t be distracted by them. Make sure you are spending your time and money on knowing your critical digital assets and systems, applying appropriate security controls and processes to them, training your people to be aware of threats, and helping your organization to stop panicking about what they just read in the news.