We should welcome the move by Obama’s administration to go after more funding – defending the nation from the growing threat of cyberattacks has to be a priority for any world government.
The focus on more money for improving private, public and international collaboration is particularly important. The threat we face, after all, is universal and international, like the Internet itself: a threat to private companies is a threat to the economy, and an attack on the public sector will impact the private sector. We should all hope his call is heard and acted on by Congress, too – cybersecurity of national infrastructure, and of the public and private sector, is too important to be a victim of partisan politics.
2016 is an election year, so the danger is that Obama’s successor is likely to want to just build a bigger wall around whatever needs protecting, and while that might be reassuring for voters, it’s a representation of how we’ve classically thought about the security of our assets. But, it’s 2016 and the wall, perimeter, LAN and the defences we used to rely on are all DOA today. The breaches we see every day show they are clearly not protecting us well enough. We need to see a strategy rethink. Many organizations are not updating their spending patterns for cybersecurity to fit with the modern threats they face – that can be very damaging.
If you needed a letter from the President to get budget prioritized for cybersecurity projects, chances are, you’re way behind the security curve and are likely going to be spending on remediation rather than protection.
Cybersecurity has become the issue of 2015 and 2016; there’s enough evidence out there that the government, large corporations and consumers have been dramatically hurt by hacks and cybercrime. The OPM, FBI, State Department and White House hacks, when combined with Sony, Target, Anthem and the many others, show us that cybercriminals are making significant progress against our best traditional defences.
If you’re only now waking up to the issues of cybercrime, cyber warfare and hacking because of Obama’s political promises, then it’s likely you’re already being badly burned both organizationally and personally. Even if you don’t know it yet.
The enormity of the threat should not be new to us, should it? We’re several decades on from the invention of the first technologies that gave us viruses, Trojans and polymorphic files. We’re coming up to the fifth anniversary of the ground-zero hack for enterprises through email – the RSA Security hack of 2011 – yet we’re still seeing our corporate and personal lives affected by cyber-nefariousness.
I’m constantly hearing from CISOs and IT Managers: “We’ve just updated our security ‘a couple of years ago’ so we’re doing just fine.” This is their defence for not changing strategy, asking their executives for additional budget or modernizing a security solution. And, this worries me – here’s why: First, because anything that ends in “doing just fine” usually means you’re not fine, or you’re about to find out the hard way. And, second, when you look at how advanced the cyber-threat landscape has become (and how quickly it moves), over the last two years, anything you added to your security stack a few months ago could already be out of date.
So, if it was a letter from the President you needed to motivate you to deliver up-to-date protection for your network, now you have one. There should be no more excuses. Get it done. It’s your civic and corporate duty. Modernizing your cybersecurity protections, updating your processes and educating your people is a necessity you cannot delay any longer. Unless, of course, you fancy being the next organization in the headlines or explaining a breach to your bosses.
Protecting yourself from cyber-attack used to be about technology. But I have heard it repeated time and time again this week at the industry’s annual go-to security event, RSA Conference in San Francisco, that this is not enough.
Sure, you need the right technology, but attacks can’t be completely repelled with technology alone. You need to turn your employees into a new line of defense – something we have often called your Human Firewall.
Why? Well, today it makes much more ‘economic’ sense if you are an attacker to go after people.
For years now, most organizations have invested heavily in perimeter defenses, and as time passes, the historic security loopholes or open doors in the products we rely on have been closed and the defenses toughened – making it a harder job for attackers to go after your network. Not impossible, but harder. Requiring more skill, effort, resources and persistence.
Meanwhile, at the same time, we have put more and more technology into the hands of our employees and connected them to the outside world in multiple ways: email, social media, cloud services, mobile. We actively encourage our people to connect with customers, colleagues, contacts and prospects. It’s a part of being a modern organization.
So, an attacker has a choice to make about what strategy to apply, and they are going to look for the path of least resistance – the ‘return on investment’ business case for attacks on people is just too compelling. Because people are, after all, “only human.” For all our great qualities, from a security perspective, we are fallible. Prone to being tricked, scammed or bamboozled. As Admiral Rogers of the NSA said this week at RSA about employees and their role in cyber security: “… every individual we have given access to a keyboard is a potential opportunity or a threat.”
And, right at the center of all this sits email. Behind every email address is a person. Guaranteed. Sending an email costs next to nothing. Sending thousands of emails costs next to nothing. And if you invest a little time in social engineering to improve the targeting of your attack – just a few minutes on LinkedIn should do it – research suggests you are almost guaranteed to get a hit.
So, if you are an attacker what do you do? Buy hacking toolkits, invest in people resources, get heavy duty computing power, persistently attack a target over days, weeks or even months or find the CFO or CEO’s assistant’s name, fake an email address to look like their boss and then start an email dialogue?
Spear-phishing in its various guises, and specifically now CEO Fraud or whaling attacks, are the new frontline we need to defend. And, defense requires new technology, employee security training and culture change.
That’s why our Targeted Threat Protection service combines comprehensive technology protection with user awareness capabilities. You need to do both to effectively protect against attacks using malicious URLs, weaponized attachments and now non-malware emails used for whaling. With Mimecast, when you click on a malicious link we don’t just scan it, we tell you what we are doing so the employee sees the risk they are potentially putting the organization under and learns for next time. Receive an email that looks like it comes from the CEO, but in fact is from a spoofed domain name (even if it looks like your own) - we make that clear to the employee with an alert. And, receive an attachment – we convert it to a safe format before delivering it to you so any potential malicious payload is disabled and we explain why.
In recent months we have seen a growth in a new form of targeted attack in email specifically aimed at defrauding CEOs and CFOs, and duping their teams into wiring cash to cyber-criminals and hackers. These Business Email Compromise (BEC) or so-called ‘whaling’ or ‘CEO fraud’ emails are becoming widespread, impacting organizations of all sizes.
The criminals are not stealing petty cash either - this can be a multi-million dollar fraud. Just ask aerospace component manufacturer FACC, which admitted a massive fraud of $55 million in January. The FBI’s Internet Crime Complaint Center (IC3) reported in August last year that attacks were growing – an increase of 270% in victims since the beginning of the year. They reported complaints from over 8000 victims globally representing a potential loss of nearly $800m. They estimate that when you add in cases reported by international law enforcement agencies the total is over $1.2 billion. The FT then went on to report that losses in the last six months were accelerating and another $800m had been reported stolen.
The crime isn’t limited to the U.S. either of course. The 2015 official Crime Survey of England and Wales included ‘CEO fraud’ (or whaling) for the first time with over 5.1m cases. Now these frauds do also include attacks on credit cards or over the phone but online is only set to grow as the favored, and largely anonymous and hard to police, attack of choice.
In fact, Mimecast’s own research in December showed that 55% of the respondents of the 442-company survey had seen an increase in whaling attacks in just the last three months of 2015.
And this fraud is not just grabbing press headlines. World governments are prioritizing tackling it. In the last week alone the British Government has announced a new multi-agency fraud taskforce to look at this and other fraud attacks.
But success here is not just about law enforcement and email security.
New technical defenses are needed and there is a significant education effort to do. Whaling is just another form of targeted email attacks. Highly targeted but still designed to exploit your greatest security weakness – your people.
So, how does it work? Disturbingly simple, really. An email is sent to a target individual (often with a spoofed or similar sounding domain name) pretending to come from the CEO or CFO and usually to someone in the finance team asking them to make a wire transfer. The emails will be very convincing and use relevant information gained through extensive research of the target. They are the product of considerable effort – they will look right, they will sound right, and they will be carefully targeted and tailored. And ultimately they rely on our obedience to hierarchy, particularly our discomfort challenging our bosses and perhaps most disgustingly, our inherent desire to help others. Cyber-criminals will often place a telephone call to their victim too, for added authenticity and persuasion.
Research from Verizon’s Data Breach Investigations Report in 2015 tells us that a traditional phishing email attack will dupe 23% of people who receive it and 11% of those will go on to open a link or attachment. A concerted ‘campaign’ of attack emails will be even more successful – 10 emails will have a 90% chance of hooking at least one victim. These numbers show us that any social engineering-based attack using email is likely to be successful.
And remember, these figures are for attacks that are not highly targeted at an individual employee. So it is safe to assume the hit rate for a highly targeted email purporting to come from the CEO is going to be much more successful – and potentially damaging.
So, what can you do about it? We have written about this in more detail before here but in summary:
Technology can help – we announced a new capability this week for Mimecast Targeted Threat Protection called Impersonation Protect that gives you protection against whaling attacks and you can find out more here. You can also use email stationery that marks external email to make it obvious to the recipient that the email originated from the outside world. Register all the domains you can, across the available top-level domains (TLDs), that are identical or ‘near’ in name to your own, to make it harder to spoof you. Subscribe to domain registration monitoring services so you get an alert when someone is creating a domain that might resemble yours.
Education is key – remember this is largely an attack on people not technology. So educate senior management, or those perceived to be ‘at risk’ (finance, HR, IT) about this specific attack. Help them to recognize its characteristics. Review your finance standard operating procedures to take into account this new type of attack. Then test your team. Conduct regular fake attacks to learn from your mistakes.
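The two sender patterns described above, an executive’s display name on an outside address and a spoofed or ‘near’ look-alike domain, can be checked at the mail gateway before a finance user ever sees the message. This is an added example, not Mimecast’s Impersonation Protect or any Mimecast code; the protected domain, the executive names, the confusable-character list and the sample From: headers are all assumptions constructed for the demonstration.

```python
from email.utils import parseaddr
import unicodedata

ORG_DOMAIN = "example-corp.com"           # assumption: the domain being protected
EXECUTIVES = {"jane doe", "john smith"}   # assumption: display names worth protecting
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]  # illustrative swaps

def normalize_label(label: str) -> str:
    """Fold a domain label to a canonical form so look-alikes compare equal."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = folded.lower().replace("-", "").replace("_", "")
    for lookalike, original in CONFUSABLES:
        folded = folded.replace(lookalike, original)
    return folded

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as transposed letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str):
    """Return (verdict, reasons) for one From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        return "internal", []          # exact-domain spoofing is left to SPF/DKIM/DMARC checks
    reasons = []
    if name.strip().lower() in EXECUTIVES:
        reasons.append("executive display name on an external address")
    org_label = normalize_label(ORG_DOMAIN.split(".")[0])
    sender_label = normalize_label(domain.split(".")[0])
    if sender_label == org_label:
        reasons.append("look-alike domain (confusable characters or swapped TLD)")
    elif edit_distance(sender_label, org_label) <= 2:   # threshold; tighten for short domains
        reasons.append("domain within edit distance 2 of our own")
    return ("suspicious" if reasons else "external"), reasons

# Constructed sample From: headers, not real mail.
SAMPLES = [
    '"Jane Doe" <jane.doe@example-corp.com>',
    '"Jane Doe" <jane.doe@webmail.example>',
    '"Accounts Payable" <ap@exarnple-corp.com>',
    '"Jane Doe" <jane@example-corp.co>',
    '"Billing" <billing@widgets.example>',
]
```

A gateway would feed the verdict into the external-mail stationery or alert described above rather than silently dropping the message, so the employee learns what was flagged and why.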
The incidence of these attacks is only set to grow. They are relatively easy for the criminals to conduct. They are hard to protect against just using traditional security technologies. They work and the pay day is very tempting.
It doesn’t matter how experienced or senior you are – you are still likely to fall for a well-crafted targeted attack. So assume you and your team will be duped, and plan accordingly.
Just before Christmas, half of the residents of the Ukrainian Ivano-Frankivsk region were left without electricity for hours.
According to the Ukrainian news media outlet TSN, the cause of the blackout was a “hacker attack” utilizing a “virus” to compromise email security across the network. Cybersecurity researchers at ESET believe it to be the first-known instance of power stations being disabled by hackers.
It later emerged that attackers used the BlackEnergy malware with a modification to include an SSH backdoor to plant the destructive KillDisk component onto the targeted computers to make them unbootable.
The attack began with a spear-phishing email, styled as ordinary business correspondence, carrying a weaponized attachment whose VBA macro downloads a malicious payload to the victim’s computer. The Ukrainian security company CyS Centrum have published screenshots of the spear-phishing emails used in BlackEnergy campaigns, where the attackers spoofed the sender address to appear to be one belonging to Rada (the Ukrainian parliament). The document itself contains social engineering that tries to convince the victim to run the macro in the document. This attack is an example of a malware-less attack that relies on social engineering to trick the user into compromising themselves, instead of a spear-phishing URL or classic email attachment malware. When the victims are tricked into opening the attachment and enabling the macros, they end up infected with the BlackEnergy Lite trojan.
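Because the attachment in this campaign carries no malware of its own, only a macro that fetches the payload, a signature scan has little to find; inspecting the document container for an embedded VBA project is the check that does. The example below is added here and is not code from Mimecast, ESET or CyS Centrum; the file names, the policy strings and the minimal OOXML container are constructed for the demonstration.

```python
import io
import zipfile

# Extensions that legitimately announce macros; anything else carrying VBA is hiding it.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}

def ooxml_has_vba(data: bytes) -> bool:
    """True if a zip-based Office (OOXML) file carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False   # not OOXML; legacy OLE .doc files need an OLE parser instead

def attachment_verdict(filename: str, data: bytes) -> str:
    """Policy decision for one attachment: allow, quarantine or block."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if not ooxml_has_vba(data):
        return "allow"
    if ext in MACRO_EXTENSIONS:
        return "quarantine: macro-enabled document, hold for review"
    return "block: VBA project hidden behind a non-macro extension"

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, payload in [("invoice.docx", build_sample(False)),
                          ("invoice.docm", build_sample(True)),
                          ("invoice.docx", build_sample(True))]:
        print(name, "->", attachment_verdict(name, payload))
```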
Destructive malware is not new – the BlackEnergy Trojan was developed in 2007. However, cyber criminals can take a piece of destructive code and easily introduce it into BlackEnergy and mutate it. The new malicious code could then be tailored to theoretically control pipelines, water purification systems, power generators and other Internet connected critical infrastructure. In short, it could be catastrophic for utilities and organizations that own a significant, so called, Internet of Things estate of devices.
The risk to public sector services due to ‘normal’ or maliciously-induced downtime is something I highlighted in this blog last year.
I firmly believe this attack will be remembered as a seminal event in the world of cyber security – it’s a publicly recognized and successful attack on a critical public infrastructure service. We’re sure to see more of this type of attack in the future. The Achilles heel for organizations affected by these hacks seems to be email and weaponized email attachments each time. It’s time for both the private and public sector to recognize the threat of these weaponized attachments appearing in both small and large file emails and take necessary steps to protect companies and critical public services before the lights go out or the tap runs dry (again).
If you’d like more information about how you can protect your organization, you can read more on our site here.