December 6, 2016

The end of a year is often a time of reflection, as organizations focus on what they might do differently in the year to come, how they might position themselves against their competitors, and how to up their game. As organizations think through their cybersecurity strategy for the coming year, the challenge they face is how to plan for success.
This past year we've seen cybercriminals continue to become more sophisticated and insidious, constantly revising, updating and re-inventing their tactics and technologies to launch attacks. We've seen our share of DDoS attacks, key political figures' emails hacked, and ransomware attacks. Recently, cybercriminals targeted the San Francisco Municipal Transportation Agency with a ransomware attack. Free rides for all! And that wasn't San Francisco offering an early holiday gift to locals.
Knowing that 100 percent protection against today's cyber threats is not realistic, cyber resilience becomes the name of the game. A cyber resilience strategy that layers state-of-the-art preventative systems, point-in-time recovery measures, and a means to maintain continuity during an attack can make a significant difference in fending off the myriad of sophisticated threats. We can't predict every attack that is coming, but we can build in cyber resilience and learn from what we have already seen.
Although we may not know all the answers about what's to come, based on what we've seen over the year, here are a few attacks that we at Mimecast think will rise in 2017:
- The Rise of Cyber Gangs - The past year has been rampant with attacks, and it's only going to get worse, not just in the number of attacks but in their sophistication. Attackers have been getting smarter, their data-gathering techniques more refined, and they are becoming more organized. In 2017, we'll likely see larger groups of attackers, along with networks for trading the information they have stolen. These groups will also likely clash: as virtual gangs grow, gain resources and fight over territory in the digital landscape, we'll see attackers going after each other. Everyone needs to protect against these threats by taking a layered approach and ensuring a proper cyber resilience strategy is in place. But that can be out of reach for many organizations, which are always strapped for resources and budget and then face the burden of managing those layers. Hence the massive shift toward cloud security strategies, where advanced security capabilities that would be impractical to build on premises can be consumed as a service.
- Ransomware Continues to Evolve, but Don't Take Your Eye Off Other Threats - Ransomware will explode to become one of the biggest threats, fuelled by smaller 'opportunist' attackers using off-the-shelf kits to deploy malware. It is an easy and cheap attack method that produces fruitful results. Few organizations have effective defenses against this type of malware, and now that bitcoin lets perpetrators put even more distance between themselves and their victims, it has never been so easy to get away with it. In the coming year we should also expect more crypto-lockers and evolving forms of ransomware that deny access to desktops, network drives and cloud services. And just as you focus your attention on ransomware, you can't be caught off guard by adversaries impersonating the CEO to have thousands of dollars transferred to an offshore account, or by basic phishing attacks that trick employees into launching attacks on your organization from the inside.
- Focus on Data Mining - One theme that is still overlooked is that it's not just about wire transfers. Attackers aren't focused only on money; they are mining data, and will use what they gather either to sell on the Dark Web or to fuel more advanced attacks later. (Remember the W-2 fraud uptick earlier this year? We're heading into tax season and can expect to see it again.) While wire transfer fraud is and will remain an issue, organizations also need to think about where else they are susceptible and ensure the appropriate protective measures are in place. Backups are essential, but the evolution of ransomware is staggering, and organizations need to ensure their gateway, firewall, endpoint and other security solutions are consistently up to date.
- Cyber Espionage to Cause More Political Disruption - Nation states and their sponsored operatives will use cyber espionage more and more to cause political shifts and disruption and to gain economic advantage. This will involve, but will not be limited to, email hacking and disclosure of other forms of intercepted private communications, and disruption of and interference with critical national infrastructure (a Stuxnet 2).
- Reining in Data Residency and Governance - The impending GDPR will focus European organizations on improving their security and privacy programs significantly in 2017. At the same time, increased state-sponsored attacks will lead to more stringent rules around data residency and governance, with state firewalls being considered to mitigate threats and allow regional business activity to continue. Managing internet traffic differently across geographies may also become a focus as the global trade landscape changes.
- Impersonation Attacks in the Spotlight - 2016 has been the year of ransomware, and it's no secret that social engineering attacks like phishing, spear-phishing and domain spoofing have grown from a nuisance into a huge problem. One of the less publicized problems, however, is impersonation. Whaling attacks, in which an attacker poses as a senior executive to trick staff into making payments or releasing data, can cost organizations millions in financial losses. In fact, according to the U.S. Federal Bureau of Investigation, such attacks led to more than $2.3 billion in losses over the last three years. We expect whaling to be the next "it" attack flooding the media.
- Macro Malware Still in the Game - Once thought of as a thing of the past, macro malware has reared its ugly head again among the attack methods cybercriminals use. While most organizations block executable attachments at the gateway by default, they must still allow files such as Microsoft Office documents to pass freely if employees are to be productive. Attackers exploit this by weaponizing files in these common formats. In our own research, 50% of firms said they had seen email attacks using macros in attachments increase over the last year. Why? It's a simple tactic with little proactive AV detection, and that's why we'll continue to see waves of macro malware into next year and beyond.
Taking the time to reflect on all the ups and downs we've seen in cybersecurity over the last year offered me greater clarity into what we may expect to see in 2017. Stay safe this holiday season, as it's unlikely that attackers will all be taking the holidays off...
What do you think the New Year may bring? Voice your comments below.
What often impacts more than 100,000 computers a day, and can cost you thousands of dollars in remediation, downtime, and cleanup cost? Ransomware.
In a ransomware attack, you are literally held hostage and denied access to critical productivity tools and data like file servers, email, databases and more.
How’s an organization supposed to cope? Start with protecting the most prevalent ransomware delivery system - your email. Download this infographic to learn about the only cloud solution that combines prevention, business continuity and replication for email in a single solution.
Don’t wait. Protect your organization from ransomware now.
In a brief warning alert last week, US-CERT urged individuals and organizations to proactively secure systems against an increase in malware spread via macros. Mimecast is today offering new guidance to help organizations combat this threat.
Our own research also points to a resurgence in this attack technique. We found that:
- 50% of firms have seen email attacks that use macros in attachments increase
- 44% saw increase in attacks with social engineering asking users to enable macros
- 67% are not confident employees would spot this combined attack
These findings came from a recent Mimecast security survey of 436 IT experts at organizations in the US, UK, South Africa and Australia in March 2016.
While most organizations choose to block executable attachments at the gateway by default, they must still allow files such as Microsoft Office documents to pass freely if employees are to be productive. Attackers exploit this by weaponizing files in these common formats.
Here’s a recent targeted attack email we saw containing a weaponized attachment:
Mimecast Email Security Guide to Stop Malicious Macros
Here are five recommendations to help you stop weaponized attachments and macro-enabled malware:
- Ensure macros are not enabled by default across your Microsoft Office application estate, and that 'Protected View' is enabled at all times. Bear in mind that Protected View only helps if users do not click 'Enable Editing' and then 'Enable Content', which is exactly what the lure text in these documents asks them to do; on Office 2016 the Group Policy setting 'Block macros from running in Office files from the Internet' enforces the block for attachments carrying the mark-of-the-web, regardless of what the user clicks
- Consider disabling macros and VBA code in all but the applications with a documented business need for them
- Ensure all email attachments are sandboxed by an appropriately advanced email security gateway. Remember that a signature-based gateway without sandboxing cannot reliably flag a malicious macro: the macro is usually a small, easily re-obfuscated downloader rather than the final payload, so there is little for a signature to match
- Consider a secure email gateway that offers the capability to neutralize weaponized attachments, or to strip active code from all inbound Office documents
- Train and educate end users about the changing nature of threats in email. Ensure they understand the risks presented to their inboxes and how to handle unexpected email and attachments, and that they can recognize the attacker's tactics and simple social engineering attacks
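To make the third and fourth recommendations concrete, here is an added example (not Mimecast's code, and not how any particular gateway implements this) of the two gateway-side checks: classifying an attachment by container type and rebuilding an OOXML package without its VBA project. It uses only the Python standard library; the minimal .docm it operates on is constructed in memory, and the Open XML content-type and relationship namespaces are the real ones. Legacy binary .doc/.xls files are only flagged for sandboxing, since stripping VBA from an OLE container needs a proper OLE parser.

```python
"""Classify Office attachments and strip VBA macros from OOXML packages.

Added example, not Mimecast's code. Standard library only; the sample
.docm is constructed in memory so the script runs offline.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt container
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Macro-enabled main-part content types and their macro-free equivalents, so
# the stripped package is recognised as an ordinary .docx/.xlsx/.pptx.
MAIN_PART_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}


def _is_vba_part(name):
    """vbaProject.bin holds the compiled VBA; vbaData.xml is its sidecar."""
    low = name.lower()
    return "vbaproject" in low or "vbadata" in low


def classify_attachment(data):
    """Return 'ole-legacy', 'ooxml-macro', 'ooxml-clean' or 'other'."""
    if data.startswith(OLE_MAGIC):
        # Binary formats keep VBA in OLE streams; not parsed here, so sandbox them.
        return "ole-legacy"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "other"
    if "[content_types].xml" not in names:
        return "other"
    return "ooxml-macro" if any(_is_vba_part(n) for n in names) else "ooxml-clean"


def _serialize(root, default_ns):
    ET.register_namespace("", default_ns)  # keep Office's default-namespace form
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def _rewrite_content_types(blob):
    root = ET.fromstring(blob)
    for el in list(root):
        if el.tag != "{%s}Override" % CT_NS:
            continue
        if _is_vba_part(el.get("PartName", "")):
            root.remove(el)  # no part left, so drop its declaration
        elif el.get("ContentType") in MAIN_PART_TYPES:
            el.set("ContentType", MAIN_PART_TYPES[el.get("ContentType")])
    return _serialize(root, CT_NS)


def _rewrite_rels(blob):
    root = ET.fromstring(blob)
    for el in list(root):
        if el.tag == "{%s}Relationship" % REL_NS and _is_vba_part(el.get("Target", "")):
            root.remove(el)  # a dangling relationship would trigger Office's repair prompt
    return _serialize(root, REL_NS)


def strip_macros(data):
    """Rebuild an OOXML package without its VBA project and every reference to it."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if _is_vba_part(name):
                continue
            blob = src.read(name)
            if name == "[Content_Types].xml":
                blob = _rewrite_content_types(blob)
            elif name.endswith(".rels"):
                blob = _rewrite_rels(blob)
            dst.writestr(name, blob)
    return out.getvalue()


def read_part(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_sample_docm():
    """Constructed minimal macro-enabled Word package (not a real attachment)."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="%s">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
          '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          '</Types>' % CT_NS)
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '</Relationships>' % REL_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/styles.xml", "<styles/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b" placeholder VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm()
    print("before:", classify_attachment(sample))
    cleaned = strip_macros(sample)
    print("after: ", classify_attachment(cleaned), sorted(zipfile.ZipFile(io.BytesIO(cleaned)).namelist()))
```

The rewrite of the main part's content type is what turns a .docm into something Office opens as a plain .docx; removing vbaProject.bin alone leaves a package that Office reports as corrupt. Anything classified as 'ole-legacy' or 'other' should go to the sandbox rather than be passed through.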
You can see more examples in my recent security advisory on macro threats.
Cyber insurance uptake is growing quickly, but a lack of employee training on the latest email attacks is leaving organizations at great risk of breaching policy terms. These new social-engineering and impersonation attacks could leave firms of all sizes bearing the full financial brunt of a crime.
Waves of high-profile breaches and new breach notification legislation are setting the scene for huge growth in cyber insurance take-up. But while insurers often pay for clean-up fees after a breach, it is important that organizations check whether their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account.
Whaling (CEO fraud) attacks have been growing rapidly in volume and in scale. Mimecast revealed in April that 67% of firms have seen an increase. Then only last month, Austrian aerospace manufacturer FACC sacked its CEO after his apparent mistakes led to the firm being defrauded out of €50 million ($55.8m) in a whaling attack.
Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered. For example, how would an insurer decide compensation if a set of W-2 tax forms were stolen compared to the secret plans for a new and theoretical product? What about hacks that compromise the integrity of data rather than stealing it? Can insurance ever really fully provide coverage for these data-specific use cases?
One other concern for insurers is that it can be difficult to separate real crime from potential insurance fraud.
As part of its research into cyber insurance policies, Mimecast questioned 436 IT experts at organizations in the US, UK, South Africa and Australia. The research revealed that:
- 45% of firms with cyber insurance are unsure if their policy is up-to-date for covering new cyber social engineering attacks, and only 10% believe it is completely up-to-date
- 43% of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions
- 64% of firms don’t have any cyber insurance at all
One example of this growing risk is the legal proceeding between Texas-based AFGlobal Corp and Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but the insurer denied a claim after scammers impersonating AFGlobal's CEO convinced the company's accountant to wire $480,000 to a bank in China.
The rise of whaling has created an attack climate in which many insured organizations may not be protected from fraudulent transactions, because such transactions fall outside the scope of coverage as it was defined when their policies were originally signed.
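The AFGlobal scenario above, a message purporting to come from the CEO that persuades finance staff to wire money, has a recognisable shape in the mail headers and body. The following added example (not Mimecast's code, and not a description of any product's detection logic) shows the checks a gateway or mailbox rule can run on an inbound message: an executive's display name paired with the wrong mailbox, a sender domain that is a look-alike of the organisation's own, a Reply-To that diverts replies elsewhere, and a payment request combined with urgency. The organisation domain, executive list and both sample messages are constructed for illustration.

```python
"""Flag executive-impersonation (whaling) indicators in an inbound message.

Added example, not Mimecast's code. The organisation domains, executive
list and sample messages are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}                            # assumed internal domains
EXECUTIVES = {"jane doe": "jane.doe@example.com"}        # assumed display name -> real mailbox
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}  # common look-alike substitutions
MONEY = re.compile(r"\b(wire|transfer|payment|invoice|bank details)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|confidential|asap)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain):
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def is_lookalike(domain):
    """True for domains that fold to, or sit within two edits of, an org domain."""
    if not domain or is_internal(domain):
        return False
    folded = domain
    for bad, good in HOMOGLYPHS.items():
        folded = folded.replace(bad, good)
    # Two edits is generous for short domains; tune against real sender traffic.
    return any(folded == d or edit_distance(domain, d) <= 2 for d in ORG_DOMAINS)


def _plain_text(msg):
    chunks = []
    for part in msg.walk():  # a non-multipart message walks as itself
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw):
    """Return the list of impersonation indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name-impersonation")  # right name, wrong mailbox
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != domain:
        findings.append("reply-to-mismatch")             # replies diverted elsewhere
    text = _plain_text(msg)
    if MONEY.search(text) and URGENCY.search(text):
        findings.append("payment-lure")
    return findings


# Constructed sample: "rn" in the sender domain renders like "m" in most fonts.
WHALING_SAMPLE = """\
From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: <jane.ceo@webmail.example>
To: accounts@example.com
Subject: Quick favour
Content-Type: text/plain; charset="us-ascii"

I am in a meeting all day and need you to process a wire transfer today.
Keep this confidential until I am back in the office.
"""

# Same request from the real mailbox: only the wording is suspicious.
LEGIT_SAMPLE = WHALING_SAMPLE.replace("exarnple.com", "example.com").replace(
    "Reply-To: <jane.ceo@webmail.example>\n", "")

if __name__ == "__main__":
    for label, raw in (("whaling", WHALING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, analyse(raw))
```

The legitimate sample still trips the payment-lure check, which is the point: a genuine CEO request can look urgent too, so the wording alone should raise the priority of a message, not block it. The header indicators are the ones worth acting on, and they need an accurate list of executives and their real mailboxes, plus a policy for the case where an executive genuinely writes from personal webmail.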
Mimecast research also found that:
- 58% of organizations have seen an increase in untargeted phishing emails
- 65% have seen targeted phishing attacks grow
- 50% said they have seen social engineering attacks that utilize malicious macros in attachments increase
A survey of risk managers by The Hartford Steam Boiler Inspection and Insurance Co. (HSB) highlighted the primary reasons for not buying coverage. Perceived complexity (44 percent), lack of a sufficient threat (34 percent) and cost (22 percent) were cited.
With the cybersecurity landscape constantly evolving, cyber insurers will have great difficulty keeping their coverage up to date. CEO fraud is a prime example of how quickly an attack can grow and morph. Tomorrow's threats will almost always come as a surprise.
Mimecast is recommending that all organisations review their cyber insurance policies regularly. A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technology fail-safes.
*Mimecast will be exhibiting at Infosecurity Europe, 7-9 June, at stand #G100. Mimecast security experts will discuss the top email attack strategies being used against millions of organizations around the world today.