[BreachExchange] The 5 types of cyber attack you're most likely to face

[Destry Winant]

https://www.csoonline.com/article/2616316/data-protection/the-5-types-of-cyber-attack-youre-most-likely-to-face.html#tk.rss_securityadviser

As a consultant, one of the biggest security problems I see is
perception: The threats companies think they face are often vastly
different than the threats that pose the greatest risk. For example,
they hire me to deploy state-of-the-art public key infrastructure
(PKI) or an enterprise-wide intrusion detection system when really
what they need is better patching.

The fact is most companies face the same threats -- and should be
doing their utmost to counteract those risks. Here are the five most
common (and successful) types of cyber attack.

1. Socially engineered malware

Socially engineered malware, lately often led by data-encrypting
ransomware, provides the No. 1 method of attack (not a buffer
overflow, misconfiguration or advanced exploit). An end-user is
somehow tricked into running a Trojan horse program, often from a
website they trust and visit often. The otherwise innocent website is
temporarily compromised to deliver malware instead of the normal
website coding.

The maligned website tells the user to install some new piece of
software in order to access the website, run fake antivirus software,
or run some other “critical” piece of software that is unnecessary and
malicious. The user is often instructed to click past any security
warnings emanating from their browser or operating system and to
disable any pesky defenses that might get in the way.

Sometimes the Trojan program pretends to do something legitimate and
other times it fades away into the background to start doing its rogue
actions. Socially engineered malware programs are responsible for
hundreds of millions of successful hacks each year. Against those
numbers, all other hacking types are just noise.

Countermeasure: Social engineered malware programs are best handled
through ongoing end-user education that covers today's threats (such
as trusted websites prompting users to run surprise software).
Enterprises can further protect themselves by not allowing users to
surf the web or answer email using elevated credentials. An up-to-date
anti-malware program is a necessary evil, but strong end-user
education provides better bang for the buck.

2. Password phishing attacks

Coming a close second are password phishing attacks. Approximately 60
to 70 percent of email is spam, and much of that is phishing attacks
looking to trick users out of their logon credentials. Fortunately,
anti-spam vendors and services have made great strides, so most of us
have reasonably clean inboxes. Nonetheless, I get several spam emails
each day, and a least a few of them each week are darned good phishing
replicas of legitimate emails.

I think of an effective phishing email as a corrupted work of art:
Everything looks great; it even warns the reader not to fall for
fraudulent emails. The only thing that gives it away is the rogue link
asking for confidential information.

Countermeasure: The primary countermeasure to password phishing
attacks is to have logons that can’t be given away. This means
two-factor authentication (2FA), smartcards, biometrics and other
out-of-the-band (e.g., phone call or SMS message) authentication
methods. If you can enable something other than simple logon
name/password combinations for your logons, and require only the
stronger methods, then you’ve beat the password-phishing game.

If you’re stuck with simple logon name/password combinations for one
or more systems, make sure you use accurate-as-can-be anti-phishing
products or services, and decrease the risk through better end-user
education. I also love browsers that highlight the true domain name of
a host in a URL string. That way
windowsupdate.microsoft.com.malware.com, for example, is more obvious.

3. Unpatched software

Coming in close behind socially engineered malware and phishing is
software with (available but) unpatched vulnerabilities. The most
common unpatched and exploited programs are browser add-in programs
like Adobe Reader and other programs people often use to make surfing
the web easier. It's been this way for many years now, but strangely,
not a single company I've ever audited has ever had perfectly patched
software. It’s usually not even close. I just don't get it.

Countermeasure: Stop what you're doing right now and make sure your
patching is perfect. If you can't, make sure it's perfect around the
most exploited products, whatever they happen to be in a given time
period. Everyone knows that better patching is a great way to decrease
risk. Become one of the few organizations that actually does it.
Better yet, make sure that you’re 100 percent patched on the programs
most likely to be exploited versus trying unsuccessfully to be fully
patched on all software programs.

4. Social media threats

Our online world is a social world led by Facebook, Twitter, LinkedIn
or their country-popular counterparts. Social media threats usually
arrive as a rogue friend or application install request. If you’re
unlucky enough to accept the request, you’re often giving up way more
access to your social media account than you bargained for. Corporate
hackers love exploiting corporate social media accounts for the
embarrassment factor to glean passwords that might be shared between
the social media site and the corporate network. Many of today’s worst
hacks started out as simple social media hacking. Don’t underestimate
the potential.

Countermeasure: End-user education about social media threats is a
must. Also make sure that your users know not to share their corporate
passwords with any other foreign website. Here’s where using more
sophisticated 2FA logons can also help. Lastly, make sure all social
media users know how to report a hijacked social media account, on
their own behalf, or someone else’s. Sometimes it is their friends who
notice something is amiss first.

5. Advanced persistent threats

I know of only one major corporation that has not suffered a major
compromise due to an advanced persistent threat (APT) stealing
intellectual property. APTs usually gain a foothold using socially
engineered Trojans or phishing attacks.

A very popular method is for APT attackers to send a specific phishing
campaign -- known as spearphishing -- to multiple employee email
addresses. The phishing email contains a Trojan attachment, which at
least one employee is tricked into running. After the initial
execution and first computer takeover, APT attackers can compromise an
entire enterprise in a matter of hours. It's easy to accomplish, but a
royal pain to clean up.

Countermeasure: Detecting and preventing an APT can be difficult,
especially in the face of a determined adversary. All the previous
advice applies, but you must also learn to understand the legitimate
network traffic patterns in your network and alert on unexpected
flows. An APT doesn't understand which computers normally talk to
which other computers, but you do. Take the time now to start tracking
your network flows and get a good handle of what traffic should going
from where to where. An APT will mess up and attempt to copy large
amounts of data from a server to some other computer where that server
does not normally communicate. When they do, you can catch them.

Other popular attack types such as SQL injection, cross-site
scripting, pass-the-hash and password guessing aren't seen nearly at
the same high levels as the five listed here. Protect yourself against
the top five threats and you'll go a long way to decreasing risk in
your environment.

More than anything, I strongly encourage every enterprise to make sure
its defenses and mitigations are aligned with the top threats. Don't
be one of those companies that spends money on high-dollar,
high-visibility projects while the bad guys continue to sneak in using
routes that could have easily been blocked.

Lastly, avail yourself of a product or service that specializes in
detecting APT-style attacks. These products or services either run on
all your computers, like a host-based intrusion detection service, or
collate your event logs looking for signs of maliciousness. Long gone
are the days where you’ll have a hard time detecting APT. Myriad
vendors have now filled the earlier void and are waiting to sell you
protection.

Overall, figure out what your enterprise’s most like threats will be
and prepare for those the most. Too many companies waste resources
concentrating on the wrong, less likely scenarios. Use their threat
intelligence as compared to your environment’s make up and
vulnerabilities, and determine what you should be preparing for the
most.