During her keynote at #LEAP22, Paula Januszkewicz (Founder and CEO at CQURE) pointed to a staggering 1318% increase in ransomware attacks in the financial industry, and noted that 94% of malware is delivered by email. And across industries, ransomware attacks are getting more serious.
So far this year, for example, hackers have breached a government network in Bernalillo County, New Mexico, accessing a prison’s camera feeds and trapping inmates by disabling automatic door mechanisms. The sports manufacturer Puma suffered a data breach in January as a result of a ransomware attack against one of its workforce management solutions providers, and personal information was stolen from 6,632 employees. And Hensoldt, a multinational defence contractor, was breached by ransomware group Lorenz — the ransom is listed by Lorenz as ‘paid’, but it remains unclear whether Hensoldt paid it, or if another criminal group bought the exposed data.
Januszkewicz is a respected penetration tester. Companies use her to test their systems by doing as a hacker would do: hacking. And she outlined three goals to focus on this year in order to keep your business (and your employees and customers) safe.
Are major attacks really delivered by email?
We’re all used to receiving (and ignoring) comical phishing emails, and to many of us, it seems ridiculous that they could ever work. Who would click on the link to enter their bank details after Mrs. Pennington Friddlemick (yes, we made that one up) emailed to say she wanted to donate the trillion-dollar-savings-of-her-late-husband’s-very-kind-uncle to us?
But not all phishing emails are so obvious. And what many people don’t know is that it only takes one misplaced click to fall prey.
In a common type of malware hack, called a kill chain attack, a user opens an attachment — which in the example Januszkewicz described was an Excel sheet. There is a big green button that doesn’t look like a button, and if the user clicks anywhere on that green area, the file connects directly to the hacker.
“The user doesn’t even know it’s happening,” Januszkewicz said, but the hacker is instantly able to download information from their system as a text file before converting it into an executable. In doing so, the hacker essentially becomes the user — and can then escalate their controls to the level of a privileged account (as opposed to a limited account) by penetrating misconfigurations in the user’s script with malicious code.
When the hacker then restarts the user’s computer, they gain a full set of privileges and access to that user’s device and network. What they do then is the next stage of the attack, and their options depend on the access their target (the user) has to a deeper infrastructure. When a hacker is able to access the full list of processes operating on a user’s account, with the only precondition being that they’re in that network, acting as that user…well, it’s a good position for a hacker to be in.
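The chain described above (an Office attachment spawning a script host, an outbound connection from that child, and a dropped file turned into an executable) is exactly what centralised log monitoring needs to recognise. The following is an added example, not code from the talk or from CQURE: a small Python detector run over constructed JSON-lines process and network events. The field names (`evt`, `pid`, `ppid`, `parent`, `image`, `dst`) are assumptions, not any product's schema.

```python
"""Detect the Excel-attachment kill chain over constructed endpoint log records."""
import json
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# A program started from a user-writable folder: the "text file converted
# into an executable" stage of the chain. Folder names are assumptions.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.IGNORECASE)

# Constructed sample log (JSON lines); the pids, paths and 203.0.113.7 are made up.
SAMPLE_LOG = r"""
{"evt":"process_create","user":"bob","pid":400,"ppid":300,"parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\EXCEL.EXE"}
{"evt":"process_create","user":"bob","pid":410,"ppid":400,"parent":"C:\\Program Files\\Microsoft Office\\EXCEL.EXE","image":"C:\\Windows\\System32\\cmd.exe"}
{"evt":"net_connect","user":"bob","pid":410,"image":"C:\\Windows\\System32\\cmd.exe","dst":"203.0.113.7:443"}
{"evt":"process_create","user":"bob","pid":420,"ppid":410,"parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\q.exe"}
{"evt":"process_create","user":"alice","pid":500,"ppid":300,"parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe"}
"""


def detect(lines):
    """Return (rule_name, pid) alerts; tracks the process tree under an Office app."""
    lineage = set()  # pids of script hosts spawned by Office, and their descendants
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        image = PureWindowsPath(ev["image"]).name.lower()
        if ev["evt"] == "process_create":
            parent = PureWindowsPath(ev["parent"]).name.lower()
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                alerts.append(("office_spawned_script_host", ev["pid"]))
                lineage.add(ev["pid"])
            elif ev["ppid"] in lineage:
                lineage.add(ev["pid"])  # grandchildren inherit the suspicion
            if USER_WRITABLE.search(ev["image"]):
                alerts.append(("exec_from_user_writable_path", ev["pid"]))
        elif ev["evt"] == "net_connect" and ev["pid"] in lineage:
            # Excel's own telemetry is normal; only its script-host children are flagged.
            alerts.append(("office_child_network_connect", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule} pid={pid}")
```

A benign Excel launch (the first record alone) produces no alert; the three rules only fire once the spreadsheet starts a script host.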
So a seemingly simple phishing email becomes the catalyst for a large-scale cybersecurity attack. And attacks like this don’t cost very much to implement: “Whenever we’re seeking for a lead — a target to attack,” Januszkewicz said, “that one lead costs approximately 13 cents. Other hackers are selling leads on the dark web. You pay for example from $500 to $3000 in order to earn a couple of million dollars.”
The 2019 Verizon Data Breach Investigation Report confirmed that almost one third of all cybersecurity breaches involved phishing (and for cyber-espionage attacks, that number increased to 78%). But the pandemic accelerated the rise of phishing attacks — 83% of organisations reported they experienced phishing in 2021 according to a study by Proofpoint, and six billion attacks are expected to occur in 2022. Recent reports estimate that more than 3.4 billion phishing emails are sent every day in 2022.
The three aspects of effective cybersecurity in 2022
The problem with an attack like this is that it doesn’t rely on faults or issues in a user’s system to gain access. Instead, it relies “on protocols that we use, it relies on solutions that we use, and it’s not a vulnerability. That’s just how it is. And the thing is that currently when we think about the challenges that we’ve got in cybersecurity we have to combine many technologies all together.”
Revising and combining those different technologies to create a coherent and efficient security plan is Januszkewicz’s goal for 2022. And there are three elements to consider.
Firstly, organisations need efficient monitoring that is capable of gathering logs from every single device and server on a network, and intelligently recognising a threat.
Secondly, now is the time to review and update pen testing goals. When investing in the skill of a penetration tester like Januszkewicz to check conditions and vulnerabilities of a network, “it’s not just about getting into the site and infrastructure,” she said; now, it’s also about reviewing all of the identities within that infrastructure, and every device that is used to connect.
And thirdly, it’s necessary to review incident response plans — so that everyone knows the steps to take when an attack is detected. In any company or organisation, “we need to have a well-designed incident response plan where we’re able to execute it with appropriate levels of knowledge and appropriate tools on board.”
At the core of a cybersecurity plan like this is knowledge and education. It’s necessary to understand that protecting a network in 2022 is complex, and that as of right now, no network is impenetrable. Because when hackers can turn a network’s own protocols against it to gain access, it’s not just a case of fixing faults. It’s a case of watching; testing; and responding when inevitable attacks do appear in a system.