Despite evolutions in technology, hackers are still using the same old tricks, though sometimes in a more evolved way.
The hacker mentality is to want to grab the low-hanging fruit, or go after the easiest target, explained Sivan Rauscher, co-founder and CEO of SAM, a network security company.
For attackers trying to find those low-hanging fruits, the explosion of IoT devices is providing a large attack surface. “With the fact that your life becomes more and more connected and there are so many devices and so many endpoints in your home, statistically, some of the attacks will get to you,” said Rauscher. “And because those IoT devices are lacking a security layer like authentication, encryption, all of those classic basic security layers, it’s so easy to hack them. They are the low-hanging fruit, and that’s why it’s so easy to target IoT.”
In the past few years, Rauscher has seen a lot of repeating attack methods, such as phishing attacks and ransomware. According to F5 Labs’ December 2017 report, “Lessons Learned from a Decade of Data Breaches,” the root cause of 48 percent of the data breach cases it looked at was phishing.
Every year SAM sees more attacks of those types because they are easy to carry out and can be pushed out to a large number of people all at once, Rauscher said.
For example, the WannaCry ransomware attack in 2017 affected thousands of computers in a short period of time and spread incredibly fast because of specific vulnerabilities in Windows computers, anti-virus provider Symantec explained. Another example of a widespread attack that same year is the Mirai botnet, which used hundreds of thousands of IoT devices to conduct DDoS attacks that brought down major websites, Cloudflare explained.
These attacks happen so frequently because attackers know that it is easier to send something to thousands of people than to go after specific targets.
“That’s how attackers think, that’s how they manipulate inside a network and infect the other devices to gain more access and gain more data. And phishing and ransomware is a way to lure the end user to press on something and just extract data and extract your bank account, extract your social security number, and that’s how they do it,” said Rauscher.
The bottom line is that phishing is still a very common attack method, not just against enterprises but against end users, Rauscher explained.
Attackers can use social media to create more specialized attacks
On the other hand, many attackers are getting more and more specialized. According to Sash Sunkara, co-founder and CEO of cloud management platform provider RackWare, the emergence of social media has led to more sophisticated attacks. Hackers can look at a person’s social media and create targeted phishing emails that will look believable. They can look at your social media profiles and determine who you are connected to at work, and use that to create highly specialized attacks.
“Maybe your assistant opens something and all of a sudden the attacker has access to your network and they have access to your data,” said Sunkara, who explained that often, these phishing emails do look very real, even to smart users.
“They’re going to use methods that we were thinking were non-threatening that now are going to become threatening,” said Sunkara. “Before, you could really tell when a fake request was coming in. But nowadays it’s so well-disguised that it’s hard to tell even for the sophisticated user. And I think that’s going to continue to escalate as far as the next year.”
Sunkara explained that at RackWare, the company sends alerts on almost a daily basis warning employees not to click on specific emails, and she estimated that they have seen three times as many fake emails as usual in the last few months.
The emergence of these more sophisticated attacks has led to more of a need for education within companies. First, employees need to be educated on how requests should come through and things to watch out for. They should know what the red flags are for fake emails.
In addition, securing the network can ensure that if an attack does get through, the data behind it is still protected.
“There has to be education, protection, and warnings on the front end, but there has to be protection on the back end in case any of these things get through and they get access to critical information,” said Sunkara.
Protecting the network ensures that an attacker's access to a single IoT device does not compromise the rest of your network, Rauscher explained.
DevOps created a much broader attack surface
According to Chris Wallace, security liaison engineer at telecommunications company Vonage, the emergence of DevOps has also significantly increased the available attack surface. “Hackers no longer just target the deployed software but also the tools used to automate our deployment pipeline,” Wallace said. “New attack surfaces including Github repositories, containers as well as automation and orchestration tools provide new opportunities to infiltrate a system and maintain a persistent presence while eluding detection.”
Wallace warned that a misdirected DevOps team can be vulnerable, just as an improperly configured server could be. Often, shortcuts are taken when implementing DevOps, resulting in “misconfigured environments, vulnerable servers open to the internet, a lack of appropriate separation of duties and no access control or segmentation of the network environment,” Wallace said.
Credential phishing plays on our basic human nature to be helpful
Though phishing is not a new type of attack, hackers are relying on credential phishing more and more, and its use is growing.
Menlo Security’s report, Understanding a Growing Threat: Credential Phishing, defines credential phishing as “an attempt by malicious individuals to steal user credentials and personally identifiable information (PII) by tricking users into voluntarily giving up their login information through a phony or compromised login page.”
According to Menlo Security, credential phishing attacks are often the start of a much bigger attack. “Phishing emails are simply the way a threat actor gains access to the network before stealing information, making a ransom demand or simply creating havoc,” Menlo Security wrote in the report.
These attacks succeed because they play on an organization’s weakest link: the user. “Human nature is trusting. It’s curious. It’s willing to follow directions from a seemingly authoritative figure,” the report stated. “Attackers know very well how to manipulate human nature and emotions to steal or infiltrate what they want. They use email messages that induce fear, a sense of urgency, curiosity, reward and validation, an emotionally charged response by their victims or simply something that is entertaining and a distraction to convince, cajole or concern even seasoned users into opening a phishing email.”
According to the report, 12 percent of users open phishing emails and 4 percent always click on a link within a phishing email. Enterprise users tend to be a bit better at identifying phishing emails, but not by much, Menlo Security explained.
According to Menlo Security, the only way to prevent credential phishing from succeeding 100 percent of the time is to implement web isolation, which “physically prevents users from entering their credentials into a bogus web form.”
What’s the deal with nation-state attacks?
According to the Menlo Security report, nation-state sponsored groups and advanced persistent threats (APTs) often use credential phishing in order to execute attacks against high-profile targets, such as political campaign websites, think tanks, political national committees, and more.
An infamous example of a nation-state attack that used credential phishing is the attack against John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, by a Russian hacking group, the report stated.
According to David “Moose” Wolpoff, CTO of security company Randori, people often confuse nation-state sponsored attacks with APTs. “A lot of times people ask me about nation-state attacks, and they’re really asking about APT or advanced attacks, or they’ve got something in their brain about technical sophistication,” he said. “I think that’s maybe a little misleading, as I haven’t seen a lot of evidence of what I would consider highly sophisticated attacks in international conflicts… And I typically don’t think of spearphishing or phishing as an advanced attack. It just happens that it’s still pretty effective.”
Wolpoff explained that nation-state attacks occur all the time against a large range of targets, from individual lawmakers to nongovernmental organizations (NGOs).
According to Wolpoff, companies should prepare against nation-state attacks the same way they would normal attacks. “I wouldn’t necessarily think that a company needs to do something different to prepare for being attacked by a nation as opposed to being attacked by a common hacker, but I think the question is really, what’s the level of determination that an adversary is going to bring against you and what’s the impact to you if they’re successful? And you have to pair your reasoned response based on what that looks like.”
Wolpoff believes that nation-state attacks will continue to utilize spearphishing in the years to come. He believes we will see a blending of information warfare, economic warfare, and social interaction. “The vast majority of the attacks we see — I think every year that I’ve ever been tracking — are socially connected attacks. People want to be helpful. Hackers know that people want to be helpful, even a nation-state level Russian hacker knows that people want to be helpful.”