
Cyber breach methods

by Mark Rowe

It’s impossible to ignore the evolving pace and sophistication of cyber breaches. Even the most tech-savvy businesses continue to be breached, and many are unaware of the breach for months, writes Tony Marques, Cyber Security Consultant, Encode Group.

Cyber breach methods (i.e. attack vectors) range from remotely probing a target’s Internet facing perimeter through to covert physical tapping of IT Infrastructure. In between, there are phishing attacks and insider abuse that attempt to evade perimeter controls by exploiting end user rights to launch embedded links and the End User Device (EUD) vulnerability to execute malware.

Attack by opportunist hackers using ‘off-the-shelf’ tools exploiting weak perimeter defences is not the major problem facing digital businesses, unless of course best practice defences are neglected.

Social engineering

Phishing aims to “socially engineer” users to click emailed links to download and/or execute embedded malware which compromises their privileged access to EUDs. These Cyber attacks are opportunist in that they are usually “fire and forget”, where anyone can be the victim.

Perimeter evasion

Apart from insider abuse, phishing attacks represent a greater threat to an organisation. They attempt to evade perimeter defences such as firewalls and intrusion detection and prevention controls (IDS/IPS) by exploiting user privileges, socially engineering a user and then exploiting an EUD vulnerability to run malware.

EUD Infection – payload delivery

An attacker usually has no way of knowing whether the malware (i.e. the ‘payload’ attachment, or a link to an external web server) will execute on the end user’s EUD. Most phishing attacks target desktop EUDs and laptops.

Command and Control (C2)

Successfully executed malware will need to, as a next step, establish a command and control (C2) channel through a corporate’s perimeter defence. Only weak and poorly configured environments fall victim to this kind of attack.

Spear phishing

A spear phishing attack is a targeted and customised version of a phishing email, designed to socially engineer specific users or user groups in a corporate or consumer context. These cyber attacks are more deliberate in nature and are usually customised to the victim’s anticipated circumstances and financial/corporate relationships. Typically the emails appear to originate from known associates, with context familiar to the victim, thus minimising the chance of raising suspicion.

Profiling victims using Open Source Intelligence (OSI)

An attack involves assembling a corporate digital profile to discover context that’s familiar, relevant and current for a given user or group of users. Profiles are assembled by motivated threat actors with the time, skill and resources to conduct research from OSI. The profile is used to prepare an email or series of emails that lure targeted victims into activating embedded links or documents, thereby executing malware unbeknown to the victim.

Perimeter Evasion, EUD Infection and Command and Control (C2)

Spear phishing fundamentally has the same goals as ‘phishing’ attacks as far as perimeter security evasion and C2 establishment (i.e. gaining a ‘foothold’) are concerned.

Corporate measures

Corporates should reduce publicly available information on staff, roles, internal associations and technologies in the workplace. Job vacancies are usually an excellent source of IT estate information. Social Networking is a primary source of information about individuals, their colleagues and professional associations.

Spear phishing

Spear phishing is also a crucial phase of a far more threatening cyber attack scenario: that of an Advanced Persistent Threat (APT). APTs are usually executed to covertly gather intelligence, stealing IP, customer information and financial data such as credit card details.

An APT attack is arguably the most potent cyber threat today. APT attacks are targeted, strategic and goal driven. They leverage a victim’s organisation, staff and IT estate complexity to evade perimeter and signature-based defences and establish persistent access, sometimes remaining undetected for many months. Defence against an APT attack requires adding layers.

The primary defence against APT-based attacks is an effective Detect, Respond and Contain capability, such as a Security Incident and Event Management (SIEM) solution with built-in security intelligence and forensics capabilities. Assume perimeter defences will be breached; the emphasis is on detecting and containing a breach early, before serious damage is caused.
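The article stresses that malware must establish a C2 channel through the perimeter and that the realistic defence is early detection rather than prevention. As an added illustration (not code from the author or Encode Group), the following script implements one common SIEM-style detection for that step: flagging outbound connections whose timing is too regular to be human browsing. The proxy log lines and hostnames are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real data): timestamp, source host, destination, bytes.
# The entries to updates.example-cdn.net repeat almost exactly every 300 seconds.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-12 updates.example-cdn.net 5120
2024-03-01T09:00:05 ws-12 mail.example.com 2200
2024-03-01T09:05:00 ws-12 updates.example-cdn.net 5118
2024-03-01T09:07:41 ws-12 news.example.org 80211
2024-03-01T09:10:00 ws-12 updates.example-cdn.net 5122
2024-03-01T09:15:01 ws-12 updates.example-cdn.net 5119
2024-03-01T09:18:20 ws-12 mail.example.com 19870
2024-03-01T09:20:00 ws-12 updates.example-cdn.net 5121
2024-03-01T09:25:00 ws-12 updates.example-cdn.net 5120
"""

def parse_log(text):
    """Group (timestamp, bytes) events by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return events

def beacon_candidates(events, min_hits=5, max_cv=0.1):
    """Return (src, dst, mean_gap_s, cv) for pairs whose contact timing is suspiciously regular.

    cv is the coefficient of variation of the inter-connection gaps; human browsing
    produces bursty gaps (high cv), while a timer-driven implant produces a low cv.
    """
    hits = []
    for (src, dst), evs in events.items():
        if len(evs) < min_hits:          # too few contacts to judge periodicity
            continue
        times = sorted(t for t, _ in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append((src, dst, round(avg), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print("possible beacon:", hit)
```

Real implants often add jitter to their check-in interval, so in production the threshold is tuned per environment and the result is correlated with other signals (destination reputation, payload size consistency, user agent) rather than treated as a verdict on its own.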


© 2024 Professional Security Magazine. All rights reserved.
