Cybercriminals are continually upping the complexity and severity of their attacks. Hackers have now baked agility into their DNA in an endless drive to evolve tactics and throw ever more nasty surprises at unsuspecting victims and defenders alike.
Today, the hackers’ efforts and attack methods are increasingly targeted and complex, meaning awareness, vigilance, and education are vital weapons and our most critical line of defense. Every day 450,000 new pieces of malware are detected, and 3.4 billion phishing emails hit inboxes. Attacks of this nature have become all the more prevalent, more sophisticated and harder to detect. Commonplace in nature, these are the attack types that have commanded media attention and rallied calls for targeted and coordinated plans to stop hackers dead in their tracks.
But while these key techniques in the hacker skill set like malware, phishing and SQL injection are ever present year after year, other techniques come fresh out of the box designed to catch us –and even our best defense measures- completely off guard.
If recent years have any key message to teach us, it’s that threats will keep diversifying as hackers keep turning up the heat with bolder attacks. Old mottos like ‘fail to prepare and you’re preparing to fail and ‘hope for the best and prepare for the worst” both apply here.
Ultimately, if we’re to shore up the best defences in an ‘always on’ hacker world it’s vital we stay ahead of the curve and keep shape shifting the approach whatever the threat. Here’s a look at the techniques that have sustained relevance, what’s coming next this year and what key actions we can take now to prepare.
John Pescatore is Director of Emerging Security Trends at SANS Institute.
1. Living off the cloud
Seeing as how the cloud has become part of our everyday lives, adversaries are targeting cloud environments more than ever. While living off the land attack tactics continue to be in use, our cloudy present state has drawn adversaries up into the clouds as well.
Bad actors target cloud environments with these attacks because this tactic is cheap and easy to set up, deceives users and defenders by blending in with legitimate cloud services, and more easily bypasses firewalls and proxies. Adversaries know that users recognize cloud infrastructure. To detect and respond to these attack methods, adopt a mindset of “Know normal, find evil.” In other words, know what is normal for your environment so that when something anomalous occurs, it’s easier to identify as a potential incident. Other approaches that will help you get ahead of these attacks include putting more resources into user education and working with cloud providers by reporting abuse of their platforms and brands.
2. MFA “bypass”
There is continued movement away from using multiple use passwords and towards adopting multifactor authentication (MFA), passkeys, FIDO 2 authentication and other additional layers of security. Companies like Apple and Google are also developing their own authentication token systems.
This will all lead to a badly needed increase in security but also result in an explosion of attacks that aim to bypass such MFA approaches, including using stalkerware to take advantage of company executives and board of directors’ use of mobile phones to record their keystrokes and interactions.
With an MFA bypass technique, a likely scenario is that an adversary gains access to a user account that wasn’t properly disabled and re-enrolls their illegitimate device so that they can bypass multi-factor authentication.
But despite concerns we should keep using MFA. Just like the first technique, key to getting ahead of this cyber-attack tactic is to channel that same “Know normal, find evil” mindset. Counter-measures involve monitoring for unusual user behaviors and login sources as well as ensuring that all inactive accounts are disabled uniformly on Active Directory and MFA systems.
3. “Ghost backup” attack
Our third most dangerous attack technique is something that we refer to as the spooky sounding “Ghost Backup” attacks.
With this approach, an attacker first breaches a backup system or controller, then adds a malicious backup job that exfiltrates data to their own attacker-controlled storage. This allows the hacker to reconfigure your backup software to either steal particular files or to configure their own backup destination, so they have access to all of your files. The attacker may also use the same cloud infrastructure which makes detection extremely challenging especially if a high volume of files are not pulled.
Practicing good backup security includes:
- Performing regular inventorying where your backups are, monitoring as closely as the other software you are managing
- Implementing data retention policies
- Ensuring there is a plan in place to patch agents
- Securing access to the central management console
- Deploying end-to-end encryption, including encryption at rest, in particular for off-site backups
4. Stalkerware – same methods, greater access
“How stalkable are you?” It’s a scary question to ask but vital if we want to track and control the personal data we’re putting out online. We’re human so of course we can all make simple mistakes like reusing passwords or all too willingly sharing sensitive information through seemingly innocent social media quizzes – like a pet’s name, mother’s maiden name- all things which can be used to answer security questions to get access to our accounts. The sad reality is that so much of the information used to attack us comes from information we’ve put out there into the universe.
We all deserve to enjoy privacy and full peace of mind across our online lives so it's important to ensure our computers, phones and internet devices are free from prying eyes. The scourge of stalkerware - software, apps and devices that facilitate cyberstalking- is by no means a new tactic but this form of malware is on the rise and risking very serious real world outcomes.
While mobile phones are more secure than desktops, we will also see a greater volume of stalkerware included in downloaded apps that target consumers. Pegasus is a key example of this threat, which can install itself on iOS and Android devices with zero clicks. Hackers are also creating malicious stalkerware apps and hiding them in app stores. As people become more accustomed to downloading family tracking software and giving away app permissions, the risk of having their keystrokes, locations, voice, and even photos and videos recorded for financial theft and other nefarious purposes will also increase.
Consider sophisticated mobile malware that self-installs and self-destructs. Zero-click exploits for iOS and Android allows bad actors to get in and get out undetected, leaving little to no trace behind that is recoverable via forensic analysis.
Stalkerware is stealthy be design and made to go undetected but awareness, vigilance and making strong security practices routine can all help to keep us safe. Simply put, cyber hygiene matters.
A few tactics we should all adopt include:
- Changing passwords on all devices regularly
- Rebooting devices frequently
- Never clicking on random links
5. Cyber warfare
In today’s political environment with increasing global tensions, such as with the situation in Russia and Ukraine, attacks that seem more likely to make up the plot of a James Bond movie are, in fact, very real possibilities. The boundaries of civilian and military blur, and Internet and apps can fundamentally change intelligence and military outcomes. Just look to civilian company Starlink’s $80 million investment in Ukraine communications infrastructure as an example.
Be aware that with such lines blurring and geopolitical tensions being what they are currently, we run the risk of having a single bad actor decide they're going to support that war, but from their basement. There’s a new digital high ground, in which open-source, publicly written technologies can be leveraged in military operations.
What action to take
The scale of the cybercrime landscape and the audacity of attackers' efforts have become breath-taking in scope so it’s easy to see why navigating the challenges and reinforcing security posture is keeping so many of us up at night.
High profile breaches drive the point home that attacks have real world implications not just for businesses but for people on a personal level too. The last year has brought a sharp rise in awareness that no one is immune to the possibility of a devastating attack. Not only that, but we’ve also seen the issue of dialing up cybersecurity begin to ripple through boardrooms as a business priority. This increased tension on the issue needs to persist as we map out the best practical pathway forward.
These threats are all very real, and the best way to prepare for them is to arm yourself with the skills and knowledge necessary to fight against them. While taking ownership of basic personal cyber hygiene is paramount, the good news is the transition to robust cybersecurity doesn’t have to be handled independently. With the role of the security professional packed full of so many endpoints, people and regulations to navigate, its vital that we leverage all support possible through an approach that brings together of people, training, communications and technologies. This new approach is one that will cement cybersecurity as a pillar of success for any organization – large or small – and will ramp up the confidence and defenses we all need to counter the growing hacker ecosystem.
