The real deal on cybercrime, breach timelines, and mounting a proactive defence
Here’s something that may seem obvious but is truer today than ever: organisations that take security breaches seriously (which should be all of them) cannot afford a purely reactive defensive strategy. A considerable amount of damage can be done in a shockingly short period of time, yet simple proactive steps can often thwart cybercriminals and protect organisations against a wide variety of attacks.
No target is impervious, but the most resilient companies understand who the cybercriminals are, what motivates them and which tactics they use. Criminals attack the moment the right opportunity presents itself, so the organisations they target must act preemptively, and that knowledge is what makes preemptive action possible.
Cybercriminals come in all shapes and sizes. They can operate individually or coordinate with others. Some are newcomers to the scene (“skids”, short for script kiddies) with little technical acumen, while others are seasoned professionals who use sophisticated methods to conduct widespread attacks.
While criminals vary drastically in their capabilities, methods and targets, they share a common motivation: control. Most commonly that means control of funds that aren’t theirs. By stealing credentials that grant access to bank accounts, personally identifiable information (PII), or corporate data and intellectual property, criminals can profit directly or, more often, sell the accounts and data to trusted contacts or on underground markets. More capable actors, such as those sponsored by nation states, seek information that exposes a target’s weaknesses and can be used to render it powerless.
Whatever the end intent, cybercriminals aim for organisations of all types and sizes. The FBI estimates that business email compromise (BEC) cost organisations more than $5 billion between October 2013 and December 2016. Associated reputational damage is harder to quantify, but it can be just as devastating.
Among stolen credentials and PII, health records and social security numbers fetch the highest prices. One recent report found that a skilled cybercriminal committing these kinds of attacks can make as much as $350,000 per year.
Sometimes, employees of the targeted organisations unwittingly work in their adversaries’ favour. They can be manipulated into helping criminals take over accounts or wire money to criminal-controlled mule accounts by following instructions in a phishing email, or in an email sent from an account that has already been compromised.
Social engineering is also used to trick unsuspecting users into revealing personal information, and it generally targets individuals with access to central databases or other high-value assets. It takes only a single employee to inadvertently grant a cybercriminal access to sensitive data: one click, or one weak or reused password, can hand criminals everything they need.
Once criminals settle on their preferred tactics, techniques and procedures (TTPs), they repeat them against more organisations or scale them across many employees. Scaling means automation: bots hijack credentials, data and money across many accounts simultaneously, and are well suited to spreading malware, cracking passwords and performing credential stuffing attacks at scale. Since a number of products can recognise bot activity, the problem might seem simple to solve. Unfortunately, the most sophisticated criminals first “fingerprint” a target, probing to learn which bot-detection controls are in place and whether their login attempts can be traced, and then adjust their techniques until their attempts go undetected.
Criminals then sell their commandeered goods (credentials and data) to an ever-widening circle of underground buyers as the breach matures. Overhead is low and the return on investment can be very high. Attack sequences like this can turn a single breach into a widespread event that companies may still take months to discover, causing significant brand and financial damage in the meantime.
The first 72 hours, months and years ahead
Cybercriminals are fast. When a criminal discovers a vulnerability on Day 0, they can sell it within 24 hours. By Day 2, a larger team of criminals has bought the vulnerability and used it to breach the organisation and steal employee or customer usernames and passwords; millions of credentials can be stolen within 48 hours of the vulnerability being exposed. By Day 3, those credentials are being used to actively take over employee or customer accounts.
Cybercriminals are also patient, and squeeze every last ounce of gain from a breach. Over the following months, and sometimes years, they use the stolen credentials to try to break into other accounts that share the same password or a derivative of it, which is common. In this credential stuffing technique, criminals quite literally “stuff” stolen credentials into the login forms of as many websites and apps as they can find. Every account that can be taken over is a new asset to monetise in underground markets.
Credentials harvested in the original breach are never deleted from the underground; eventually they reach less-sophisticated criminals who use simple tools to automate attacks at scale. This is why such a large percentage of login attempts at large online sites are malicious and fraudulent (and, because the tooling is crude, readily detected).
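What the stuffing and bot traffic described above looks like in login telemetry, and how a defender separates it from human retries, as an added example (not code from the original article). The log format, the thresholds and the sample lines are constructed for illustration; the user agent stands in for whatever client fingerprint a real deployment has available.

```python
"""Credential-stuffing detection over login telemetry (added example; the log
format, thresholds and sample lines are constructed for illustration)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "timestamp ip username result user_agent" per line.
# Three patterns: a user mistyping then succeeding, one IP walking a spilled
# list, and the same kind of list spread across a proxy pool with shared tooling.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 alice FAIL Mozilla/5.0
2024-05-01T10:00:09Z 198.51.100.7 alice OK Mozilla/5.0
2024-05-01T10:01:00Z 203.0.113.5 bob FAIL python-requests/2.31
2024-05-01T10:01:00Z 203.0.113.5 carol FAIL python-requests/2.31
2024-05-01T10:01:01Z 203.0.113.5 erin FAIL python-requests/2.31
2024-05-01T10:01:01Z 203.0.113.5 frank FAIL python-requests/2.31
2024-05-01T10:01:02Z 203.0.113.5 grace OK python-requests/2.31
2024-05-01T10:01:02Z 203.0.113.5 heidi FAIL python-requests/2.31
2024-05-01T10:02:00Z 192.0.2.11 ivan FAIL curl/8.4.0
2024-05-01T10:02:01Z 192.0.2.12 judy FAIL curl/8.4.0
2024-05-01T10:02:01Z 192.0.2.13 mallory FAIL curl/8.4.0
2024-05-01T10:02:02Z 192.0.2.14 oscar FAIL curl/8.4.0
2024-05-01T10:02:03Z 192.0.2.15 peggy FAIL curl/8.4.0
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool
    ua: str


def parse_log(text):
    """Parse the constructed log format into events sorted oldest first."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, ip, user, result, ua = line.split(" ", 4)
        events.append(LoginEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                 ip, user, result == "OK", ua))
    return sorted(events, key=lambda e: e.ts)


def _windows(events, window):
    """Yield, for each event, the slice of events within `window` after it."""
    for i, start in enumerate(events):
        j = i
        while j < len(events) and events[j].ts - start.ts <= window:
            j += 1
        yield events[i:j]


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.2):
    """IPs that try many distinct usernames with a low success rate in one window.

    A human retries one or two of their own accounts; a bot walking a spilled list
    tries each username once, and nearly every attempt fails.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    return {ip for ip, evs in by_ip.items()
            if any(len({e.user for e in w}) >= min_users
                   and sum(e.ok for e in w) / len(w) <= max_success_rate
                   for w in _windows(evs, window))}


def distributed_campaigns(events, window=timedelta(minutes=5), min_ips=5, max_success_rate=0.2):
    """Client fingerprints shared by many IPs that each make only a few attempts.

    The user agent stands in for a richer fingerprint (TLS handshake, header order).
    Per-IP rules miss a list spread over a proxy pool; the shared tooling ties it
    together, until the attacker rotates fingerprints to slip past this rule too.
    """
    by_ua = defaultdict(list)
    for e in events:
        by_ua[e.ua].append(e)
    return {ua for ua, evs in by_ua.items()
            if any(len({e.ip for e in w}) >= min_ips
                   and len({e.user for e in w}) >= min_ips
                   and sum(e.ok for e in w) / len(w) <= max_success_rate
                   for w in _windows(evs, window))}


def accounts_to_reset(events, bad_ips, bad_uas):
    """Accounts a flagged source logged into: those passwords are confirmed spilled
    and reused, so reset them rather than merely rate-limiting the source."""
    return {e.user for e in events if e.ok and (e.ip in bad_ips or e.ua in bad_uas)}


def analyse(text=SAMPLE_LOG):
    events = parse_log(text)
    ips, uas = stuffing_sources(events), distributed_campaigns(events)
    return ips, uas, accounts_to_reset(events, ips, uas)
```

On the constructed sample, `analyse()` flags 203.0.113.5 as a stuffing source (six usernames, one success), flags the curl fingerprint as a distributed campaign (five IPs, one attempt each) that no per-IP rule would catch, and reports grace’s account as one whose password is confirmed spilled and must be reset. The one success in the burst is the point: a stuffing run that is mostly failures still yields real takeovers, which is why detection alone arrives too late.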
The proactive defence
Prevention depends on detection early in the breach timeline, preferably on the day the credentials are harvested. Existing products that detect bots or suspicious IP addresses rely on a combination of AI, machine learning and data scraped from the deep and dark web. But given that time is of the essence, organisations cannot afford to wait for a bot-detection tool, a scraper or an AI-driven security information and event management (SIEM) system to eventually raise an alert.
The single most effective way to prevent account takeovers early in the timeline is to know when customers’ or employees’ credentials have spilled and to reset the affected passwords before a criminal can use them; screening new passwords against known spills at the same time stops users from simply re-entering a compromised value. That remediation process is the proactive path to ensuring that criminals cannot keep leveraging data from compromised accounts and cannot expand a credential spill into a full-scale breach.
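One way to implement that check at login and at password-change time, as an added example that is not the article’s own code: a compromised-password lookup that sends the server only the first five hex characters of a SHA-1 hash and matches the rest locally, so the service providing the spill data never learns which password is being checked. The protocol shape follows the k-anonymity range-query design used by Have I Been Pwned’s Pwned Passwords API; here both sides run in one process against a constructed corpus, and the policy strings (`allow`, `force_reset`, `deny`) are assumptions for illustration.

```python
"""Spilled-credential check via a k-anonymity range query (added example).

Both sides of the exchange run here, offline. The spill corpus is constructed;
the protocol shape (send a short SHA-1 prefix, receive every suffix in that
range, match locally) follows the range-query design used by Have I Been
Pwned's Pwned Passwords API.
"""
import hashlib
from collections import defaultdict

# Constructed corpus: passwords assumed to have appeared in breaches, with the
# number of times each was seen. Real corpora hold hundreds of millions.
SPILLED_PASSWORDS = {
    "123456": 37_000_000,
    "password": 9_000_000,
    "qwerty": 4_000_000,
    "letmein": 500_000,
    "Summer2017!": 1_200,
}

PREFIX_LEN = 5  # hex chars sent over the wire: 20 of the hash's 160 bits


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class SpillServer:
    """Holds only hashes of spilled passwords, bucketed by their prefix."""

    def __init__(self, corpus):
        self.buckets = defaultdict(dict)
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.buckets[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = count

    def range_query(self, prefix):
        """Return every suffix and count in the bucket. The server learns only
        the prefix, so it cannot tell which password (if any) the caller holds."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        return dict(self.buckets.get(prefix, {}))


def times_spilled(server, password):
    """Client side: send the prefix, compare the suffix locally."""
    h = sha1_hex(password)
    return server.range_query(h[:PREFIX_LEN]).get(h[PREFIX_LEN:], 0)


def login_decision(server, password_ok, password):
    """Policy applied after normal verification. A correct but spilled password
    is treated as compromised: the session exists only to force a reset."""
    if not password_ok:
        return "deny"
    return "force_reset" if times_spilled(server, password) else "allow"


def accept_new_password(server, candidate, min_len=8):
    """Reject spilled values at change time (the screening NIST SP 800-63B
    recommends), so a forced reset does not just re-enter a spilled password."""
    return len(candidate) >= min_len and times_spilled(server, candidate) == 0


if __name__ == "__main__":
    server = SpillServer(SPILLED_PASSWORDS)
    for pw in ("letmein", "correct horse battery staple"):
        print(pw, "->", login_decision(server, True, pw))
```

The hash is unsalted by design: the lookup has to match the same password across unrelated sites, and the hash itself never leaves the client. What does leave it is a 20-bit prefix that, against a corpus of hundreds of millions of entries, corresponds to hundreds of candidate hashes, which is the anonymity the range query buys. The `force_reset` branch is the proactive step the section describes: the credential is known to be spilled, so the account is remediated before a stuffing bot gets to prove it.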
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.