German businesses are digitalizing their systems and joining the digital supply chain, but this brings a corresponding increase in the risk of cyber attack.
As we learned in our previous article “10 known cyber espionage groups and how to protect yourself“, there are a great number of advanced persistent threat (APT) groups out there looking to spy on or harm companies both public and private.
But what are the most common attack vectors that these groups, and others like them, are using? And how do you harden your systems against such attacks? Let’s take a look.
Today’s threat vectors:
- Supply chain compromise
- Malware
- Ransomware
- Phishing
- Threats from within
1. Supply chain compromise
What do we mean by supply chain compromise?
The world’s supply chain is highly digital these days, with most modern companies utilizing digital services in at least some capacity. Indeed, it’s quite rare to find a business in Germany that is not relying on a third-party vendor for some outsourced service or tool.
This reliance on another company’s services means your system becomes connected to theirs – an attack on one side could now compromise the other.
How can APTs abuse the digital supply chain?
Today, APTs sometimes only need to attack one company to gain a foothold in a raft of others. If they were to compromise a software vendor, for example, they could theoretically piggy-back on that company’s platform right into the heart of hundreds of clients (which has happened in real life – see case study below).
So, an attack up or down the digital supply chain isn’t just a problem for the vendor, but for its partners. You could have the best security in the world but if they don’t, you’re at risk.
Case study – SolarWinds: The 2020 SolarWinds incident is one of the best modern examples of large-scale supply chain compromise. A state-backed group, attributed by the US government to Russia’s foreign intelligence service, inserted a backdoor (known as SUNBURST) into the build of SolarWinds’ Orion network monitoring platform. Because the trojanized update was built and signed through SolarWinds’ own pipeline, it looked like any other patch, and roughly 18,000 Orion customers installed it. The attackers then hand-picked a far smaller number of those environments for follow-on intrusion, including Microsoft, several US federal agencies and the Department of Energy’s National Nuclear Security Administration. One intrusion at the vendor therefore turned into a foothold in thousands of networks, with no need to attack each one individually.
How to mitigate the risk of digital supply chain compromise
- Investigate and assess third parties: Every time you are about to engage with a third party, and for all the third parties you already work with, thoroughly investigate and assess their risk. What security measures have they taken to protect their systems? How do they build, sign and distribute updates to you, and how quickly do they patch? If you can gain access to their code, how secure is it? Any evidence you can obtain about how they protect themselves (audit reports, penetration-test summaries, their vulnerability disclosure and patch process) is information you can use to decide whether the benefit of their product outweighs the risk of connecting your two systems.
- Make those risks visible: Key people in your enterprise must be aware of the risks of each third-party vendor. Obviously your security teams and key technology leaders will need to be involved, but this risk should be visible at board level too. If board directors aren’t tech people themselves, present the information relevant to them in a manner they will understand. That isn’t to say condescend to them; rather, if they think in terms of finances and business impact, not servers, code and IT jargon, present the information in the former, not the latter. Your job is to educate them, not to tick a box.
- Keep up to date: The risks your organization faces will change over time. Thus, it’s hugely important that you and your security leaders keep up to date with risk exposure – that is, current threats, important threat events around the world, trends in your industry, and active threat actors (like our list of 10 APTs).
Bonus tip: Try to keep aware of the threats facing your suppliers, too. Their threat landscape will likely differ from yours, but could still impact your company.
- Prioritize risks: As soon as you dig into risks, you’ll likely find a lot. But they aren’t all made equal. In terms of ‘what to do first’, prioritize risks by likelihood and significance of impact – high likelihood and high impact should be dealt with first, and vice versa.
- Keep a diverse set of suppliers: Locking yourself into just one vendor might feel convenient but it is its own risk. A diverse set of suppliers gives you access to a range of technology, lets you pick the best of the best and, importantly, spreads your security risk a little. Remember that every additional supplier is also an additional connection to assess, so diversity is not a substitute for the assessment above.
2. Malware
What is the problem with malware?
For those of you who aren’t sure what the term means, ‘malware’ is a general name for software designed to harm, spy on or disrupt a system. Computer viruses are one type of malware, although there are many others.
Malware is the classic cyber attack vector; it predates the world wide web, and even with today’s anti-malware tooling it remains a huge issue. The German BSI counted around 322,000 new malware variants per day in the reporting period of its 2020 situation report.
Some other examples of malware include: ransomware, which we describe below; keyloggers, which record the keystrokes typed on a machine; trojans, which enter systems disguised as something legitimate; droppers, whose job is to install further malware; worms, which replicate and spread on their own; bots, which place an infected machine under an attacker’s remote control; and wipers, which exist purely to destroy data.
How are APTs using malware?
Unfortunately, APTs use malware in as many ways as there are kinds of malware, which is why it is so hard to stop. Groups often develop custom malware for the delivery channels they prefer (e.g. phishing, see below). But they also share tooling with other groups and abuse legitimate software for their own purposes: Cobalt Strike, for example, is a commercial red-team tool that both legitimate testers and criminal groups use, which makes its presence alone a weak signal.
There are many ways attackers deliver malware into a system. Phishing is hugely common, but there are others: trojanized files that pretend to be something they are not (say, an executable named to look like a PDF), spoofed websites that look real but exist to steal your credentials or push a download, and macros inside seemingly safe Word or Excel files.
Case study – Bouncing Golf: Bouncing Golf is an APT that has been detected in the Middle East, targeting military-related data. This group tries to sneak its software onto its victims’ mobile devices; its malware poses as legitimate applications about news, sports, lifestyle and so forth, so that people will download it. This then gives the attackers access to the victim’s device, where they can see files, call logs, SMS messages, device location, and more. They can also steal files from the device and download more onto it.
How to mitigate the risk of malware infection
- Vulnerability scanning: Vulnerability scanning tools check your hosts and applications for common entry points: missing patches, software with known vulnerabilities, exposed services and weak configurations. A scan is only worth running if the findings are actually fixed; an unpatched finding is exactly what an attacker’s own scan will turn up.
- Antivirus/anti-malware software: There’s a reason antivirus is considered ‘stopping viruses 101’. Business-grade products scan your systems for suspicious files, watch incoming files, warn you of suspicious websites, and are updated continuously with the latest malware discovered by the world’s security researchers. Bear in mind that signature-based detection is weakest against exactly the custom malware APTs write; products that also look at behaviour (EDR) close some of that gap.
- Encrypt sensitive information: Data in transit, especially sensitive data such as customer information, must be encrypted, and so should data at rest. Encrypted data is scrambled and illegible without the key, so even if it were intercepted or stolen it could not be read. Note the limit of this control: malware running under a legitimate user’s account usually gets the data in the clear, just as that user would, so encryption limits what a stolen copy is worth rather than stopping the infection itself.
- Network intrusion prevention systems (IPS): Where antivirus looks at your files, an IPS monitors communications. It looks for suspicious activity within network packets and takes action, either blocking the traffic or alerting you to it. So, anti-malware blocks software, IPS blocks traffic. An IPS can only judge what it can see, so encrypted traffic needs TLS inspection or endpoint telemetry to cover the same ground.
3. Ransomware
What is ransomware?
Ransomware is one type of malware. Once it runs inside a system it encrypts files, and sometimes whole machines, so that users lose access. The attackers then demand a ransom in return for the decryption key (hence the name).
Bonus fact: According to Sophos’ 2021 State of Ransomware report, the average ransom paid was US$170,404, but only 8% of organizations that paid got all of their data back (Sophos).
There are two common types of ransomware:
- Lockscreen ransomware: This infection locks the computer and fills the screen with a message telling the victim they must pay to get access back. The computer is not usable in that time, but the files underneath are typically left intact, so a lockscreen can often be removed without paying.
- Crypto-ransomware: This infection encrypts the victim’s files with a key that only the attacker holds. Without that key the files are unrecoverable (short of restoring from backup), and the ransom is demanded in exchange for it.
How do APTs use ransomware?
As you can see, the point of ransomware is to disrupt activity and force someone to pay up.
This is usually criminal rather than state activity, with the goal of making money rather than spying on or sabotaging targets, so it is most often the work of independent criminal groups rather than state-backed actors. The line is not absolute: state-linked groups have used ransomware both to raise funds and as cover for destructive attacks.
One thing to note is that ransomware is often the final stage of a long chain of activities: phishing, social engineering, vulnerability scanning (yes, APTs use the same scanners companies do to look for vulnerabilities, but to exploit rather than patch), privilege escalation and, increasingly, exfiltration of data before encryption so that the victim can also be threatened with a leak. This makes it critical to detect the earlier stages in advance.
Case study – New Zealand Waikato District Health Board: Even small, out-of-the-way countries are at risk. New Zealand might not seem like a big target, but in 2021 the district health board (DHB) of its Waikato region was struck by the worst cyber attack in the country’s history to date. The attackers took the DHB’s systems offline (computers and phones alike), gained access to confidential files and demanded a ransom. This disrupted vital medical care, with services taking weeks to restore. In this case the NZ government chose not to pay.
How to mitigate a ransomware attack
- Perform regular data backups: If your systems are backed up regularly, the effects of ransomware will be less severe: instead of losing everything, you may lose only a few days’ worth of files. That is still not ideal, but it cuts the damage considerably.
Bonus point: Backups must be stored off-system, ideally offline or in immutable storage, and reachable only with credentials the production environment cannot use, because attackers routinely hunt for and encrypt or delete backups before triggering the ransomware. Test restores regularly; a backup that has never been restored is an assumption, not a control. And remember that backups do nothing against the threat of leaking data that was exfiltrated before encryption.
- Keep an eye on your systems: As we mentioned, ransomware is the killing blow at the end of a long line of activities. In the build-up to that point, suspicious activity will usually have already occurred within your system: files will have been downloaded or modified, new accounts or scheduled tasks created, backups touched. You must monitor for such activities at all times.
Examples: Large quantities of file modifications or renames in user directories within a short time, the mass appearance of a new file extension, or, in cloud systems, storage objects being overwritten with encrypted copies or earlier versions being deleted.
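The monitoring point above is easiest to see on a concrete log. The following script is an added example, not part of the original article: it runs two simple detections over a constructed file-server audit trail (the line format, the paths and the users are assumptions for the demo). One rule flags a burst of file events from a single account inside a short window; the other flags mass renaming to one uniform new extension, the “.locked”-style suffix many crypto-ransomware families append. Both patterns appear minutes before the ransom note, which is the moment the article says you need to catch.

```python
"""Spotting ransomware precursors in file-activity logs.

Added example (not from the original article). The log lines are constructed
here to look like a file-server audit trail; the format is an assumption:
<ISO-8601 UTC time> <user> <MODIFY|RENAME|DELETE> <path> [-> <new path>]
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(MODIFY|RENAME|DELETE)\s+(\S+)(?:\s+->\s+(\S+))?$"
)


def parse(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2), "op": m.group(3),
            "path": m.group(4), "new": m.group(5)}


def detect(lines, window=timedelta(seconds=60), burst=50,
           min_renames=20, rename_share=0.8):
    """Return alert strings for two ransomware patterns, evaluated per user:

    1. a burst of file events (>= `burst` within `window`), and
    2. mass renaming where >= `rename_share` of a user's renames end in the
       same new extension.
    Each pattern fires once per user so one incident does not flood the queue.
    """
    alerts = []
    recent = defaultdict(deque)                      # user -> timestamps inside window
    renames = defaultdict(int)                       # user -> total renames seen
    new_ext = defaultdict(lambda: defaultdict(int))  # user -> new extension -> count
    fired = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop events that fell out of the window
            q.popleft()
        if len(q) >= burst and (user, "burst") not in fired:
            fired.add((user, "burst"))
            alerts.append(f"{user}: {len(q)} file events within {int(window.total_seconds())}s")
        if ev["op"] == "RENAME" and ev["new"]:
            renames[user] += 1
            ext = os.path.splitext(ev["new"])[1].lower()
            new_ext[user][ext] += 1
            top_ext, top = max(new_ext[user].items(), key=lambda kv: kv[1])
            if (renames[user] >= min_renames
                    and top / renames[user] >= rename_share
                    and (user, "rename") not in fired):
                fired.add((user, "rename"))
                alerts.append(f"{user}: {top} of {renames[user]} renames end in '{top_ext}'")
    return alerts


def sample_log():
    """Constructed audit trail: bob edits normally, alice's account encrypts a folder."""
    base = datetime(2021, 5, 18, 3, 14, 0, tzinfo=timezone.utc)
    stamp = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(6):  # six ordinary saves spread over an hour
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t:{stamp}} bob MODIFY /srv/share/finance/budget_{i}.xlsx")
    for i in range(60):  # 60 files rewritten and renamed within about 30 seconds
        t = base + timedelta(milliseconds=500 * i)
        lines.append(f"{t:{stamp}} alice MODIFY /home/alice/docs/file_{i}.docx")
        lines.append(f"{t:{stamp}} alice RENAME /home/alice/docs/file_{i}.docx "
                     f"-> /home/alice/docs/file_{i}.docx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print("ALERT", alert)
```

The thresholds are deliberately parameters: a build server legitimately rewrites thousands of files a minute, so tune per host class rather than globally. The same two rules translate directly to cloud object storage, where the equivalent signal is a burst of overwrites or version deletions against one bucket from a single identity.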
4. Phishing
What is phishing?
Phishing is one of the most common attack vectors used by the world’s most notorious APTs. It is the act of trying to get a user to perform an action (e.g. click a link, download a file, enter a password) by pretending to be a legitimate source. Mass email phishing, which arrives alongside ordinary spam, has been around for decades, but these days phishing can also be highly complex, involving long-term social engineering via social media and other channels.
Bonus fact: The FBI found phishing to be the most common cyber crime in the US, and it has only gotten worse (FBI).
Phishing versus spear phishing
You’ll see in our top 10 APTs article, and around the web, the mention of both phishing and ‘spear phishing’. Spear phishing is the same thing, but far more targeted – whereas phishing casts a wide net with the hopes that as many as possible will fall victim, spear phishing focuses on attacking highly specific individuals with more advanced techniques.
How are APTs using phishing to attack targets?
Some of the world’s more common phishing techniques include:
- Sending seemingly innocuous messages (such as email or SMS) that encourage a victim to download a file.
- Compromising someone’s email or phone in order to send phishing messages to their contacts.
- Designing fake websites to appear legitimate, often used to harvest people’s credentials.
- Compromising existing websites to seem trustworthy (coming from a recognizable source) and achieve the same end as above.
- Complex social engineering and relationship building to gain trust, in order to attack in future.
Case study – Charming Kitten social engineering: Charming Kitten is an infamous APT believed to be working for Iranian interests that has become adept at social engineering. For example, in a famous case the group used social media channels to pose as journalists and build relationships with potential victims. After a degree of trust had been established, they encouraged victims to sign up for a ‘webinar’ which was, of course, actually malicious.
How to mitigate the risk of phishing attempts
- Protect yourself from malware: Our advice on protecting against malware is highly relevant here. If your systems are hardened against suspicious activity and capable of monitoring for such events, even if a staff member falls victim to phishing you’ll still have those important safety nets.
- Train your people: Not everyone is tech savvy. What might seem like obvious phishing to you may seem legitimate to someone untrained. So, prepare training for all members of staff – from top to bottom – about how to spot suspicious activity, and what to do if they encounter it.
- Restrict certain functions: Certain file types (e.g. .exe or .pif) are used commonly in phishing and you may be able to block people’s ability to download or open them without permission. Check the content, not just the file name, since attackers rename executables to look like documents. The same goes for websites you deem suspicious.
- Require multi-factor authentication: A harvested password should not be enough on its own. Phishing-resistant factors such as FIDO2 security keys defeat even a convincing fake login page, because the key will not sign in to a site whose origin does not match the one it was registered with.
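The malware-delivery tricks described earlier (an executable dressed up as a PDF, macros inside an Office file) and the file-type restriction in the last bullet both come down to one check: what is this attachment really? The script below is an added example, not code from the original article or from any product it mentions. It compares an attachment’s claimed extension with its leading bytes, catches double extensions, and looks inside modern Office files for the vbaProject.bin part that marks a macro-enabled document. The attachment contents are constructed stand-ins, not real samples.

```python
"""Attachment triage: check what an attachment actually is, not what its name says.

Added example (not from the original article). The byte strings below are
constructed stand-ins for attachments, not real malware samples.
"""
import io
import os
import zipfile

# Leading bytes of the formats discussed in the article: PDF, Windows
# executables (PE files start with "MZ"), legacy binary Office files (OLE
# compound documents) and modern Office files (OOXML, which is a ZIP container).
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "pe",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",
    b"PK\x03\x04": "zip",
}

# What the extension claims the content should be.
EXPECTED = {
    ".pdf": "pdf", ".exe": "pe", ".pif": "pe", ".scr": "pe",
    ".doc": "ole", ".xls": "ole", ".ppt": "ole",
    ".docx": "zip", ".docm": "zip", ".xlsx": "zip", ".xlsm": "zip",
}

# Extensions Windows will execute that have almost no legitimate use in mail.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd",
                      ".js", ".vbs", ".hta"}

# Harmless-looking extensions attackers put before the real one ("invoice.pdf.exe").
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def sniff(data):
    """Identify the content by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def ooxml_has_macros(data):
    """Macro-enabled OOXML files carry a vbaProject.bin part inside the ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename, data):
    """Return the reasons to quarantine an attachment; an empty list means allow."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
        if inner_ext in DOCUMENT_LIKE:
            reasons.append(f"double extension {inner_ext}{ext}")
    kind = sniff(data)
    if kind == "pe" and ext not in BLOCKED_EXTENSIONS:
        reasons.append(f"Windows executable disguised as {ext or 'a file without extension'}")
    elif ext in EXPECTED and kind != "unknown" and kind != EXPECTED[ext]:
        reasons.append(f"content type {kind} does not match extension {ext}")
    if kind == "zip" and ooxml_has_macros(data):
        reasons.append("Office document contains VBA macros")
    if kind == "ole" and ext in {".doc", ".xls", ".ppt"}:
        # Legacy binary formats can hold macros too, but this check cannot see them.
        reasons.append("legacy binary Office format, macros cannot be ruled out here")
    return reasons


def build_ooxml(with_macros):
    """Construct a minimal OOXML-shaped ZIP for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stand-in VBA project")
    return buf.getvalue()


# Constructed stand-ins for mail attachments.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"
FAKE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for name, blob in [("invoice.pdf.exe", FAKE_PE), ("report.pdf", FAKE_PE),
                       ("quarterly.docm", build_ooxml(True)),
                       ("notes.docx", build_ooxml(False)),
                       ("brochure.pdf", FAKE_PDF)]:
        print(f"{name:18} -> {triage(name, blob) or 'allow'}")
```

Note what the last rule admits: a legacy .doc or .xls file can carry macros that this check cannot see, so the practical policy is to route those to a sandbox or block them outright rather than trust the extension. The same applies to archives and ISO images, which attackers use to wrap executables so that the outer file passes a naive extension filter.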
5. Threats from within
What do we mean by threats from within?
We’ve talked a lot so far about threats from without, but there’s always going to be a risk that someone inside your company is themselves a potential threat.
Here we’re not talking about the possibility of innocent human error, although that is always a risk. No, our point here is actually about the very real risk that someone somewhere in the company is being radicalized – either by people they know in person, or via online forums.
- Radicalization? These days we often associate ‘radicals’ with religious extremism. However, someone can be radicalized for a host of reasons, such as religious, political or environmental conviction, or simply extreme negative emotions (e.g. disgruntlement) that are egged on by others.
The internet and social media have made this problem worse. There is now an echo chamber effect online which can exacerbate the risk of radicalization. Facebook and Twitter are particularly prone to creating echo chambers, as users flock to like-minded individuals, and then content algorithms serve up ‘desirable’ content, digging them further and further into their information bubble.
Read more: “The echo chamber effect on social media“
How can APTs use radicalization to attack an enterprise?
There are any number of ways a cyber threat group could use someone on the inside, and a person already on the edge does not need much of a push. If an individual or group that wishes to do your company harm is able to set up an ‘inside man’, as it were (by cultivating that person’s viewpoint or emotional state), it is already in a position to compromise your business from the inside, bypassing the perimeter security measures that stop outsiders.
They might ask that staff member to inject malware into the company computers, to send phishing attacks via their accounts so that they appear to come from a trusted source, or some other form of attack.
Case study – US Armed Forces: The US Armed Forces are learning they must fight radicalization within their own ranks. According to MilitaryTimes’ annual survey of active duty troops, over a third of respondents (36%) said they had witnessed ideology-driven racism such as white nationalism in 2019, up from 22% the year prior (MilitaryTimes).
Contextualizing this to business: Anyone with a social media connection runs the risk of falling into an echo chamber, and anyone runs the risk of growing bold enough (or angry enough) to act on their changing beliefs. If this were to happen to someone with access to your business network, it could be hugely damaging.
How to mitigate the threat from within
- Turn to Zero Trust: Zero Trust is a model in which your business grants no implicit trust based on where a request comes from; a request from behind the firewall is treated exactly like one from the internet, because the person behind it could be compromised, radicalized or, more commonly, simply mistaken. Every access is authenticated and authorized on its own merits: who is asking, from which device and in what state, for what resource, when, and for how long. Permissions are kept to the minimum each role needs, and every decision is logged so that suspicious activity can be spotted.
- Use your company culture: A supportive and protective company culture could help prevent someone from becoming radicalized in the first place. Look to invest in mental health support and employee wellness programs, career support, social clubs, and all of those different activities that are so important for people’s social, mental and physical wellbeing.
- Again, protect against outside threats: Knowing how to protect your systems against malware, supply chain compromise, ransomware, etc., and monitoring for suspicious activity as defined above, can help you in the event that someone does try to attack your company.
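To make the Zero Trust bullet concrete, here is an added example (not from the original article, and not any vendor’s product) of what a deny-by-default access decision looks like in code. The groups, resources, rules and requests are invented for the demo. Note that the request carries no “inside the office network” flag at all: the decision is driven by who is asking, whether their device is managed, whether they used a second factor, what they want to do, and when.

```python
"""Deny-by-default access decisions in the Zero Trust style the article describes.

Added example (not from the original article). The groups, resources and
rules are invented for the demo; a real deployment would load them from the
identity provider and policy store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_managed: bool   # device enrolled in management and passing posture checks
    mfa: bool              # session authenticated with a second factor
    resource: str
    action: str
    at: datetime
    # Deliberately no "source IP" or "inside the firewall" field:
    # network location grants nothing under Zero Trust.


@dataclass(frozen=True)
class Rule:
    name: str
    group: str
    resource_prefix: str
    actions: frozenset
    require_managed_device: bool = True
    require_mfa: bool = True
    hours_utc: tuple = (0, 24)  # half-open window of UTC hours in which the rule applies


def evaluate(req, rules):
    """Return ("allow", rule name) for the first fully satisfied rule, else ("deny", why).

    The who/what/when/how-long questions from the article map to group,
    resource+action, hours_utc and per-request re-evaluation respectively.
    """
    why = []
    for rule in rules:
        if (rule.group not in req.groups
                or not req.resource.startswith(rule.resource_prefix)
                or req.action not in rule.actions):
            continue  # rule is not about this user, resource or action
        if rule.require_managed_device and not req.device_managed:
            why.append(f"{rule.name}: unmanaged device")
            continue
        if rule.require_mfa and not req.mfa:
            why.append(f"{rule.name}: MFA required")
            continue
        start, end = rule.hours_utc
        if not start <= req.at.hour < end:
            why.append(f"{rule.name}: outside permitted hours")
            continue
        return ("allow", rule.name)
    return ("deny", "; ".join(why) or "no matching rule")


RULES = [
    Rule("finance-read", "finance", "finance/", frozenset({"read"})),
    Rule("finance-write", "finance", "finance/", frozenset({"write"}), hours_utc=(7, 19)),
    Rule("prod-deploy", "sre", "prod/", frozenset({"deploy"})),
]


def demo_requests():
    """Constructed requests covering allow, time-bound deny, posture deny and no-rule deny."""
    day = datetime(2021, 5, 18, 10, 0, tzinfo=timezone.utc)
    night = datetime(2021, 5, 18, 23, 30, tzinfo=timezone.utc)
    fin = frozenset({"finance"})
    sre = frozenset({"sre"})
    return [
        Request("alice", fin, True, True, "finance/q1.xlsx", "read", day),
        Request("alice", fin, True, True, "finance/q1.xlsx", "write", night),
        Request("alice", fin, False, True, "finance/q1.xlsx", "read", day),
        Request("bob", sre, True, True, "finance/q1.xlsx", "read", day),
        Request("bob", sre, True, False, "prod/api", "deploy", day),
    ]


if __name__ == "__main__":
    for r in demo_requests():
        decision, reason = evaluate(r, RULES)
        # Every decision, allowed or denied, is logged: that log is the
        # "keep an eye out for suspicious activity" part of the model.
        print(f"{decision:5} {r.user:6} {r.action:6} {r.resource:16} {reason}")
```

The important property is the last line of evaluate: if no rule explicitly allows the request, it is denied, and the reasons collected on the way are what you log and alert on. An insider with valid credentials still only reaches what their role needs, from an enrolled device, during the hours the role is expected to work.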
You’ll see that a lot of the threat mitigation strategies we have discussed today could be applied to multiple threats. Essentially, a company that is capable of monitoring for suspicious activity, blocking it as it occurs, and defending against it should it enter the system, is capable of being reactive and mitigating a wide range of potentially damaging attacks.
Of course, prevention is almost always the best option. That’s where training, support and monitoring come into play, to enable you to keep an eye on not just your technology but your people, so you can provide a safe, healthy environment for them to work within.
Finding this overwhelming? We can help
At dig8ital, we’re experts in cyber attack mitigation and have been working with some of Europe’s biggest companies for years to help them digitally transform into modern, flexible, defensible enterprises. Contact us today for a free maturity consultation.