As we learned in our annual spotlights on Germany and Spain, there are a variety of cyber threats currently targeting European organizations – from a multitude of directions. In this article, we explain some of the most common cyber attack vectors threatening businesses in 2022, and how malicious actors are utilizing them.
Today’s threat vectors are:
- Social engineering
- Business email compromise
- Cloud misconfiguration
- Malware and ransomware
- Supply chain compromise
- Malicious insiders
1. Social engineering
What is social engineering?
Social engineering is a broad term that we’re using today to cover a variety of attack vectors. These include terms you will have likely heard before such as phishing or spear-phishing, but it also covers smishing, business email compromise (BEC), watering hole attacks and anything else that involves the manipulation of a person.
In fact, according to the Identity Theft Resource Center’s 2021 Data Breach Report, smishing, phishing and BEC were the most common cause of cyber breaches in 2021 (33%), higher even than ransomware (22%).
How do social engineering attacks work?
They all work a little differently, but with the same objective. Social engineering attacks generally try to manipulate a person’s actions by tricking them. Often attackers put content in front of the target victim that poses as genuine and trustworthy. The victim is lured into engaging with this content, clicking through to a website or downloading a file, which allows the attackers either to steal credentials (see below) or to install malware on the target device.
But social engineering isn’t just scam emails and fake websites
Targeted social engineering campaigns can have long lead times, where attackers scope out potential victims, find vulnerable but valuable targets, build trust using a variety of techniques – such as fake social media profiles purporting to be journalists or industry peers – and then bait the victims into the trap. This process can take weeks, even months.
An attacker highly skilled in social engineering may not even need spoofed content, if they can convince someone via phone or private messaging to hand over their details willingly.
How to mitigate the risk of social engineering attacks
- Train your people: Not everyone is tech savvy. What might seem like obvious phishing to you may seem legitimate to someone untrained. So, prepare training for all members of staff – from top to bottom – about how to spot suspicious activity, and what to do if they encounter it.
- Protect yourself from malware: Our advice on protecting against malware below is highly relevant here. If your systems are hardened against suspicious activity and capable of monitoring for such events, even if a staff member falls victim to phishing you’ll still have those important safety nets.
- Restrict certain functions: Certain file types (e.g. .exe or .pif) are commonly used in phishing, and you may be able to block people’s ability to download them without permission. The same goes for websites you deem suspicious (blocklisting); the stricter approach, allowing access only to approved sites, is known as allowlisting.
- Operate a ZeroTrust model: The principles of ZeroTrust help add an extra layer of security around a business’s critical systems by using better, smarter security controls.
2. Business email compromise
Before we move on, we need to warn you in a bit more detail about the threat of business email compromise (BEC).
Ransomware (see below) tends to grab most of the big media headlines, but it’s not the top scam in terms of financial loss. BEC, which almost nobody really talks about, costs significantly more per year: in the US alone, the FBI noted that BEC cost organizations US$2.4 billion in 2021 – ransomware only cost $42 million.
What is BEC?
It’s where cyber criminals send company employees emails with a specific request, pretending to be from a legitimate source (such as someone else in the company, a known vendor, etc.). It could be a request for a money transfer, a fraudulent invoice with an urgent payment deadline, or perhaps an order to go and buy a bunch of gift cards that will be used as “employee rewards”. Of course, all the money goes to the scammer.
Often BEC scammers use fake email addresses and hope no one will double check the name. Other times they use real email accounts – scamming a real employee out of their credentials, logging into their account, and sending fraudulent messages from it. This latter method is exceedingly dangerous, and hard to spot, because the scam comes from a trusted source.
There is another type of BEC called conversation hijacking, where a scammer using someone else’s account will jump into an existing email chain with their financial request.
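The fake-address tricks described above (a colleague’s display name on an external address, a lookalike domain, a diverted Reply-To, payment wording) can be screened for at the mail gateway. The following is an added example, not code from the original article or from dig8ital; the staff directory, internal domain and keyword list are constructed for illustration:

```python
import re
from email.utils import parseaddr

# Constructed staff directory and internal domain for this example (not real data).
INTERNAL_DIRECTORY = {
    "Anna Schmidt": "anna.schmidt@example.com",
    "Lukas Weber": "lukas.weber@example.com",
}
INTERNAL_DOMAINS = {"example.com"}
# Illustrative phrases typical of payment-themed BEC requests.
PAYMENT_KEYWORDS = ("wire transfer", "invoice", "gift card", "urgent payment")


def _normalize(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().casefold()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_message(from_header: str, subject: str, body: str, reply_to: str = "") -> dict:
    """Collect BEC indicators for one inbound message; flag it when two or more fire."""
    display_name, address = parseaddr(from_header)
    address = address.casefold()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    indicators = []

    # Display name matches a colleague, but the address is not that colleague's.
    known = {_normalize(n): a.casefold() for n, a in INTERNAL_DIRECTORY.items()}
    expected = known.get(_normalize(display_name))
    if expected and address != expected and domain not in INTERNAL_DOMAINS:
        indicators.append("display_name_impersonation")

    # Reply-To diverts replies away from the visible sender.
    reply_addr = parseaddr(reply_to)[1].casefold()
    if reply_addr and reply_addr != address:
        indicators.append("reply_to_mismatch")

    # Sender domain is one character away from an internal domain (e.g. examp1e.com).
    if domain and domain not in INTERNAL_DOMAINS and any(
        _edit_distance(domain, d) == 1 for d in INTERNAL_DOMAINS
    ):
        indicators.append("lookalike_domain")

    # Payment-themed wording in subject or body.
    text = f"{subject}\n{body}".casefold()
    if any(k in text for k in PAYMENT_KEYWORDS):
        indicators.append("payment_request")

    return {"address": address, "indicators": indicators, "suspicious": len(indicators) >= 2}
```

These checks only catch spoofed or lookalike senders; a request sent from a genuinely compromised internal account passes every one of them, which is why the out-of-band payment verification below still matters.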
How to mitigate the risk of BEC
- Raise cyber awareness generally: This isn’t a technology problem, it’s a social engineering problem (for the most part). The more your team knows how to spot scam emails, and what is or is not legitimate, the more likely they are to raise concerns if they spot unusual behavior.
- Set up multi-factor authentication for business accounts: That way even if someone’s password is stolen, a scammer will still struggle to get into their email account.
- Consider an in-person or phone-based policy for payment request verifications: You could look to institute a policy where all payment or purchase requests sent via email are verified either in person or over the phone. Consider it multi-factor authentication for payments.
3. Cloud misconfiguration
What is misconfiguration?
Misconfiguration is a term for the poor configuration of an organization’s systems, of which cloud storage has become an increasingly common example. Due to the inherent accessibility of the cloud, it’s quite easy to get the security settings wrong and so leave company data exposed, giving non-employees full or partial access.
Don’t the big cloud providers offer security?
The big cloud providers like Amazon and Google do have highly secure servers, yes. Misconfiguration isn’t a problem at their end but at the user’s end, where incorrect settings can, for example, leave a private folder set to public so that anyone can get into it with just a link.
To put it into perspective: the cost of issues due to misconfigured cloud servers is 12 times higher than worldwide investment in cloud (DivvyCloud). Additionally, 80% of companies have experienced a cloud data breach within the past 18 months and the leading cause was misconfiguration (67%) (IDC).
Examples of common misconfiguration errors:
- Incorrect/insufficient access management settings
- Lack of visibility into access management
- Lack of control over access to resources
- Overly complex infrastructure
- Unpatched systems
- Unencrypted files
- Out-of-date web applications
- Unsecured devices
- Insufficient firewall protection
- Using default credentials (i.e. usernames and passwords)
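The “private folder set to public” case above usually comes down to an access policy whose principal is everyone. The following is an added example, not code from the original article or from dig8ital: a small checker that reads a storage bucket policy in the common JSON policy format and flags Allow statements with a wildcard principal. The two policies, bucket name and account id are constructed for illustration:

```python
import json

# Constructed bucket policies for illustration (bucket, account and role are made up).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone, including anonymous users
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports/*", "arn:aws:s3:::example-reports"],
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FinanceRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/finance-reporting"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})


def _as_list(value):
    """Policy fields may be a single string or a list; treat both uniformly."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def find_public_statements(policy_json: str) -> list:
    """Return Allow statements that grant access to everyone, with the exposed actions."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": _as_list(st.get("Action", [])),
            "resources": _as_list(st.get("Resource", [])),
            # A Condition (source IP, VPC, etc.) narrows "everyone"; still worth review.
            "conditional": "Condition" in st,
        })
    return findings
```

Running the checker over every bucket policy as part of the regular review mentioned under governance turns “is anything public?” into a repeatable test rather than a manual inspection.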
How to mitigate the risk of cloud misconfiguration
- Establish good governance: Develop a policy and framework that dictates how your company will use the cloud, when, and who has access to which levels. Review these settings on a regular basis.
- Educate people on their responsibilities: As above with social engineering, one of the best ways to reduce the chance of human error is to properly train everyone in their security responsibilities (from the newest ground-floor employees all the way up to board members).
- Migrate with security in mind: When you first migrate to the cloud, security personnel must be involved. Test new tools in isolated environments before rolling them out, run tests to ensure everything is working smoothly, and create a process for individual staff to escalate problems quickly and efficiently.
4. Malware and ransomware
What is the problem with malware?
‘Malware’ is a general name used to describe infectious software that causes harm to, spies on or disrupts a system. Computer viruses are one type of malware, although there are many others.
Malware is the classic cyber attack vector, having been around basically since the dawn of the world wide web. Even now with all our advanced anti-malware software, it’s still a huge issue – the German BSI noted there were about 394,000 new malware variants discovered per day last year in Germany alone.
Some other examples of malware include: ransomware, which we describe below; keyloggers, which record keystrokes made on a computer; trojans, which enter systems in disguise; droppers, which install other pieces of malware; bot infections, which can replicate and spread on their own; and then viruses designed purely for destruction – wipers.
How are cyber attackers using malware?
Unfortunately, the ways that cyber groups use malware are as varied as malware itself, which is why it’s so hard to stop. Groups often develop their own custom malware to help them attack companies and individuals through the channels of their preference (e.g. social engineering). But they also often share malware with other groups and may repurpose legitimate tools – Cobalt Strike, for example, is a tool that both legitimate and criminal groups use.
There are many different ways that attackers can get malware into a system. Phishing is hugely common, but attackers may have other means such as trojanized files pretending to be something they are not (say, an executable disguised as a PDF), or perhaps spoofed websites that look real but which are out to steal your credentials or make you download infectious software. Macros in seemingly safe Word or Excel files are also popular.
How to mitigate the risk of malware infection
- Vulnerability scanning: Vulnerability scanning tools check your applications for common entry points (see below) – for example, out-of-date software, exploitable errors, known bugs and so on.
- Antivirus/antimalware software: There’s a reason antivirus/antimalware software is considered ‘stopping viruses 101’. Antivirus software designed for businesses can scan your systems for suspicious files, keep an eye on incoming files and warn you of suspicious websites. Generally these are kept up to date to include the latest malware discovered by the world’s security experts.
- Encrypt sensitive information: If your system is communicating data from one place to another, especially sensitive data such as customer information, it must be encrypted. When files are encrypted, they become scrambled – illegible. Even if they were stolen, they couldn’t be used because without the key to unlock them, they’re just nonsense.
- Network intrusion prevention systems (IPS): Where antivirus looks at your files, an IPS monitors communications. It looks for activity within network packets that seems suspicious and takes action against it, either blocking it or informing you of its presence. So, antimalware blocks software, IPS blocks traffic.
What is ransomware?
Ransomware is one type of malware. When injected into a system, it can lock the entire thing up and encrypt it so that its users lose access. The attackers will then typically ask for a ransom in return for access (hence the name).
Bonus fact: Most companies (96%) claimed in 2021 that they got their data back after a ‘significant’ attack. But, on average, they could only restore 65% of it – meaning they were potentially losing just over a third of their data per attack (Sophos).
There are two common types of ransomware:
- Lockscreen ransomware: This infection locks a computer and sends a message (which fills the screen and locks it) telling a victim they must pay to get access back. The computer is not usable in that time.
- Crypto-ransomware: This infection encrypts files with a key the attacker controls. To get the decryption key, a ransom must be paid.
How do cyber groups use ransomware?
As you can see, the point of ransomware is to disrupt activity and force someone to pay up.
This is usually used as an act of cyber criminal activity as opposed to cyber terrorism, with the goal to make money rather than spy on or destroy key targets. Thus, it’s often seen being done by independent cyber groups as opposed to state-backed actors.
One thing to note is that ransomware is often the final stage of a long string of activities, such as social engineering and vulnerability scanning (yes – attackers use the same thing companies do to look for vulnerabilities, but in this case to exploit rather than patch). This makes it critical to detect such activities in advance.
How to mitigate a ransomware attack
- Perform regular data backups: If your entire system is backed up regularly, the effects of ransomware will be less severe. Instead of losing everything, you may only lose a few days’ worth of files. This is of course still not ideal, but it cuts some of the damage.
- Bonus point: This data should, of course, be stored off-system. Given its importance, it must be highly protected so that it itself cannot also be targeted.
- Test your backups: There’s no point backing your system up if it’s not actually recoverable. Ensure you have a process for recovering data from the backup, and that this process actually works as intended.
- Keep an eye on your systems: As we mentioned, ransomware is the killing blow at the end of a long line of activities. Chances are that in the build-up to that point, suspicious activity will have already occurred within your system and files will have been downloaded or modified. You must monitor for such activities at all times.
- Examples: There may be large quantities of file modifications in user directories. Or, in cloud systems, storage objects may be replaced by copies.
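The “large quantities of file modifications in user directories” signal above can be turned into a concrete detection rule. The following is an added example, not code from the original article or from dig8ital: it replays constructed file-activity log lines and raises one alert per user on either a burst of writes in a short window or repeated renames to a ransomware-style extension. The log format, thresholds and extension list are assumptions for the example:

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed file-activity log (timestamp,user,operation,path); not real telemetry.
SAMPLE_EVENTS = """\
2022-05-10T08:30:00,bob,modify,/home/bob/report.docx
2022-05-10T08:45:12,bob,modify,/home/bob/report.docx
2022-05-10T09:00:00,alice,modify,/home/alice/docs/q1.xlsx
2022-05-10T09:00:01,alice,rename,/home/alice/docs/q1.xlsx.locked
2022-05-10T09:00:02,alice,modify,/home/alice/docs/q2.xlsx
2022-05-10T09:00:03,alice,rename,/home/alice/docs/q2.xlsx.locked
2022-05-10T09:00:04,alice,modify,/var/log/syslog
2022-05-10T09:00:05,alice,modify,/home/alice/docs/notes.txt
2022-05-10T09:00:06,alice,rename,/home/alice/docs/notes.txt.locked
2022-05-10T09:00:07,alice,modify,/home/alice/docs/budget.docx
2022-05-10T09:00:08,alice,rename,/home/alice/docs/budget.docx.locked
2022-05-10T09:10:00,bob,modify,/home/bob/slides.pptx
"""

USER_DIR_PREFIXES = ("/home/", "C:\\Users\\")
WINDOW_SECONDS = 60        # sliding window per user
BURST_THRESHOLD = 10       # writes/renames inside the window that count as a burst
EXTENSION_THRESHOLD = 3    # renames to a ransomware-style extension
# Illustrative extensions only; a real deployment would use a maintained list.
SUSPICIOUS_EXTENSIONS = (".locked", ".crypt", ".encrypted")


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, user, op, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, op, path))
    return sorted(events)


def detect_encryption_bursts(text: str) -> dict:
    """Return one alert per user, raised on the first signal that fires."""
    recent = defaultdict(deque)    # user -> timestamps of recent writes in user dirs
    ext_hits = defaultdict(int)    # user -> renames to a suspicious extension
    alerts = {}
    for ts, user, op, path in parse_events(text):
        if op not in ("modify", "rename") or not path.startswith(USER_DIR_PREFIXES):
            continue               # reads and system paths are out of scope here
        window = recent[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if op == "rename" and path.casefold().endswith(SUSPICIOUS_EXTENSIONS):
            ext_hits[user] += 1
        if user in alerts:
            continue
        reason = None
        if ext_hits[user] >= EXTENSION_THRESHOLD:
            reason = "suspicious_extensions"
        elif len(window) >= BURST_THRESHOLD:
            reason = "write_burst"
        if reason:
            alerts[user] = {"reason": reason, "first_seen": window[0].isoformat(),
                            "events_in_window": len(window),
                            "suspicious_extensions": ext_hits[user]}
    return alerts
```

Tune the thresholds against a baseline of normal activity (build scripts and sync clients also write many files quickly) so the rule fires on the encryption phase without drowning the team in false positives.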
5. Supply chain compromise
What do we mean by supply chain compromise?
The world’s supply chain is highly digital these days, with most modern companies utilizing digital services in at least some capacity. Indeed, it’s quite rare to find a business in Europe that is not relying on a third-party vendor for some outsourced service or tool.
This reliance on another company’s services means your system becomes connected to theirs – an attack on one side could now compromise the other. As such, supply chain compromise is also known as third-party vendor risk.
How are attackers abusing the digital supply chain?
Today, attackers sometimes only need to attack one company to gain a foothold in a raft of others. If they were to compromise a software vendor, for example, they could theoretically piggy-back on that company’s platform right into the heart of hundreds of clients (which has happened in real life more than a few times).
So, an attack up or down the digital supply chain isn’t just a problem for the vendor, but for its partners. You could have the best security in the world but if they don’t, you’re at risk.
How to mitigate the risk of digital supply chain compromise
- Review third-party agreements with security personnel: Just as you would invite legal, financial, technical and customer experts to any discussion on a new vendor agreement, invite security as well so they can review the vendor for red flags.
- Audit existing third-party vendors immediately: If you already utilize third-party software, consider auditing it immediately to check for those same red flags. Additionally, check that the agreements are still relevant to your business, they’re still compliant, and that the agreed owners/contact people are all still available for contact (i.e. they haven’t resigned).
- Keep a diverse set of suppliers: Locking yourself into just one vendor might feel convenient but it’s its own risk. A diverse set of suppliers means you have access to a range of technology, can pick and choose from the best of the best, and, importantly, spread your security risk out a little.
6. Malicious insiders
What are malicious insiders?
We’ve talked a lot so far about threats from without, but there’s always going to be a risk that someone inside your company is themselves a potential threat. There is a very real risk that someone somewhere in the company is being radicalized – either by people they know in person, or via online forums.
- Radicalization? These days we often associate ‘radicals’ with extremism. However, someone can be radicalized for a host of reasons, such as religious, political or environmental ones, or even just due to extreme negative emotions (such as disgruntlement) which are egged on by others.
The internet and social media have made this problem worse. There is an echo chamber effect online which can exacerbate the risk of radicalization, where algorithms designed to feed people content they are likely to be interested in constantly offer them up radical messaging. They can quickly become trapped in this world.
How can cyber attackers use radicalization to attack a business?
There are any number of ways a cyber threat group could use someone on the inside, and someone already on the edge is ready to be pushed over. If an individual or group that wishes to do your company harm is able to set up an ‘inside man’, as it were (by cultivating and nurturing their viewpoint or emotional state), they are already in a position where they can directly compromise your business from the inside, bypassing common security measures.
They might ask that staff member to install malware on company computers, to send phishing attacks via their accounts so that they appear to come from a trusted source, or to carry out some other form of attack.
Anyone with a social media connection runs the risk of falling into an echo chamber, and anyone runs the risk of growing bold enough (or angry enough) to act on their changing beliefs. If this were to happen to someone with access to your business network, it could be hugely damaging.
How to mitigate threats from within
- Use your company culture: A supportive and protective company culture could help prevent someone from becoming radicalized in the first place. Look to invest in mental health support and employee wellness programs, career support, social clubs, and all of those different activities that are so important for people’s social, mental and physical wellbeing.
- Turn to ZeroTrust: Setting up a ZeroTrust model as we described earlier is another smart way to create an additional bulwark against cyber threats – within and without.
- Protect against outside threats: Knowing how to protect your systems against malware, supply chain compromise, ransomware, etc., and monitoring for suspicious activity as defined above, can help you in the event that someone does try to attack your company.
Other common entry points
Those are the most common cyber attack vectors we’re seeing in 2022. But, there are many more potential entry points to a business that its IT team must be aware of. While these are not ‘attack vectors’ quite as we’ve categorized them above, they are common weak points in a business system that can be exploited by someone utilizing one of the vectors above.
- Unpatched software: Cyber threats are always evolving, and the technology that defends against them moves with them. It’s a constant arms race, and if you don’t keep your software tools, operating systems, and device and app versions up to date, you may fall behind.
- Zero-day exploits: A zero-day exploit is the exploitation of an unknown flaw in a new piece of software (or new software version). It could be a gap in security, or a bug, but either way the developers haven’t found it yet – but attackers have. All new software should be trialed in a secure environment before being rolled out to the rest of the business. Beyond that, the best-practice security measures described above will help you mitigate the risk of a zero-day exploit.
- Weak/compromised/stolen credentials: Credential harvesting is a highly common objective of social engineering, where attackers trick users into offering up their login details. On top of that, weak passwords can often be cracked (a technique called ‘brute forcing’). You can’t always prevent this, which is where the social engineering protection, cloud security and ZeroTrust measures described above must be utilized.
- Poor or no encryption: An unencrypted communication is one that can be stolen, read and sold to the highest bidder. All business communications, but particularly sensitive comms, should be encrypted.
Finding this overwhelming? We can help
At dig8ital, we’re experts in cyber attack mitigation and have been working with some of Europe’s biggest companies for years to help them digitally transform into modern, flexible, defensible enterprises. Contact us today for a free maturity consultation and let’s talk about your unique needs.