
From practice to preventing: How criminals adapt their attack methods

by Sebastiaan Bosman Blog 23 Jun 2020

Similar to traditional ‘brick-and-mortar criminals’, not all cyber-criminals employ the same method to reach their goal. A burglar wouldn’t enter a house with an alarm or when there are people inside, but go for an easier opportunity. The same goes for internet-thieves. Their risk/reward balance depends on the required investment beforehand to successfully carry out their attack. What are the aspects they take into consideration?

This blog is based on excerpts from one of our recent webinars with Brian Kime (Senior Analyst at Forrester) and Eward Driehuis (SVP Strategy at Cybersprint). For all insights of the conversation, you can watch the entire webinar here.

Time and effort

Let’s get an obvious one out of the way first. Preparing any task, both criminal and legit, takes time. If a cyber-criminal attempts to imitate an executive or a supplier in a phishing attack, they would have a higher success rate if the messages are as realistic as possible. Next, they’d have to create a customised message using the proper tone of voice, fonts, logos and colours of the organisation, and find a way to make the email pass the spam filters. Gathering the necessary OSINT (Open Source INTelligence) data on the target demands research time into many different sources.

Even though this process of phishing (or spear phishing in this case) can be an exhaustive one, Eward pointed out the tactic is still lucrative enough to be the number one digital threat, according to the FBI. Luckily, knowing (and limiting) your accessible information online and having proper email security systems in place will go a long way to protect your organisation from such threats.

Picking procedures

Threat actors attempting to install malware in your digital infrastructure is a whole different matter. Instead of relying on an employee to accidentally click on a link, threat actors would have to write and develop the malware – a very time-consuming process taking months or even years. Of course, premade malware is also for sale, but advanced malware would set you back a few tons.

That’s not always the favourable approach, as Brian and Eward illustrate with the example of the Russian attack on the OPCW in 2018. Though state-sponsored, the attack appears to have been deemed most effective by buying four plane tickets and Wi-Fi hacking equipment, renting a car, and trying to gain access to the organisation’s systems from the building’s car park. It may seem silly to be caught like that, but instead of spending five or six-figure sums on malware, this ‘only’ cost a few thousand.

Know your entry points

After discussing how threat actors employ a wide variety of methods, Brian and Eward shared their views on suitable solutions. Ideally, you can use a combination of two tactics: looking at the outside world to predict the next attack, and taking preventive action by mapping your digital footprint. This will help you understand and repair your exploitable vulnerabilities before it's too late. Digital Risk Protection is an approach used to first get a detailed picture of your own organisation’s online assets, and then use it to strengthen your cyber-resilience.

Gaining actionable insights and mitigating the weaknesses in your systems makes you a much harder target to attack. It’s just like leaving your house lights on, installing an alarm, putting up cameras and having three Dobermanns patrolling in the yard.

In cybersecurity, Brian stresses the benefits of improving your security to force threat actors out of their anonymous environment and into the physical world. It’s easier to spot unauthorised personnel in your car park than in your digital systems. If you make their risk/reward scale tip in your favour, you’ll be sure to have a better night’s sleep.


Sebastiaan Bosman is Content Marketeer at Cybersprint. With a background in Communications and Linguistics, he is responsible for the creation and editing processes of most internal and external communication. He writes content such as blogs, whitepapers and case studies, primarily based on Cybersprint’s own research data. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.
