Similar to traditional ‘brick-and-mortar criminals’, not all cyber-criminals employ the same method to reach their goal. A burglar wouldn’t enter a house with an alarm or when there are people inside, but go for an easier opportunity. The same goes for internet-thieves. Their risk/reward balance depends on the required investment beforehand to successfully carry out their attack. What are the aspects they take into consideration?
This blog is based on excerpts from one of our recent webinars with Brian Kime (Senior Analyst at Forrester) and Eward Driehuis (SVP Strategy at Cybersprint). For all insights of the conversation, you can watch the entire webinar here.
Time and effort
Let’s get an obvious one out of the way first. Preparing any task, both criminal and legitimate, takes time. If a cyber-criminal attempts to imitate an executive or a supplier in a phishing attack, they would have a higher success rate if the messages are as realistic as possible. Next, they’d have to create a customised message using the proper tone of voice, fonts, logos and colours of the organisation, and find a way to make the email pass the spam filters. Gathering the necessary OSINT (Open Source INTelligence) data on the target demands research time across many different sources.
Even though this process of phishing (or spear phishing in this case) can be an exhaustive one, Eward pointed out the tactic is still lucrative enough to be the number one digital threat, according to the FBI. Luckily, knowing (and limiting) your accessible information online and having proper email security systems in place will go a long way to protect your organisation from such threats.
Threat actors attempting to install malware in your digital infrastructure present a whole different matter. Instead of relying on an employee to accidentally click on a link, threat actors would have to write and develop the malware – a very time-consuming process, taking months or even years. Of course, premade malware is also for sale, but advanced malware would set you back a considerable sum.
That’s not always the favourable approach, as Brian and Eward illustrate with the example of the Russian attack on the OPCW in 2018. Though state-sponsored, the attack appears to have been deemed most effective by buying four plane tickets and Wi-Fi hacking equipment, renting a car, and trying to gain access to the organisation’s systems from the building’s car park. It may seem silly to be caught like that, but instead of spending five- or six-figure sums on malware, this ‘only’ cost a few thousand.
Know your entry points
After discussing how threat actors employ a wide variety of methods, Brian and Eward shared their views on suitable solutions. Ideally, you combine two tactics: looking at the outside world to predict the next attack, and taking preventive action by mapping your digital footprint. This will help you understand and repair your exploitable vulnerabilities before it’s too late. Digital Risk Protection is an approach that first builds a detailed picture of your own organisation’s online assets and then uses it to strengthen your cyber-resilience.
Gaining actionable insights and mitigating the weaknesses in your systems makes you a much harder target to attack. It’s just like leaving your house lights on, installing an alarm, putting up cameras and having three Dobermanns patrolling in the yard.
In cybersecurity, Brian stresses the benefits of improving your security to force threat actors out of their anonymous environment and into the physical world. It’s easier to spot unauthorised personnel in your car park than in your digital systems. If you make their risk/reward scale tip in your favour, you’ll be sure to have a better night’s sleep.
Sebastiaan Bosman is Content Marketeer at Cybersprint. With a background in Communications and Linguistics, he is responsible for the creation and editing processes of most internal and external communication. He writes content such as blogs, whitepapers and case studies, primarily based on Cybersprint’s own research data. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.