There is a shift in the way cyber criminals are targeting organisations. The methods of mass phishing and hacking are making way for more directed and personalised attacks. They carefully select their targets and craft convincing messages. However, that takes much more time and preparation. To make up for that, they now use automated techniques to carry out attacks. How can you protect your organisation from this emerging threat?
The new kind of hacker
The age of automation started over a century ago, offering many business opportunities for organisations. Unfortunately, the cyber crime world has now followed suit. In the past, hackers were highly skilled enthusiasts, making for a small community. They did their own extensive research and wrote their own tools and code, taking days to implement a successful attack.
Nowadays, the entry barrier is lower, making the cyber criminal community larger. Instead of each hacker creating their own tools, software and frameworks are now shared and (ab)used by more hackers.
“The days of the Nigerian prince scams are coming to an end”
The new kind of hacker uses publicly available information (OSINT, Open Source Intelligence) to create a profile of their target. Examples are information taken from the company website, third-party websites, social media, news platforms, powerful search engines, publicly available presentations such as Prezi, etc. This is used during the reconnaissance phase of an attack, or to impersonate an organisation’s VIP, for example. The tools used to collect (scrape) the necessary intel have become more powerful and efficient, and many more are available.
Automating these processes delivers structured overviews of an organisation’s vulnerabilities. All steps of the cyber kill chain can be automated, letting scripts hack by themselves. Collected information can also be used to create highly convincing profiles of organisations’ VIPs. The more convincing a profile is, the more likely victims are to fall for it. The days of the Nigerian prince scams are coming to an end.
How can it affect you?
What are the practical uses of automated hacking, and how can it affect your organisation? Using tools such as Shodan, hackers generate an extensive overview of internet-connected devices such as your webservers, but also security cameras, webcams or printers.
For example, in Sweden, someone used automated hacking tools to discover public webcams near a harbour. With that footage, they could monitor and identify submarines going in and out of the port. They could calculate how long the submarines had been deployed, what their range would be, and where they could have gone. This doesn’t take a team of IT specialists; it can be done by anyone.
Though your organisation probably doesn’t lease submarines, it is likely to have security cameras at the entrance and wireless printers. These devices can be mapped and potentially accessed remotely. It’s not anyone’s business who enters your office or whom you meet with; that information belongs to you.
“Cyber criminals are trying their best to convince their target”
Phishing, spear phishing & whaling
As mentioned above, cyber attacks are increasingly targeting specific individuals. This is called spear phishing. Instead of solely hoping unobservant people click on the phishing message, cyber criminals are now trying their best to convince their targets that they should transfer sums of money. Fake profiles, email addresses, websites, and brand and communication styles are developed to impersonate a third party or company executive. When a high-level CxO is targeted, it’s also known as ‘whaling’.
To build a compelling message, cyber criminals’ first step is reconnaissance. Which customers does the target organisation have? How many employees? Do they use a specific email template? What are their vulnerabilities? But rather than going through publicly available information manually, they use automated resources. This makes their method more detailed and faster, with higher success rates.
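The impersonation described above relies on sender addresses and display names that look like the organisation’s own. The following is an added example (not code from the original post) of a small mail-triage check that flags lookalike sender domains and executive display names on external addresses. The organisation domain, executive names, confusable-character table and sample `From:` headers are all constructed for illustration.

```python
"""Flag inbound senders that imitate an organisation's domain or its executives.

Added example for this article; the domain, executive list and headers are
constructed, not real data.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"          # assumed organisation domain
EXECUTIVES = {"jane doe", "john smith"}  # assumed VIP display names, lower-case

# Character swaps commonly used to build near-identical domain labels.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(label: str) -> str:
    """Undo common confusable substitutions, e.g. 'examp1e-c0rp' -> 'example-corp'."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed row by row (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Classify a From: header as trusted, lookalike-domain,
    executive-impersonation or external."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain == ORG_DOMAIN:
        return "trusted"
    # Compare the first label (without the TLD) after confusable normalisation,
    # so both 'examp1e-corp.com' and 'examplecorp.net' are caught.
    org_label = ORG_DOMAIN.split(".")[0]
    sender_label = normalise(domain.split(".")[0]) if domain else ""
    if sender_label and (sender_label == org_label
                         or edit_distance(sender_label, org_label) <= 2):
        return "lookalike-domain"
    # A known executive's name on an address outside the organisation is the
    # classic CEO-fraud / whaling pattern.
    if display.strip().lower() in EXECUTIVES:
        return "executive-impersonation"
    return "external"


# Constructed sample headers (not taken from any real mailbox).
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",
    "Jane Doe <jane.doe@examp1e-corp.com>",
    "Accounts <ap@exarnple-corp.com>",
    "John Smith <john.smith.ceo@gmail.com>",
    "Newsletter <news@vendor-updates.io>",
]


def triage(headers):
    """Return (header, verdict) pairs for a batch of From: headers."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:24} {header}")
```

The edit-distance threshold of 2 is generous on purpose: it catches dropped hyphens and single-letter swaps, but on very short organisation labels it will also match unrelated domains, so tune it to the length of your own domain and keep an allow-list for legitimate partners.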
Using automated hacking as a security measure
Know that repairing an incident is much more expensive than investing in proper countermeasures. An average data breach costs a US company up to $7.9 million, on top of the reputational damage. On the other hand, treating every incoming incident as a severe threat can result in false positives and incorrect assessments, hindering productivity.
You need to know what you must protect and how you should protect it. What is the scale of your digital attack surface? Which vulnerabilities appear? You can prevent attacks using automated tools that detect and assess your digital footprint - not only your own websites and digital assets, but also those belonging to third-party vendors. All are related to your brand and could seriously harm your reputation when hacked by cyber attackers.
You can’t prevent everything, but proactive detection and mitigation of your risks goes a long way. Make your invisible vulnerabilities visible - before hackers exploit them.