Increasingly, It’s Artificial Intelligence vs Cyber-Criminals
Protecting Yourself from IT Threats
By Charlie Christensen
As hackers, organized crime syndicates, and state-backed bad actors aggressively pursue ways to compromise the world’s data, business owners, leadership, and IT professionals continue to seek ways to counter these ever-growing threats to their information technology infrastructure. In this article, I will explore some of these threats, as well as the advancements in anti-virus/malware protection that are working to defend corporate and personal data every minute of every day.
Lastly, I will provide you with some key steps you should take to protect your business and data assets from attack.
As someone who understands the threats we as IT professionals see every day, it is my hope that I can use this opportunity to provide the average businessperson with a better understanding of what they should focus on most urgently in today’s technology environment, and how they can better protect their business from being compromised.
• Ransomware: This is every company’s worst nightmare and a topic to which we could dedicate an entire article. In short, ransomware is an extortion scheme that costs businesses billions of dollars per year. It most commonly spreads via malicious email attachments or links, software apps, infected external storage devices, and compromised websites.
Ransomware searches out every computer on the network and seeks to encrypt the data it finds. The only way to get the data back is to pay the extortion, usually via cryptocurrency which is largely untraceable. Not content with simple extortion, cybercriminals are now adding an additional element to the ransomware scheme.
Attackers will now download your data prior to encryption, and if you refuse to pay, they will threaten to release your data into the public domain. If the thought of this doesn’t lead you to a few sleepless nights, it should.
• Phishing, spear phishing, and whaling attacks: I think by now we all understand phishing. An attacker uses social-engineering techniques, like an enticing-looking link, to get the end user to disclose some form of personal information such as a Social Security number, credentials, etc. Spear phishing, however, is a bit more focused and targeted. A spear-phishing message might seem like it came from someone you know or a familiar company like your bank or credit card company, shipping company, or a frequented retailer.
Whaling, on the other hand, goes after high-value targets such as C-level leadership or accounts payable. A whaling attack might look like an email from the CFO asking you to initiate a transfer to pay a large invoice. This is an incredibly common attack vector and one that relies on your team’s ability to identify it. Education and vigilance are your best defense.
• Advanced persistent threats: APTs happen when an intruder gains access to your systems and remains undetected for an extended period. They seek to quietly extract data such as credit card data, Social Security numbers, banking information, and credentials. Detection relies on the ability to identify unusual activity such as unusual outbound traffic, increased database activity, or network activity at odd times. APTs also likely involve the creation of backdoors into your network.
• Insider threats: Although we are fixated on external threats, internal threats are more common and can be equally as damaging. Examples of intentional and unintentional threats include:
Intentional threats include employees stealing data by copying or sending sensitive or proprietary data outside the company. This may occur via email/FTP, USB drive, cloud drive (OneDrive, Dropbox, iCloud), or some other means. Often, these happen because someone fails to comply with security protocols because they are perceived to be inconvenient or “overkill.”
Unintentional threats might include an employee clicking on a phishing email, responding to a pop-up asking for credentials, not using a strong password, or using the same password for everything. It could also be a system that was not patched, a port that was left open on a firewall, or forgetting to lock a user account after termination.
• Viruses and worms: Frequently considered to be ‘old school’ threats, these still exist and can cause tremendous damage. Their purpose is to damage an organization, its systems, data, or network. Users should be careful about clicking on ads, file-sharing sites, links in emails, etc. However, traditional anti-virus software is usually effective at controlling them.
• Botnets: Simply put, a botnet is a collection of devices that have access to the internet like PCs, servers, phones, cameras, time clocks, or other commonly found networked devices. These devices are then infected by malware that allows criminals to use them to launch attacks on other networks, generate spam, or create other malicious traffic.
• Drive-by attacks: These are infected graphics or code on a website that get injected into your computer without your knowledge. They can be used to steal personal information, or to inject trojans, exploit kits, and other forms of malware.
While this list might seem exhaustive, it only represents a few of the more common attack methods that we see daily. It also helps explain the emergence of a new generation of security products and platforms. To better understand how we look at information security, let me borrow one of the examples I commonly use when speaking to businesspeople and groups about building an effective Information Security Program.
Think of information security as an onion. Like an onion, information security programs are composed of layers of protection (firewall, backup, AV, email filtering, etc.) surrounding the core (your data). As we build an information security program, we need to put layers of protection between the threat and the asset we are trying to protect. While the details of an information security program are outside the scope of this article, for the purposes of this discussion you only need to understand that there is no single magic product that can protect you from all threats. Anti-virus, or even the new generation of endpoint detection and response (EDR) products, is but one layer of protection in an over-arching strategy to protect your business from modern threats.
A brief history of antivirus (AV) products has them coming onto the scene in the late 1980s, with familiar names like McAfee, Norton, and Avast. These early products relied on signature-based definitions. Much like looking up a word in the dictionary, these AV products could catch defined threats, but they would easily fail to prevent attacks that had not yet been discovered, or worse, attacks for which they had not yet downloaded the update that would allow them to recognize the threat. Traditional AV changed very little until several years ago with the advent of Next Generation Antivirus. NGAV uses definitions coupled with predictive analytics driven by machine learning to help identify undefined threats.
The latest technology to hit the market is endpoint detection and response (EDR) or extended detection and response (XDR). These technologies continue to use traditional signature-based antivirus and NGAV, but they also introduce the use of artificial intelligence (AI).
AI is used to constantly analyze the behavior of devices so it can detect abnormal activities like high CPU usage, unusual disk activity, or perhaps an abnormal amount of outbound traffic. This new generation of software not only detects an attack and warns you that it is occurring, but it can also isolate the attack to the device(s) that are infected by automatically taking them off the network and protecting the rest of your network. Some EDR products like SentinelOne also have threat-hunting capabilities that can map the attack as it unfolds. This mapping aids IT professionals in identifying the devices involved in the attack, a process that can take days or weeks when performed manually. XDR goes a bit further in that it looks beyond the endpoint (PC, laptop, phone) and looks at the network holistically.
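As an added illustration of the difference between the signature lookups described in the AV history above and the behavioral detection that EDR performs (and the "unusual outbound traffic" signal mentioned under APTs), here is example code that is not from the original article or from any vendor product; the hashes, device names, and traffic figures are constructed, and the isolation step stands in for whatever network-quarantine mechanism a real product uses.

```python
import hashlib
import statistics

# Constructed "signature database": SHA-256 hashes of files already known to be bad.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"known-malware-sample").hexdigest(),
}


def signature_match(file_bytes: bytes) -> bool:
    """Traditional AV: a file is flagged only if its hash is already in the definitions.
    A sample nobody has catalogued yet passes straight through."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


# Constructed per-device telemetry: outbound megabytes in each of the last 8 hours.
BASELINE_MB = {
    "pc-01": [12, 15, 9, 14, 11, 13, 10, 12],
    "pc-02": [30, 28, 35, 31, 29, 33, 32, 30],
}


def behavioral_alerts(baseline: dict, current_mb: dict, threshold: float = 3.0) -> list:
    """Behavioral detection: flag devices whose current outbound volume is far above
    their own history (z-score above threshold). No knowledge of the malware is needed,
    only of what 'normal' looks like for that device."""
    alerts = []
    for device, history in baseline.items():
        mean = statistics.mean(history)
        stdev = statistics.stdev(history) or 1.0  # guard against a perfectly flat baseline
        z = (current_mb.get(device, 0) - mean) / stdev
        if z > threshold:
            alerts.append((device, round(z, 1)))
    return alerts


def isolate(alerts: list, network: set) -> tuple:
    """Containment step: remove flagged devices from the set of devices allowed on the
    network, returning (remaining network, quarantined devices)."""
    quarantined = {device for device, _ in alerts}
    return network - quarantined, quarantined


if __name__ == "__main__":
    unknown_sample = b"never-seen-before-payload"           # constructed, not in definitions
    print("signature caught it:", signature_match(unknown_sample))   # False
    hits = behavioral_alerts(BASELINE_MB, {"pc-01": 12, "pc-02": 850})
    print("behavioral alerts:", hits)                       # pc-02 flagged
    print("isolate:", isolate(hits, {"pc-01", "pc-02", "srv-01"}))
```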
A good example of how EDR systems are being used as a layer of protection is how SonicWall firewalls combine a physical firewall with a suite of security capabilities like content filtering, DPI-SSL scanning, geo-blocking, gateway antivirus, and more to filter traffic before it enters your network. Then, with the addition of their Capture Client product (a collaboration between SonicWall and SentinelOne), they integrate the power of SentinelOne EDR with the firewall’s rules. This allows you to extend protections beyond devices inside the network and include company devices outside the network as well. This helps to eliminate gaps in protection that can exist with remote users.
The notion that you are just too small a company to worry about these threats, or that no one wants your data is a fallacy. Criminals are targeting small companies every day because they are easy targets. Large companies have armies of highly educated and well-paid people protecting their networks. And while a large company might represent a big score, hackers can spend years trying to penetrate a large network. However, they know smaller organizations have limited budgets and staff to protect their network. This makes it far more lucrative to hit 50 or 100 small companies for $100,000 than a single large company for, say, $2 million.
Investing in modern security products, building a sound information security program, and educating your team will pay off in the long run, as the question is not if you will be attacked — but when. The cost of the systems to protect you is far less than the frequently irreparable harm caused by a breach or infection.
Many people say, ‘I have cyber insurance,’ but fail to put the necessary precautions in place to protect their systems and data. Little do they know that when they filled out the pre-insurance questionnaire and answered ‘yes’ to all the questions, they gave the insurer the ability to deny the claim. If you do not have written policies, use EDR (or at least NGAV), have a training program in place, and use multifactor authentication to protect user logins, you could be sealing your own fate. Insurers are no longer baffled by today’s technology and are aggressively investigating cyber claims. In fact, we are seeing significantly increasing numbers of denied claims.
There is little you can do after the fact to offset missing protections or enforcement of policies. By taking the appropriate steps to protect your network and systems you can hopefully minimize the risk of falling victim to an attack and ensure that your insurer will cover such a claim. Insurance companies will go to great lengths to cover legitimate claims at great cost. In fact, they can be their own worst enemy. In many ransomware attacks, insurance companies will simply pay the ransom because it is more expeditious to do that than it is to pay for the actual remediation. This, of course, only encourages the criminals while leading to higher premiums and greater risk to our technology infrastructure.
To close, I’d like to leave you with a few things that you can do to better protect your systems, data, and network.
• Take the time to understand what protections you have in place and engage a professional to help you identify any gaps in your information security strategy;
• Educate your staff on information security best practices and the threat spectrum. An educated workforce is one of your best protections. There are several great training tools that are inexpensive and easy to implement, such as KnowBe4;
• Implement a next-generation firewall that utilizes deep packet inspection and take the time to dial in the suite of security features that are designed to stop threats before they get into the network;
• Move to an EDR system rather than relying on a traditional signature-based antivirus;
• Be sure that all systems with access to your networks (computers, network equipment, servers, firewalls, IoT devices, cameras, etc.) are patched regularly to eliminate vulnerabilities that can be easily exploited;
• Do not run unsupported operating systems, equipment, or applications;
• Establish a set of written information security policies, and make sure everyone understands that they need to live by them; and
• Limit those with administrative credentials on your network. If an administrative account is compromised, you have given away the keys to the kingdom. Make sure users only have permission to get to the resources they need to do their job.
Charlie Christensen is president of East Longmeadow-based CMD Technology Group; http://www.new.cmdweb.com/; (413) 525-0023.