Sun Tzu’s The Art of War provides some relevant thought around how we should approach the ever-present battle against external attackers. He states:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
My personal interpretation of this is if you know how your enemy attacks, and you know the security you have in place, you’ll know the result when the two meet. So, it’s important to understand how your enemy (the external attacker) is changing their behavior, so that you can act accordingly.
This blog is the third in a three-part series covering the Cisco 2017 Annual Cybersecurity Report. The first blog provided a 2017 Security State of the Union, with the second focused on the 4 phases of attack behaviors. In this third blog, I’m going to do a little deep diving into how attackers are approaching attacks.
A British term for a long-term, multi-step scam, often involving multiple people, aimed at obtaining large sums of money from marks, the long game is a great description of the methodology attackers use today. Sure, there’s still the opportunistic attacker blasting out a bazillion emails, knowing some will hit. But not all attackers treat this as just a numbers game; some are smart folks (just like you) and want to increase their chances of successfully gaining entrance to a corporate network.
The result is the long game: a series of steps taken to identify pieces of personal information that will improve their ability to fool you into clicking their link or opening the attachment that will eventually compromise your machine with malware.
While only the third most commonly observed malware, Facebook scam links are indicative of how cyber criminals work to ensure their attacks are successful. Here’s the scenario:
Let’s say you do one of those dumb “which '80s rock band are you???” type questionnaires. When getting your results (OMG, you’re TOTALLY Bon Jovi!!!!), you’re offered to post the result to Facebook. And while the permissions request (access to your profile and your friends list) seems relatively benign, your profile includes your email address, and your friends’ profiles can include theirs. So, now the scammers have a viable address (yours) and a target list to phish (your friends).
Seems a bit like a conspiracy theory, right? Well, I’ve experienced this personally. I received an email from my nephew one day. First off, he’s literally NEVER sent me an email (in fact, he doesn’t even know my email address). Second, it’s definitely his name (how many Austin Cavalancias do you think exist in the world?). So my suspicion level is high here. I open it and it’s some sort of bogus request to look at a link to some server in a remote country. Definitely phishing.
Now the question is how did the phishing author get his name, my name, and my email address? There’s only one place the two of us are connected in the entire world—Facebook.
The Cisco report shows that Facebook scams, which also included fake offers, media content, and survey scams as part of the initial touch, are only the tip of the iceberg. These phishing emails are designed to introduce malicious adware, which includes ad injectors, changes to browser settings, hijackers, utilities, and downloaders.
Still think it’s not a problem? Cisco found that 75% of organizations are infected with adware—another long game stepping stone. (Adware can be used to redirect search requests to compromised websites containing malware.)
It’s a complex path that seeks to claw away at the individual’s security (first social, then web environment, followed by workstation, and finally credentials).
I’m only scratching the surface here, but I think the examples I’ve pointed out make the case that your enemy is definitely in a long game mode, requiring you to be thinking about your defense strategy in that same manner:
By going long on your security strategy, you align your defenses with the attack methods of your enemy and stand toe-to-toe with each attack method, vector, email, and link.
Get more info—Learn how SolarWinds MSP helps MSPs and IT Service Providers stay more secure here.