Cyber attacks getting hi-tech

There is now hardly any difference between run-of-the-mill attacks and State-sponsored ones, say security experts

April 03, 2017 06:15 pm | Updated 06:54 pm IST

Julie Cullivan, Chief Information Officer and Senior Vice President of Business Operations, FireEye

One of the oldest methods of online attacks is breaking into someone’s email. The reports during last year’s US Presidential elections that hackers had stolen e-mails from John Podesta, the chairman of Hillary Clinton’s campaign, reminded everyone how vulnerable e-mails still are.

While the targets have remained the same, what has evolved over the years are the techniques criminals adopt to mask their trail, which makes it difficult to investigate attacks and find solutions.

More than personal e-mails, it’s big organisations that are the favourites of hackers, since the stolen data would be more valuable and the security breach would have a far-reaching impact.

“We keep seeing more of the same in terms of the type of attacks. But they (attackers) are finding newer techniques to do it,” said Julie Cullivan, Chief Information Officer and Senior Vice President of Business Operations, FireEye, during a recent visit to Bengaluru.

A stark difference noticed by experts is that the tactics adopted by hackers are now as sophisticated as those used by State-sponsored attackers.

Personal calls on phone

A new trend noticed by researchers is for attackers to target persons specifically rather than send out mass phishing e-mails with generic subject lines like “Invoice” or “Delivery confirmation”.

According to the ‘M-Trends 2017’ report released recently, hackers even call up potential victims to follow up on the malicious email and to obtain crucial information, such as the personal email IDs of top executives, so that their phishing mails are not caught by the controls protecting official corporate email.

One such ‘privilege escalation tool’ leveraged CVE-2016-0167, a previously unknown vulnerability. The tool allowed attackers to obtain elevated privileges in environments where the initially compromised user did not have them, says the report.

Two traditional security measures, especially in big organisations, are: network segmentation (instead of one large network, break it up into many, so even if one is breached, the entire system won’t go down) and multi-factor authentication (instead of one password, have one or two more layers of verification like one-time password or fingerprint authentication).

The report says last year, attackers managed to access e-mails by circumventing even these two security measures. “With an OAuth token, an attacker has the ability to bypass multi-factor authentication to access a target user’s cloud resources such as email, calendar and shared documents,” says the report. “The volume of email stolen through the years is likely greater than all other forms of electronic data theft combined.”

Educating boardroom

The increasing incidence of big companies getting hit has led corporate boardrooms to look at cyber attacks differently. “We are seeing more effort on the part of boardrooms to get educated on cyber security. CIOs are also having to change the language they speak, so they make themselves understandable to the boardrooms on their risks and on ways to mitigate the risks,” said Julie Cullivan.

She said companies are now being advised to look at cyber risk not just from the technology point of view, but also as an enterprise risk. “It’s important to understand what the financial implications would be, should something happen, or what the legal liabilities would be. Companies also need to ensure that they have the right partners and communication plans, and the right tools to mitigate the risks,” she said.

The sophistication of hackers has reached such a level that the thin line of difference between attacks mounted by run-of-the-mill hackers and State-sponsored attacks has today completely vanished.

With strong command and control structures, they are adopting improved counter-forensic techniques, say experts.
