Over the past 2 months, we hosted client forums about the latest cybersecurity threats and how to stay ahead of the curve when it comes to safeguarding your business. The cybersecurity trends for 2023 are optimizations of past threats. Join us as we navigate this dynamic world of cybersecurity, providing insights and strategies for a safer digital environment.
The Modern Ransomware Landscape & Threat Actor Strategies
Much like business owners, threat actors engage in strategic planning. They meticulously weigh the costs of acquiring the tools to infiltrate a network against the anticipated return on investment. Recognizing that some of their tried-and-true tactics are losing their efficacy, they continuously develop and refine new methods. These cyber adversaries engage in a cycle of innovation, driven by staggering statistics. In the world of business, startups often seek the path of least resistance—the easy money. Why tackle complex challenges when simple, low-effort endeavors promise quick returns, without the need for extensive training or specialized expertise? Threat actors share a similar philosophy. They begin by exploiting the easiest means to make money, but when those methods inevitably lose their effectiveness, they venture into slightly more intricate territory. When the low-hanging fruit has all but vanished, and the well-worn tactics yield diminishing returns, these threat actors must elevate their game.
The Future of Ransomware
In essence, the world of cybersecurity is ever evolving, marked by a perpetual arms race between attackers and defenders. As the complexity of attacks escalates, it’s imperative to remember that while threat actors may incorporate new tactics, the old ones remain in their arsenal, albeit transformed. Adaptation and vigilance are the keys to navigating this ever-shifting landscape.
With that said, the current landscape reveals a disconcerting reality: the average ransom demanded in today’s cyberattacks routinely reaches the hundreds of thousands, if not millions of dollars. Hackers have honed their skills in conducting meticulous reconnaissance on targeted organizations, a stark departure from their more haphazard approaches of the past.
Their newfound proficiency leads to a strategic approach, often driven by a keen understanding of the victim’s insurance coverage. If these cybercriminals can ascertain that an organization possesses a cyber liability policy worth, for example, two million dollars, they leverage this information to set the ransom, frequently just below the policy’s limit, typically around 1.5 million dollars. The rationale is clear and unrelenting: to ensure a successful data recovery, the ransom must be paid.
Consequently, the burden falls squarely on the victimized organization, which must grapple with the financial implications of these exorbitant demands, especially when critical data access hangs in the balance. These trends underscore the broader context of evolving cybersecurity threats.
Beyond Ransomware: Business Email Compromise
In addition to ransomware, we frequently encounter another significant threat—business email compromise. Typically, this threat manifests through various means, with phishing being the most common method. Users receive deceptive emails, cunningly urging them to provide credentials or authorize access to their Microsoft accounts. It’s noteworthy that Multi-Factor Authentication (MFA) is a crucial security measure for business email accounts. Surprisingly, around a third of the email compromises we observe still occur despite having MFA enabled.
Now, imagine a scenario where an attacker infiltrates your email account. They can manipulate your email communication, impersonate you, and redirect sensitive transactions. For instance, a hacker might intercept a message about an authorized wire transfer. They create a fraudulent website, cleverly mirroring your bank’s site, tricking you into entering login credentials. Subsequently, they interact with your bank on your behalf, initiating transactions. This man-in-the-middle attack, which we didn’t witness as frequently five years ago, has gained prevalence due to the increased use of MFA.
The primary objective of these attackers is financial gain, often achieved by intercepting payments. They target key individuals, including executives, procurement personnel, or finance staff. An example involves intercepting payment instructions and rerouting funds to their accounts. Occasionally, even legitimate employees unwittingly cooperate by updating payment information when presented with fraudulent instructions. Therefore, it is imperative for companies to establish robust processes for handling payment updates and ensure their employees remain vigilant.
Another concerning trend involves attackers impersonating colleagues or superiors via text or email, soliciting unusual requests such as purchasing gift cards and sharing card details through photos. New employees, in particular, may fall victim to this ploy. Effective training and education for users are critical to prevent such incidents. Employees should exercise caution when receiving requests via email or text and verify the authenticity of such requests through channels outside the communication medium.
Cybersecurity in 2023: Assumptions vs. Reality
Okay, let’s talk about what we can see and what we can’t see. Most people assume that as a technology provider, we basically have eyes on everything happening on your network and can see and know about whatever could happen, as in a Hollywood movie. Not true. There are certain things that we can see. A typical managed service provider can see the big things: when a server goes offline, for example, we receive an alert for that. However, will we know if someone logged in with valid credentials from a strange location? No, at the basic level of services we don’t actually have the capability to detect that.
Realistically, if you look back five or ten years, the technology that could do that was generally only used in enterprise settings because only enterprises could afford the resources required to do those things. So very large companies and government entities could afford that technology. However, the market for those tools has expanded to the point where almost everyone needs some type of capability to detect what’s happening.
The Evolution of Detection Technology
For most of our history as a managed service provider, we focused on protection. We wanted to prevent bad things from happening, but very little emphasis was placed on detecting when they did happen. Now that there’s a larger market and more people are willing to pay for it, these tools are becoming more affordable. Not necessarily cheap, but they are becoming more accessible and can make more sense than the alternative, which is experiencing a breach that you’re unaware of, which can cause significant disruptions.
Better tools are now available: tools that let us monitor network traffic flowing in and out of a network and analyze it for known threat patterns. We can also collect event logs from various systems, including antivirus and firewall logs, two-factor authentication logs, and Office 365 logs, and analyze them to identify anomalous patterns.
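As an added illustration of the kind of anomaly detection described above (this is example code written for this page, not the monitoring tooling of the provider), the script below runs two checks over constructed sign-in events shaped like Office 365 sign-in log entries: a successful login from a country the user has never signed in from, and "impossible travel" between two successful logins. The user names, locations and the 900 km/h threshold are all assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in events in the spirit of Office 365 sign-in logs
# (not real log data): user, UTC timestamp, country, latitude, longitude, result.
SIGNINS = [
    ("alice@example.com", "2023-05-01T13:00:00", "US", 41.88, -87.63, "Success"),
    ("alice@example.com", "2023-05-01T13:40:00", "NG", 6.45, 3.39, "Success"),
    ("bob@example.com", "2023-05-01T09:00:00", "US", 41.88, -87.63, "Success"),
    ("bob@example.com", "2023-05-01T17:00:00", "US", 40.71, -74.01, "Success"),
    ("bob@example.com", "2023-05-01T18:00:00", "RU", 55.75, 37.62, "Failure"),
]
# Baseline of countries each user normally signs in from (assumed, per user).
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; faster implies impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_anomalies(events, known_countries, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return alert tuples for new-country sign-ins and impossible travel.

    Only successful sign-ins are considered: a failed attempt from an odd
    location is noise, but a success from one means valid credentials were
    used, which is exactly what basic monitoring misses.
    """
    alerts = []
    last_success = {}  # user -> (timestamp, lat, lon) of the previous success
    for user, ts, country, lat, lon, result in sorted(events, key=lambda e: e[1]):
        if result != "Success":
            continue
        if country not in known_countries.get(user, set()):
            alerts.append(("new_country", user, ts, country))
        if user in last_success:
            prev_ts, plat, plon = last_success[user]
            hours = (datetime.fromisoformat(ts) - datetime.fromisoformat(prev_ts)).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if hours > 0 and dist / hours > max_kmh:
                alerts.append(("impossible_travel", user, ts, round(dist)))
        last_success[user] = (ts, lat, lon)
    return alerts
```

Bob's Chicago-to-New-York day produces nothing, while Alice's sign-in from Lagos forty minutes after Chicago raises both alerts.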
Do I Need Additional Security?
The main question is whether you need these tools, and that’s a decision each organization must make. When deciding on additional tools, consider factors such as the size of your business and the type of data you handle. Sometimes, the answer is no. Think of it this way:
If you had a lemonade stand, what would you do to protect your assets, e.g., the cup of money? You would keep it from blowing away, because the biggest threat to your assets is the wind. A strong gust of wind could blow all your money into your neighbor’s yard. You can solve that problem with a big enough rock.
But what if you have a lemonade truck? Now you have more threats, right? A mobile truck requires different security measures. And if you have a massive lemonade franchise with thousands of locations? You’ll invest significantly more in protection. So, it all comes down to a client’s decision. Typically, it’s about assessing the value of your assets and your business. If losing your data would be catastrophic, then investing in comprehensive security is essential. But each business has unique needs, and it’s not always necessary to spend a fortune to protect against every possible threat. These calculations are something we work through with our customers, but you can do it yourself too.