Getting into the mind of a hacker

Rik Ferguson is not your typical cyber security geek. He understands the importance of breaking away from the jargon and silos that so often exist in his industry and making the topic more broadly appealing. After all, he tells StrategicRISK, cyber and data security concerns everyone.

“So many people are just not interested in IT, full stop. And then when you start talking about security and people start using buzzwords or very technical terms, if you start explaining how encryption works for instance, you can see people’s eyes begin to glaze over. And it’s not the way to approach security education - you’re doomed to failure.”

Instead he likes to inject a bit of fun into IT security education and training. For instance, Trend Micro offers its clients’ employees video-based multiple-choice simulations, to allow them to experience a cyber attack of some sort and to make decisions along the way. If it’s ransomware attack for instance, do they pay or don’t they? Such an approach “allows employees to make mistakes and see the consequences of those mistakes in a controlled environment”, making it a powerful tool.

“They’re a bit like ‘choose-your-own-adventure’ books,” explains Ferguson. “You get to play the CIO or CSO of an organisation and you watch the video, the action pauses and you get to make a decision. The outcome at the very end of the scenario will be based around all those decisions you took throughout, and you can find out whether your organisation got compromised or not.”

If it didn’t make a profit, the criminals would stop doing it

Ransomware attacks have seen significant growth over the past two years, with Petya and WannaCry amongst the attacks disrupting businesses around the world and hitting the headlines. 2016 saw an incredible 752% increase in the number of new ransomware families being released, according to Trend Micro. “There’s never been an increase like it and there are a number of reasons why: First and foremost it’s because it works,” states Ferguson. “If it didn’t make a profit, the criminals would stop doing it.”

“One thing we’ve noticed recently is that the criminals have been focusing ransomware more on businesses than they had in the past,” he continues. “It started out as a consumer-focused threat, going after music, image and office files, but more recent variants have gone after things like the files necessary for hosting websites, or SQL databases or other assets that are useful to businesses. They are also adding capabilities for replication and propagation.”

“WannaCry is the most high-profile and recent example of that,” he adds. “A ransomware that once it gets into your system is capable of spreading further by itself by self replicating across the network. So there’s a whole new set of potentially more valuable targets. If you compromise multiple computers in a business you can ask for a higher ransom.”

Targeting humans, not systems
Inevitably, humans have the greatest fallibility when it comes to breaching an organisation’s defensive systems… and hackers know this. “Attackers will take advantage of our willingness to help and get the job done,” says Ferguson. “A common attack is phishing or ‘vishing’, where you’re trying to gain access, information and passwords by socially engineering someone by email or over the telephone.”

“We see all those social engineering skills coming into play in email-based attacks that are very well-targeted based on great open source intelligence resources,” he continues. “You address the victim by name, mention things you know they’re interested in, and it may appear to come from somebody they already know. You take advantage of human emotions like trust in order to persuade them to do something. In almost every case the attackers are targeting a human over and above a system.”

In addition to educating employees on how to spot a scam email and protect sensitive information, controlling who has access to what data is another useful tool. “It’s about making sure people only have access to the data that they need to, in order to do their job,” explains Ferguson. “And making sure you use the principle of ‘least privilege’, so that if someone does have access to certain data they can only read it and can’t write or modify it, if they don’t need to be able to do that. That will stop ransomware in its tracks.”

Again, cyber criminals know organisations do this. Which is why senior management and the individuals with full access to data and responsibility for making payments are increasingly targeted. Social engineering goes a step further when it comes to ‘business email compromise’ (CEO fraud or whaling) attacks where typically (in just over 70% of cases) it is the CEO or the MD of an organisation whose email account is hacked.

“They will compromise the inbox of those individuals and simply listen for a while to figure out what tone of voice do they use when they address employees - is it surname basis or first name basis? And then when they feel they have enough information, they will use that email account to send a mail to someone senior within the finance part of the business. A person who has the rights to move money. And they will send an email saying there’s a very important invoice to be paid and will use some very clever social engineering.”

Ferguson offers the example of AF Global, a Texas manufacturing firm whose director of accounting Glen Wurm received a series of emails from someone purporting to be Gean Stalcup, the CEO of the company. “Glen, I have assigned you to manage file T521,” the message allegedly read. “This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email…”

“It didn’t have any requests for payment of any kind it was just an email designed to make the recipient feel very trusted very involved and part of something important and secret, to boost his confidence and make him feel good about himself,” explains Ferguson. “And then half an hour later he got a call and email supposedly from this guy at KPMG that due diligence fees for this merger project worth $480,000 were needed.”

In another case, Europe’s largest cable and wire manufacturer lost €40m in a corporate email scam last year that used a combination of spear phishing and whaling techniques to extract the funds. In an announcement the company acknowledged “it had become the victim of fraudulent activity with the help of falsified documents and identities and the use of electronic communication channels” and that as a result, “company funds were transferred to accounts abroad”.

Business email compromise is well established has made around $5 billion over the past four years

“One of the predictions we made last year was that we would see criminals moving into ‘business process compromise’,” reveals Ferguson. “Business email compromise is well established and has made around $5 billion over the past four years. We were trying to imagine where an attacker goes next and business process compromise is where an attacker breaks into an organisation, modifies a business process such that it continues to run as normal… at least for a period of time… while generating profits for the attackers.”

He points to a recent case involving an unnamed shipping firm, whereby its systems were hacked and a small virus was planted that monitored all emails in and out of the finance department. Whenever one of the firm’s fuel suppliers sent an invoice, it would simply change the text of the message before it was read, adding a different bank account number. It is understood that several million dollars were transferred to the cyber criminals before the company discovered that it had been compromised.

Need for cyber breach “fire drills”
The days of hoping to build a fortress to keep out all threats and malicious attackers are over, acknowledges Ferguson. Because cyber criminals are not bound by the same rules as everyone else “they get to do things nobody else can”. This is why a tried and tested breach response is such an important part of an organisation’s security posture.

“It shouldn’t just revolve around what you do from a technological perspective, it’s not about having a disaster recovery plan… that’s a subset,” he explains. “Your breach response plan needs to involve your legal, PR and marketing team and your customer support and service team and all the people who are at the coalface from a technology perspective. It has to be coordinated - the left hand has to know what the right hand is doing - and it’s critical to carry out regular fire drills to make sure that that plan works.”

He is particularly concerned about the Internet of Things, which were never really designed with security in mind and whose vulnerabilities have been exposed in a number recent attacks, including the 2016 Dyn DDoS attack. “This is really our last chance as a security industry to do something about IoT before we’re left with a very toxic legacy of interconnected devices with very low security standards,” he says.

Ultimately the buck stops with the organisations that are entrusted with sensitive data and their senior management. Pointing to high-profile breaches in the US where organisations’ directors and officers were implicated, Ferguson believes this will become more commonplace, particularly as new data protection laws come into place in various parts of the world.

“My overriding advice is to be transparent and to be timely,” he says. “Certainly with GDPR [and other data protection regulations] around the corner being timely is going to be far more important. You need to make sure you are able to get people out of bed in the dead of night and that they know what they need to do, that you have open channels of communications, war rooms and prepared templates.”

“It goes right up to board level and there are some very severe penalties for not enforcing the regulation in those areas. And it’s not just about the fines - up to 4% of global turnover in the case of GDPR. It’s about the notification costs, the costs of re-evaluating your security technology finding out how did this happen and how can we prevent this from happening again? And it’s the brand damage that is caused. And if you’re a company that’s publicly trading, it’s the damage to the financial value of your organisation.”

“That’s why you see either a swinging axe or a raft of resignations in the wake of these kinds of events, because they have very real financial consequences,” he adds. “There will be employment consequences now for any major breach.”