It will come as no surprise to most Computing readers that many cyberattacks this year played on the fears and uncertainties around Covid-19. In fact, the shift has been larger than most would expect, with almost every social engineering attack seen by cyber security firm Proofpoint this year leveraging the pandemic in some way.
"There's been a massive shift to criminals leveraging COVID as a current topic," says Adenike Cosgrove of Proofpoint, "whether it's 'Click here to see who's been infected', 'Click here to get the latest cure', or 'Click here to make sure that you're still getting your payslip'. And, unfortunately, some people are being drawn in by, 'Click here to make sure you're not on the [redundancy] list'. They're really leveraging that fear and anxiety to socially engineer and exploit people."
The shift to remote working this year has led many cyber criminals to move away from exploiting technical vulnerabilities towards exploiting social ones. Email is a major attack vector: impersonating a trusted sender is relatively simple, and what Proofpoint calls Business Email Compromise, or BEC, in which a criminal poses as an executive, colleague or supplier to get money or data out of a company, often needs nothing more than a busy worker acting on a message, including clicking a link that harvests their credentials.
"If we look at Business Email Compromise specifically, we saw over 7,000 CEOs and other executives being impersonated in email [this year]… We continue to use email to do business, and especially now we're using it even more, because…it's impossible for us to go to a colleague, walk over to their desk and ask them a question; and so, we send an email. We're sending email to our business suppliers and business partners; we're sending emails to our customers, and the criminals recognise this. Why would I try to hack the network or the data centre, which is increasingly being outsourced to Google, Microsoft and Amazon, when I can get somebody to give up their credentials?"
Swapping nets for spears
The number of attacks hasn't risen any more than would normally be expected year-on-year; they're simply becoming more targeted, in both the victim and the bait. Criminals are also combining attacks: an initial assault might steal credentials, which are used for internal phishing, or malware delivery. The impact is significant: cyber insurance firm AIG announced last year that more claims were made for BEC than for any other type of attack, including malware, ransomware and denial of service.
"Companies are losing hundreds of millions of dollars to a single attack," says Cosgrove.
Despite the damage BEC causes, there is no silver bullet: no simple software tool that can completely stop email attacks, especially those without a payload. There are technologies that can block specific types of attack, like DMARC email authentication for domain name spoofing, or AI algorithms for display name spoofing; but there is no single solution that addresses them all.
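DMARC answers only one of the impersonation patterns above: with a reject (or quarantine) policy, a receiver drops unauthenticated mail that claims to come from the exact domain, but a message whose display name reads "Jane Smith" while the address sits at a free webmail provider, or one sent from a lookalike domain, passes DMARC cleanly. The Python below is an added example written for this page, not Proofpoint's code or any product: it parses a DMARC record to confirm the exact-domain case is covered, then flags the two cases DMARC misses against a short list of protected people. The organisation example.com, the names and the From: headers are all constructed for illustration.

```python
# Added example, not code from the article or from Proofpoint. Everything
# below (example.com, the protected people, the From: headers) is constructed.
import re
from email.utils import parseaddr

# Hypothetical organisation and its most-targeted people (the "VAPs").
OUR_DOMAIN = "example.com"
PROTECTED_PEOPLE = {
    "Jane Smith": "jane.smith@example.com",  # hypothetical CEO
    "Raj Patel": "raj.patel@example.com",    # hypothetical CFO
}


def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def exact_domain_spoof_blocked(record):
    """True when the policy stops unauthenticated mail from the exact domain.
    Only p=reject or p=quarantine do; p=none merely reports."""
    return parse_dmarc(record).get("p", "none").lower() in ("reject", "quarantine")


def name_tokens(name):
    """Lower-case word tokens of a display name, ignoring punctuation/titles."""
    return set(re.sub(r"[^a-z]+", " ", name.lower()).split())


def edit_distance(a, b):
    """Levenshtein distance; small values against our domain mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from_header(from_header):
    """Return 'ok', 'lookalike_domain' or 'display_name_spoof' for one From: value.
    Mail genuinely from OUR_DOMAIN is left to DMARC; this looks at everything else."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == OUR_DOMAIN:
        return "ok"
    # Lookalike: one or two edits away from our domain (exarnple.com, example.co).
    if 0 < edit_distance(domain, OUR_DOMAIN) <= 2:
        return "lookalike_domain"
    # Display-name spoof: a protected person's full name on an outside address.
    shown = name_tokens(display)
    for person, real_addr in PROTECTED_PEOPLE.items():
        if name_tokens(person) <= shown and addr.lower() != real_addr:
            return "display_name_spoof"
    return "ok"


def triage(from_headers):
    """Classify a batch of From: headers; returns {header: verdict}."""
    return {h: classify_from_header(h) for h in from_headers}


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    sample = [
        "Jane Smith <jane.smith@example.com>",
        "Jane Smith (CEO) <ceo.janesmith@gmail.com>",
        "Accounts Payable <ap@exarnple.com>",
        "Bob Jones <bob@partner.net>",
        "raj patel <rpatel@outlook.com>",
    ]
    print("DMARC p=reject covers exact-domain spoofing:",
          exact_domain_spoof_blocked("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    for header, verdict in triage(sample).items():
        print(f"{verdict:20} {header}")
```

The token check deliberately requires the whole protected name to appear, so "Jane Smithson" is not flagged while "Jane Smith (CEO)" is; tune the edit-distance threshold and the protected list to your own domain and VAPs, and treat a hit as a reason to warn the recipient, not as proof of fraud.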
Cosgrove recommends not only employee training, but bringing them on-side with your security team. Instead of security being seen as the ones that will name and shame when someone clicks a malicious link, they should instead be the ones who will work alongside that person to ensure it doesn't happen again:
"No technology can 100 per cent guarantee that nothing bad will ever land in your inbox, and that's why it's critical that security professionals not only block these threats, but communicate the threats that have been blocked to the end users that have been targeted. Let them know that they're being targeted, and educate them on the behaviour they need to follow to alert security if they think they've received something that looks a little bit malicious. Make it easy, because they're the victim.
"So, if somebody clicks something, don't blame them, don't shame them. We need to make sure that they are comfortable enough to notify the security team that something went wrong… Make it easy for them to communicate that to the security team."
A people-centric view of security supports the more common technical approach. As well as building a schematic of the network, understanding the state of endpoints and so on, security professionals need to work with users - not see them as an impediment.
"You need to understand who those VAPs are - those very attackable people - and you need to make sure that you're protecting those people from the criminals that are targeting them."
Working with users also helps to counter the growing threat of internal compromise, which could come from malicious insiders, compromised users or plain old human error.
Malicious insiders are the smallest share of the internal threats Proofpoint sees, at about 14 per cent. These are typically people seeking revenge for a perceived slight. More common are compromised insiders, where a criminal has stolen an employee's credentials and is using them to steal company data. The largest internal threat, however, comes from accidental users: those who may not know company policy and use personal devices, or shift important data to a cloud drive in an effort to be more efficient. "That's about 60 per cent of the insider incidents that we identify at Proofpoint," Cosgrove says.
Focusing on people is not just good security practice; it also has implications for the role of IT in the business. CISOs commonly want a seat at the board table, and a people-centric view helps them communicate security risk in a language that the business understands.
"If there's one thing that a business understands, it's people - because the people are working to generate revenue for the organisation, and if they're being targeted and if they're impacted, that's going to impact the bottom line of the business - and you can start to quantify that. You can start to give visibility into who's being targeted, and you can link that back to the potential impact that will have on the business.
"My key recommendation is to build that people-centric security programming strategy. Understand who's vulnerable, understand who's under attack, understand who has privileged access to sensitive systems and data, and implement controls to protect those people."