Cyber resilience through consolidation part 1: The easiest computer to hack

Many of us connected to the internet are in constant unease about the growing threat of cyberattacks. Malware, phishing and social engineering are all tactics that can easily target the average user.

It’s normal to be worried about how cyber threats can be carried out, but the stereotypical hackers portrayed in the media — using advanced programming and malicious programs to harass and victimize their targets out of a dark basement — are mostly fiction. Real attacks are more mundane but just as consequential.  

The harsh reality is that most of today’s cyberattacks are not as sophisticated as once thought, especially compared to earlier tactics that grew as the popularity of interconnected devices rose. Although some attack methods have matured in sophistication, many vectors of attack have not changed in years but are still very successful, largely due to social engineering and human error. 

Being (and staying) cyber-resilient

Cyber resiliency is an organization’s ability to anticipate, withstand and recover from potential threats without severely compromising or disrupting the business’s productivity. By taking advantage of emerging technologies, staying “cyber fit” and creating a comprehensive restoration and recovery system with the right tools and resources, it’s possible to stay ahead of the cybercriminals.

In short, being — and staying — cyber-resilient is one of the most important steps one can take to protect themselves and their organization.

In this two-part series, I’ll outline some of the biggest risks in cybersecurity across the industry and how to mitigate them. This starts with the easiest computer to hack: People. 

The easiest computer to hack

The human brain has always been one of the easiest computers to hack. Even though some attack methods evolved through the years, the use of social engineering to carry out most attacks has stayed consistent.

Most cyberattacks succeed because of simple mistakes caused by users, or users not following established best practices. For example, having weak passwords or using the same password on multiple accounts is critically dangerous, but unfortunately a common practice.

When a company is compromised in a data breach, account details and credentials can be sold on the dark web and attackers then attempt the same username-password combination on other sites. This is why password managers, both third-party and browser-native, are growing in utilization and implementation. Two-factor authentication (2FA) is also growing in practice. This security method requires users to provide another form of identification besides just a password — usually via a verification code sent to a different device, phone number or e-mail address.

Zero trust access methods are the next step. This is where additional data about the user and their request is analyzed before access is granted. These measures can help ensure password security, either by storing encrypted passwords or by adding an extra layer of security via secondary authorization. 

Phishing still prevalent

The human tendency to be easily manipulated is also evident in the consistent deployment and success of malicious phishing e-mails. No matter how much security awareness training a business’ staff has under their belt, there will always be at least one very inquisitive user who will fall for a scam and click a phishing link.

These malicious links direct to a well-designed website impersonating another known site and tricking users into giving up credentials or opening unknown attachments that may contain malware. These emails are usually not very sophisticated, but social engineering can be quite convincing, with up to 98% of cyberattacks carried out via social engineering tactics.

Social engineering is when attackers victimize their targets by exploiting the instability of human error through social interaction, usually by impersonating the personnel of a trusted organization. This is why users need to have a multi-level cyber protection approach to keep their systems truly safe.

Sophisticated Advanced Persistent Threat (APT) groups

That being said, there are some extremely sophisticated attack methods out there, predominantly conducted by Advanced Persistent Threat groups (APTs). For example, in software supply chain attacks, threat actors use malicious code to compromise legitimate software before distribution. These types of attacks are not easy to block and are not new: There are plenty of examples, including CCleaner, ASUS and SolarWinds.

With this type of attack method, threat actors try to compromise a trusted vendor and use their channel to infiltrate their target. This can happen in various degrees, the most sophisticated being when an attacker fully compromises the software vendor and manages to implant a backdoor in the next software release.

If successful, this can be very sneaky, as the malicious update is now sent from the original vendor’s website and is even listed with official release notes and a valid digital signature. Unfortunately, until that point, there is no way that a user can know that the update is malicious.

Even if the victim only installs the update on a handful of computers to test compatibility, this might still not reveal the malicious payload, as it’s common for such malware to “sleep” for a few weeks after installation before unleashing its payload. Because of this, the only feasible way to protect against such attacks is to monitor the behavior of every application on a system in real-time, even if it is believed that the program is legitimate. 

Beyond Trojans

Attacks through the supply chain are not limited to embedding Trojans into software. Last year, application service provider Okta was compromised by the Lapsus$ attacker group. The malicious group gained access to some of the administrator panels, allowing them to reset passwords, thus allowing the attacker to bypass the strong authentication. This led to data breaches for some of Okta’s customer base, including high-profile customers such as Microsoft. 

Similarly, we do see more and more living-off-the-infrastructure attacks against MSPs. With this method, attackers compromise the very software tools used by service providers to roll out new software packages, deploy patches or monitor various endpoints.

If, for example, an attacker can guess the email password of the administrator or get it from a phishing attack, then they might be able to reset the password for the software deployment console — at least if no multi-factor authentication is enabled. Once access is gained, cybercriminals can distribute their own malware through the same process.

Then, not only can the attacker abuse the efficient ways of software control to compromise all customers of the MSPs, but they can use the same methods to disable security and monitoring tools or to delete backups. 

In part two, we’ll discuss some of the other types of attacks that remain so common across industries, such as subscription-based attacks and the new threat that AI brings to the table.

Candid Wüest is VP of research at Acronis.