Last time, Candid Wüest, VP of Acronis cyber protection research, gave us some insight into the types of attacks that we could expect from today’s hackers, as well as the mindset and the motivations behind this type of crime.
No doubt working from home has added risk to today’s threat landscape. This could be anything from private unmanaged machines, insecure home networks, and machines that can be exposed to other unsecured devices or users, to sensitive data that’s stored unprotected, issues related to bandwidth, or a lack of IT visibility over this new environment.
Add to this the behavioral changes of users who are now working from home, covering anything from new shopping habits, increased stress levels, and the use of new apps to support remote working, and you’re beginning to see why cyberattacks are through the roof. So, to better support your team and your clients, here’s what you should be looking out for.
How are Machines Compromised?
Cyberattacks usually start with a malicious document. You’re probably all familiar with the message that pops up when you open a file that says ‘enable active content.’ This means that any code in the file will not run without your consent. When you absentmindedly click the enable button, your machine is compromised. In 99% of cases, there is interaction required.
Take a step back in the journey. How did this document end up on your machine to start with? The answer is usually via email. At Acronis, we see that malicious emails are still attack vector #1. 1 in 15 emails was malicious in 2019, and that’s without adding phishing attacks to the mix – emails that direct you to malicious websites to trick you into handing over sensitive credentials. Some of the top email tricks include:
Social engineering: Emails have come a long way since Nigerian Princes begging for money, but the emotions that play behind the message are the same. Playing with fear or urgency is a great way to get the reader to ignore the quieter voice that asks them if this is a scam.
Encryption: Email scanners are pretty good at flagging whether you should trust the email that’s arrived in your inbox, so in many cases, attackers will hide the malicious content inside an attachment, for example a zip file. They may even send you the password for the zip file in a separate message, so that when your mail gateway scans the original attachment, it can’t open it.
Your behavior: Some malicious attackers can even use technology to reply to original email threads that you have written in the past, making it much more likely that you will click on a link inside. If you’re expecting a bill to come through, an attacker can pretend to be from that company, providing fraudulent details for the transaction. Attackers can also leverage your online behavior, sending you a message that appears to be from a Facebook or LinkedIn contact, or sending a targeted offer that meets your browsing habits or online interests.
Phishing attacks thrive from this kind of intelligence. If you’re waiting for an Amazon parcel (and who isn’t?), you’re much more likely to click on a link that says your parcel has been delayed, and hand over your Amazon credentials on a site that mimics the original.
Not all Attacks Need Malware
Phishing websites are just one example of an attack that can steal sensitive information without the need for actual malware. Business Email Compromise [BEC] is becoming more common: victims are tricked into making a fraudulent transaction by forged emails that appear to come from a senior member of staff or their direct line manager. The FBI says that $1.3 billion is lost to this kind of attack every year.
Variations include requests sent by text message, which isn’t protected in the same way as an email inbox and can be very convincing. Imagine a quick text message that says, “Can’t call as I’m in a conference, but can you send me $500 of iTunes or Amazon vouchers and expense them for the clients I’m meeting with right now? Need to share the confirmation with them within the next hour.” It’s easy to see why a busy assistant might put the order through, replying with the confirmation so that the attackers can take the vouchers and move on. More sophisticated BEC attacks can even mimic the voice of a target if given something as simple as 30 minutes of video content, easy to do if the person in question has ever spoken at a conference or created a webinar and uploaded the video to YouTube for example.
Traditional infection flow of ransomware
More often now, we see semi-manual attacks that leverage more advanced patterns and malware to adapt to their environment. Targeted ransomware goes after a specific company, and not just to encrypt information (companies often have cloud backups and can more easily get this information back) but also to steal sensitive data that can cause compliance headaches or media scandals. In that case, businesses are more likely to pay the ransom over stolen information than over encryption alone.
We’ve also seen multi-stage ransomware attacks where the perpetrators will hack into a service provider account, then use the password reset functionality to gain access to the online console, where they can quickly delete back-ups, uninstall security on the client machines, and use remote access such as RMM software to install ransomware directly. Misusing that local functionality can impact everyone in the supply chain.
The chart above shows typical methods that attackers could use for the three stages of an attack. Initial access can be gained via spear phishing and malicious email, through vulnerable services such as a VPN or Citrix, for example, or through poorly secured supply chain accounts and services, including RDP and MSPs.
Once the attacker has established a foothold, they can then make use of what’s already there, in what’s known as ‘Living off the Land’ attacks. This could be finding a cleartext password and then using it for privilege escalation, or executing fileless malware: commands that run only in memory and leave little on disk to detect once the system has been rebooted.
Using dual-use tools, attackers can move laterally, spreading to other machines in the network, harvesting and escalating credentials, and causing a massive amount of damage in a short space of time, often before the victim has any idea that a breach has occurred. With a combination of these attack types, and the new attacker methodology, a successful attack pattern has evolved from the simple version we saw above to something like this:
One Thing Stays the Same: The Earlier You Can Block the Attack – the Better
The problem is that most companies don’t have the resources or the skilled talent to keep these attacks at bay. Budgets have been cut in the wake of COVID-19, and as people move to the cloud, the risk landscape is new, visibility is much lower, and IT staff are undertrained.
However, that doesn’t mean there is nothing you can do. Let’s take a look at the kind of products and services that are on the market. With the thousands of options out there, they all boil down to three critical types of solutions.
Think of signature-based detection as finding the attack’s fingerprint using file signatures. This could be as simple as a single hash or a group of checksums or byte arrays, or it could be several pages of code.
The downsides of this kind of protection are that you need to know that something is malicious to have it marked as a potential attack pattern in the first place. As attackers get smarter, obfuscation techniques can help to bypass detection, and blacklists and whitelists of attack signatures will need continual updating.
You also need to think about false positives. If you’re looking for a Ferrari, and you put out a search for a fast, red car, you’re probably going to get quite a few Fiats alongside your sports cars. Technically, the algorithm was correct, but it didn’t come back with only what you were looking for. If you’re using this technology to delete anything that doesn’t fit your profile, you could end up taking away features, applications, or functionality that your clients need. This is about how sensitive your detection technology is. A solution could claim to catch 100% of malware, but it could simply stop every single piece of traffic inside and outside the data center. Sure, it will have prevented every incident of malware, but it has also blocked all legitimate communication, too. A detection rate without a false positive rate is meaningless.
You may be thinking, signature-based detection isn’t brilliant then! This would be a mistake. Just because cars now have more intelligent sensors and protective capabilities, that doesn’t mean we remove the airbags. Signature-based detection is still beneficial in combination with other modes of protection.
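To make the detection-rate-versus-false-positive point concrete, here is an added example (not code from the post or from Acronis) of a toy signature scanner. It supports the two signature kinds mentioned above, a whole-file hash and a byte pattern, and scores a signature set against a small labelled corpus. All "files", process names and signatures in it are constructed for the example: a narrow set (exact hash plus one specific byte pattern) misses a lightly obfuscated variant but never flags a benign file, while the "fast red car" pattern catches every variant and also a harmless admin macro.

```python
"""Toy signature-based scanner that reports a detection rate together with a
false-positive rate. Every file and signature below is constructed for this
example; none comes from a real malware corpus."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str     # "sha256": whole-file digest, "bytes": pattern anywhere in the file
    value: bytes  # raw digest for "sha256", raw byte pattern for "bytes"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def matches(sig: Signature, data: bytes) -> bool:
    if sig.kind == "sha256":
        return sha256(data) == sig.value
    if sig.kind == "bytes":
        return sig.value in data
    raise ValueError(f"unknown signature kind {sig.kind!r}")


def scan(data: bytes, sigs: list[Signature]) -> list[str]:
    """Names of every signature that fires on this file, in signature order."""
    return [s.name for s in sigs if matches(s, data)]


def evaluate(samples: dict[str, tuple[bytes, bool]], sigs: list[Signature]) -> dict[str, float]:
    """Detection rate = flagged malicious / all malicious;
    false-positive rate = flagged benign / all benign."""
    tp = fn = fp = tn = 0
    for data, is_malicious in samples.values():
        flagged = bool(scan(data, sigs))
        if is_malicious:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


# Constructed macro-like snippets standing in for document files (not real samples).
KNOWN_DROPPER = b'Sub AutoOpen()\r\nSet sh = CreateObject("WScript.Shell")\r\nsh.Run "dropper.exe"\r\nEnd Sub'
VARIANT = b'Sub Document_Open()\r\nSet sh = CreateObject("WScript.Shell")\r\nsh.Run "dropper.exe"\r\nEnd Sub'
OBFUSCATED = b'Sub AutoOpen()\r\nSet sh = CreateObject("WScript.Shell")\r\nsh.Run "drop" & "per.exe"\r\nEnd Sub'
ADMIN_SCRIPT = b'Sub Setup()\r\nSet sh = CreateObject("WScript.Shell")\r\nsh.Run "notepad.exe"\r\nEnd Sub'
REPORT = b"Q3 results: revenue up 4%. This document contains no macros."

SAMPLES = {
    "invoice.doc": (KNOWN_DROPPER, True),
    "invoice_v2.doc": (VARIANT, True),
    "invoice_v3.doc": (OBFUSCATED, True),
    "helpdesk_setup.doc": (ADMIN_SCRIPT, False),
    "q3_report.doc": (REPORT, False),
}

# Narrow signatures: an exact hash of the known sample plus one specific byte pattern.
NARROW = [
    Signature("Dropper.A.hash", "sha256", sha256(KNOWN_DROPPER)),
    Signature("Dropper.A.run", "bytes", b'sh.Run "dropper.exe"'),
]
# Broad signature: "any fast red car"; it fires on the benign admin macro as well.
BROAD = [Signature("AnyShellObject", "bytes", b'CreateObject("WScript.Shell")')]

if __name__ == "__main__":
    for label, sigs in (("narrow", NARROW), ("broad", BROAD)):
        print(label, evaluate(SAMPLES, sigs))
```

Run it and the narrow set reports a detection rate of two thirds with no false positives, while the broad set reports 100% detection with a 50% false-positive rate; quoting only the first number of either set tells you nothing useful, which is the point the paragraph above makes.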
This technique looks at what an application is actually doing, for example whether it is encrypting files. More sophisticated techniques include reputation analysis using machine learning.
Machine learning takes a training set of data from previous attacks, extracts features, trains the model, and tests it with a decision tree. This also gives a more accurate read across the network when new models are tested. Eventually, we will see Artificial Intelligence used here, allowing the process to be automated so that the system doesn’t need to be retrained over and over, learning on its own which features to extract and how to rebalance the tree.
Behavior-based detection will monitor what each process is doing, blocking any unusual or malicious behavior patterns. Of course, by this point – the attack has been executed, and you’re using incident response to limit the damage. If this kind of system suffers from false positives, which of course it can do – you could disrupt service while the mistake is rectified.
These limitations are why it’s important to use preventative tools as well as responsive ones. Prevention stops unwanted changes and finds threats ahead of time. Consider solutions ranging from read-only files, sandbox environments, URL filtering against phishing sites, and multi-factor authentication, all the way through to sophisticated security technologies like micro-segmentation.
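The behavior-based detection and its false-positive problem described above can be shown on a small constructed process event log. The following is an added example, not code from the post or from any Acronis product: a naive rule that flags any process touching many files in a few seconds trips on a backup job just as it trips on an encryptor, while a rule that only counts renames changing a document's extension keeps the backup job out of the alert. Process names (`encryptor.exe`, `backup.exe`, `winword.exe`), paths and timestamps are all made up for the example.

```python
"""Behavior-based detection over a constructed process event log: a naive
mass-file-change rule versus one that only counts extension-changing renames.
All events, process names and paths are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: float                       # seconds since some epoch
    process: str                    # image name of the acting process
    op: str                         # "write" or "rename"
    path: str                       # file acted on
    new_path: Optional[str] = None  # destination for renames


def ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""


def mass_change(events: list[Event], threshold: int = 10, window: float = 5.0) -> list[str]:
    """Processes that touch >= threshold distinct files within any span of
    `window` seconds. Naive: a backup job trips it just like an encryptor."""
    by_proc: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_proc[e.process].append(e)
    flagged = []
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        start = 0  # left edge of the sliding window
        for i in range(len(evs)):
            while evs[i].ts - evs[start].ts > window:
                start += 1
            if len({x.path for x in evs[start:i + 1]}) >= threshold:
                flagged.append(proc)
                break
    return sorted(flagged)


def ransomware_like(events: list[Event], threshold: int = 10, window: float = 5.0) -> list[str]:
    """Same sliding window, but only over renames that change an existing file's
    extension (report.docx -> report.docx.locked). A backup or archiver writes
    new files elsewhere; it does not rename the user's documents to a new extension."""
    relevant = [
        e for e in events
        if e.op == "rename" and e.new_path is not None and ext(e.new_path) != ext(e.path)
    ]
    return mass_change(relevant, threshold, window)


def constructed_log() -> list[Event]:
    """Three processes: an encryptor, a backup job, and a user editing a document."""
    log: list[Event] = []
    for i in range(12):  # encryptor renames 12 documents to a new extension in 2.2 s
        doc = f"/home/alice/docs/doc_{i}.docx"
        log.append(Event(100.0 + 0.2 * i, "encryptor.exe", "rename", doc, doc + ".locked"))
    for i in range(12):  # backup job writes 12 new files in 2.2 s
        log.append(Event(200.0 + 0.2 * i, "backup.exe", "write", f"/backup/2020-10-01/doc_{i}.docx"))
    # Word saves via a temp file and then renames it into place: one extension change.
    log.append(Event(300.0, "winword.exe", "write", "/home/alice/docs/~report.tmp"))
    log.append(Event(300.5, "winword.exe", "rename", "/home/alice/docs/~report.tmp",
                     "/home/alice/docs/report.docx"))
    return log


if __name__ == "__main__":
    events = constructed_log()
    print("naive rule flags:", mass_change(events))
    print("extension-change rule flags:", ransomware_like(events))
```

The naive rule returns both `backup.exe` and `encryptor.exe`, so an automated "block the process" response would have interrupted the backup; the extension-change rule returns only `encryptor.exe`. Either way the encryptor has already renamed a dozen files before the rule fires, which is why the section above pairs detection with prevention.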
Things to Remember
- Not all threats are equal. Leaking email addresses, many of which are already in the public domain, is by no means as dangerous as leaking passwords or bank details, for example.
- Protect yourself. As an MSP, think of your own scanning and monitoring processes as your CCTV camera. You can’t protect your clients if you aren’t ironclad yourself. This includes backups and local security software.
- Patching. Patching isn’t foolproof, but it’s an essential start. Software issues with known patches need to be fixed immediately. There’s no excuse for being unprotected if there is a known patch.
- Don’t forget zero-day attacks: Zero-day vulnerabilities cannot be fixed with patching, and these kinds of vulnerabilities are like gold dust for attackers looking for an easy way to cause havoc. Your antivirus solution can’t stop at patching, or at signature-based detection, as you don’t know what’s around the next corner.
Acronis is an integrated solution, covering backups and antivirus, as well as anti-ransomware, forensic backups, anti-malware protection, machine learning, and behavior-based detection. Underneath it all is a foundation of classical signature-based detection, patch management, and vulnerability management. Here’s how we break it up into an all-inclusive solution.
This combination of multiple detection technologies and prevention and analysis is essential. Each tool on its own has its limitations and constraints. Together, this comprehensive protection gives you far more than any solution could on its own.
Want to hear more from Candid Wüest? So do we! That’s why we’ve invited him for a live webinar next month, so we can open the floor to the Ateran community to ask him specific questions about the cyberthreat landscape and the Acronis solution.