Cyber Incident Methods

High-Tech, Low-Tech and Blended Attacks

It might be easy to throw up one’s hands and say that data breaches are inevitable and, to an extent, that is true. There is no such thing as 100 per cent security but that is not an excuse to give up. Any meaningful study of threats recognizes that some are high-tech. They rely on vulnerabilities in software or in cybersecurity operations. Others are low-tech, relying on human error. Still others combine multiple vectors of attack into blended threats. Consider the following examples.

Vault 7

Vault 7 is the name given by Wikileaks to its trove of cybersecurity information apparently stolen from the US Central Intelligence Agency. Vault 7 material included what were previously unreported methods for compromising multiple types of systems. Suddenly, with the release of Vault 7 material, nation states and cybercriminals had access to world-class hacking tools. This is one reason for so many attacks being successful. They employed methods that the perpetrators would have never had access to if it were not for the release of CIA materials through Vault 7.

Polymorphic Malware

When malware was first developed, defensive systems were developed that could recognize the specific signature of pieces of malware. But malware writers understood this and developed what is called polymorphic malware, which modifies itself every time it is duplicated, without the changes affecting the functionality of the malware. Once each copy is unique, traditional pattern-based detection systems cannot see it. Newer defensive tools had to be developed to recognize the actions of the malware. Adversaries continue to develop malware with more advanced detection-avoidance capabilities, so anti-malware vendors are always in a race to keep pace.

Malware (and Malware as a Service)

Tens of thousands of pieces of malware are developed every day. Malware can be aimed at an operating system or an application. The proliferation of malware makes it vital to maintain up-to-date patching. Patches are software modifications developed by manufacturers to counter specific threats, including those associated with malware. Additionally, as a business feature, some malware writers, rather than selling a piece of malware to a buyer, operate it for them, and this is known as malware as a service.

Ransomware (and Ransomware as a Service)

In the past couple of years, a new form of malware called ransomware has emerged and been the cause of tremendous problems for both public and private sector organizations. When it enters a system, ransomware encrypts storage devices that it can control, leaves behind a notice that the software has encrypted stored documents and files, and informs system owners that upon payment of a ransom (often to be paid in a cryptocurrency such as bitcoin or monero), the perpetrator will send a decryption key. While initial ransomware usually asked for a few hundred dollars, ransomware today is often targeted at enterprises, and ransom payments ranging from tens of thousands to hundreds of thousands of dollars may be demanded. High ransom payments are often demanded if the ransomware has the capability of encrypting cloud-based backup copies of files. Unfortunately, many companies feel they have no alternative but to pay the ransom and have to hope that the criminals will provide a working decryption key. Note also that some ransomware is provided to criminals as a service operated by other criminals. Some are so sophisticated as to provide detailed instructions for the victim to use in purchasing cryptocurrency. Some even provide a customer service phone number for victims to call for payment assistance.
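The contrast drawn above between pattern-based detection and recognizing the actions of malware, applied to the ransomware behaviour just described, can be shown in a short sketch. This is an added example, not part of the original guide; the byte strings, event records, thresholds and file-name keywords are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed, inert byte strings standing in for two copies of one program:
# identical core, different filler, which is all a hash signature needs to miss.
CORE = b"PLACEHOLDER-CORE"
COPY_A = b"\x01" + CORE + b"filler-1111"
COPY_B = b"\x02\x03" + CORE + b"filler-2222"
KNOWN_BAD = {hashlib.sha256(COPY_A).hexdigest()}  # signature built from COPY_A only

def signature_match(blob: bytes) -> bool:
    """Pattern-based check: exact SHA-256 lookup against known signatures."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD

# Constructed endpoint telemetry: (pid, action, path, entropy of bytes written).
EVENTS = [
    (100, "write", "C:/docs/report.docx", 4.1),    # ordinary editing
    (200, "write", "C:/docs/a.xlsx", 7.9),
    (200, "write", "C:/docs/b.docx", 7.8),
    (200, "write", "C:/docs/c.pdf", 7.9),
    (200, "create", "C:/docs/README_RESTORE.txt", 3.9),
    (300, "write", "C:/backup/archive.zip", 7.9),  # one compressed file: benign
]

HIGH_ENTROPY = 7.5   # bits per byte; assumed threshold for this example
MIN_REWRITES = 3     # assumed minimum number of rewritten files
NOTE_HINTS = ("restore", "decrypt", "recover")  # assumed note-name keywords

def behaviour_alerts(events):
    """Flag pids that rewrite many files with near-random data and drop a note."""
    rewrites, notes = defaultdict(set), defaultdict(bool)
    for pid, action, path, entropy in events:
        name = path.rsplit("/", 1)[-1].lower()
        if action == "write" and entropy >= HIGH_ENTROPY:
            rewrites[pid].add(path)
        elif action == "create" and any(h in name for h in NOTE_HINTS):
            notes[pid] = True
    return sorted(p for p in rewrites
                  if len(rewrites[p]) >= MIN_REWRITES and notes[p])

if __name__ == "__main__":
    print("signature hit on copy A:", signature_match(COPY_A))
    print("signature hit on copy B:", signature_match(COPY_B))
    print("behaviour alerts (pids):", behaviour_alerts(EVENTS))
```

The hash lookup misses the second copy even though its core is unchanged, while the behaviour rule flags the process by what it does, whichever copy produced it.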

Denial of Service Attacks

Websites can be overwhelmed by receiving millions of messages per second. This is how DDoS attacks work. Most often operated by criminals as a service, these attacks take advantage of thousands of computers that have been infected with malware that enables them to be commanded to send large numbers of messages to a target. With hundreds or thousands of computers sending large numbers of messages to the target, the website can be disabled. These DDoS attacks can be combined with a blackmail demand (‘Pay me and I will stop the attack’) or may be conducted for political or ideological purposes. Fortunately, internet service providers have become good at defeating these attacks.

Social Engineering

Social engineering attacks focus on making people do what the attacker wants. The many forms include the following:

  • Business email compromise, as discussed earlier.

  • Credential compromise. This is a scheme designed to get a targeted individual to reveal system credentials, such as user ID and password. One way of reducing the chance of a successful credential compromise is to use what is called two-factor authentication (or 2FA), whereby a user ID and password is not sufficient to gain access to a system. The second factor could be a message sent to a smartphone, or a fingerprint, or any number of other means.

  • Dropping infected drives. Perpetrators have been known to leave a thumb drive containing malware where it can be readily found. For example, it might be left attached to a key ring in a public toilet, or in a company car park. The hope is that it will be found and the drive plugged into a computer in an attempt to identify the owner (perhaps by finding a picture or document with a clue as to the person’s identity). Once plugged in, the drive injects the malware into the system, where it is designed to spread. An alternative is for someone with access to the premises, such as a janitor, to plug an infected drive into multiple computers.

Automated Attacks

One method that perpetrators use to identify potential victims is an automated attack, in which the perpetrator uses software that runs tests against target systems to identify those with specific vulnerabilities. In some cases, the objective is to identify a vulnerable system for infection at a later stage. In other cases, identification of the vulnerability is combined with exploitation of the vulnerability.

Source
An extract from the first edition of The Guide to Cyber Investigations. The whole publication is available at Global Investigations Review.
