Most people hear about breaches from news articles written after the fact
They read about thousands or millions of records being stolen after the fact. They read about credit monitoring being set up for customers, loss of reputation and potential lawsuits. However most companies tend to believe it won’t happen to them, because they don’t have anything valuable. Companies also believe that these attacks are targeted ones and because they aren’t valuable, they won’t be a target of a hacking attempt. Those companies could not be more wrong.
Most of today’s hackers employ a “try anything and everything” mentality. This mentality allows for low cost attacks across a wide range of targets. Imagine if you will a neighborhood with homes lining the streets. Now imagine a thief going up and down the street trying every garage door, front door, back door and window to see if he can get in. Now imagine there are 50 robbers on that street all doing the same thing and some of them are talking to each other when they are successful. That, my friends, is what it is like with hackers attempting to get into your network.
Techniques to “Get In”: Reconnaissance
The use of personal devices exasperates the problem, when those devices are not secure. How many of you provide your neighbor with the key to your house in case they need to let your dogs out or let your kids in after work? What if that neighbor just leaves the key out in the open where a thief can use it to get into your home? That is what it is like when you allow personal devices on your network and you do not see to it that those personal devices are secured.
Phishing is a very common broad stroke attack. With phishing, the hacker is sending an email in attempts to get the recipient to open a malicious attachment, click on a link to a malicious website or provide usernames and passwords for access to a system. Phishing can also be done over the phone, but that is not as common these days. The cost to send those tricky emails is rather inexpensive costing no more than an internet connection, free email account and some stolen list of email addresses. All the hacker needs is one person to get hacked to make it worthwhile.
It is this “try anything and everything” mentality that leads to any company being a victim. Yes, any company. Do you have a bank account? Do you pay bills via wire transfer or over the web? Do you have an internet connection? Do you have data on a computer that you would be at a loss if it was encrypted and inaccessible? If you answered “yes” to any of these questions, you are a target. The hacker typically isn’t looking to grab millions of credit card numbers from a retailer, thousands of credentials from a bank or the latest formula for a tasty beverage (although to be honest, I’ve contemplated a good beer recipe or two). Sure, those are the attacks the public reads about, but that is because those are the attacks that are exciting, interesting and fodder for the media. It is the thousands of small attacks the public doesn’t hear about until it happens to them.
Persistence is the Goal
Some companies think, “When I get hacked, I’ll just quickly get the hacker out of our systems.” That’s just it, you won’t know when you get hacked. When a hacker infiltrates your system he or she doesn’t just start setting off alarm bells or notifying you that you’ve been hacked. Most often the first thing a hacker does upon infiltrating a company’s network or computer is to just establish a foothold. The term we use in our industry is “maintain persistence”. The hacker wants to see to it that even if you reboot a computer, the hacker can still come back in (the industry average is 9-12 months). A hacker may then leave the company network for a period of time. Then at some point in time later, the hacker will return to the company and figure out how the hack is going to be beneficial.
- Maybe the hacker will steal proprietary information such as engineering drawings or formulas.
- The hacker may steal personally identifiable information such as social security, addresses and dates of birth.
- The hacker may decide to use the company computers to transfer money to another account.
- The hacker will look to see what other companies the hacked company is connected with in order to use the hacked company as a jumping off point to hack someone else, and if you don’t have any of that…
- The hacker may also just use the company computers to conduct a denial of service attack (DOS) on another organization. A DOS is an attack by which a hacker looks to prevent people from accessing another company’s email, website or other electronic resource by bombarding that company’s servers with large amounts of internet traffic.
What You Need to Know
In summary, if I can provide you, the reader, with some take away points it would be the following:
First, understand that your company is a target for a hacker just because you exist. You may think that you do not have anything valuable but it isn’t all about valuable files or intellectual property. It is about stealing your money, encrypting computers and forcing you to pay a ransom or using you to get to someone else.
Second, hackers are going to try to get into any and all organizations by just trying that front door. The hacker is looking for the low hanging fruit so a little prevention can go a long way.
Third, and finally, the hacker is going to be in your environment for months before you even have an idea that they are there.
So how can you combat this?
- Understand the gaps within your security. If you really don’t know, take an honest look at it. If your IT Department/Provider is well-versed in CyberSecurity, have them assess the organization’s control environment. And if you don’t have someone that is an expert in this area…find someone and have them conduct a comprehensive assessment;
- Build a control environment with a layered approach. Take away the long hanging fruit and go a couple layers deeper. In essence, make your environment less attractive to the attacker;
- Establish a written Incident Response Plan. The worst time to plan for a data breach is during it. You will inevitably make mistakes – some which can be extremely costly.
Make sure that the data breach response plan addresses how you’re going to answer the questions that everyone asks once the dust settles:
- How do we know we got everything? How did this happen – specifically?
- What, specifically, was compromised?
- Do we have any notification duties? (Today’s regulatory and legal environment have moved to a need to prove that something has NOT been compromised – otherwise you must assume that it has been compromised. That oftentimes is a significant difference!)
If you’re concerned about how your organization can be ready, contact the Experts at Vestige Digital Investigations to discuss how our data breach response services can help you.
by: David Jacobs, Forensic Analyst & Greg Kelley, CTO at Vestige