Cybersecurity continues to mature rapidly and holds a critical role at a time when industries, organizations and people need it most.
“In the past year, the typical enterprise has been turned inside out,” says Peter Firstbrook, VP Analyst, Gartner. “As the new normal takes shape, all organizations will need an always-connected defensive posture, and clarity on what business risks remote users elevate to remain secure.”
It comes as no surprise that PwC’s 2021 Global Digital Trust Insights report also highlights just how much organizations are coming to terms with this. Businesses are investing more, increasing their cyber budget by roughly 55% and headcount by 51%. Companies are also focusing on where they need to change their cyber strategy, with 50% stating “that cyber and privacy will be baked into every business decision or plan” and 72% planning to “strengthen cybersecurity posture while containing costs.”
We spoke with Olga Polishchuk, ZeroFox Senior Director of Threat Analysis and Investigations, to take a deeper dive into cybersecurity attacks to uncover what exactly defines them, the risks they pose, and some best practices to disrupt what might be headed your way.
What Is a Cybersecurity Attack?
When truly tackling the idea of what a cybersecurity attack is and what it involves, it helps to take a step back and define it through the stages that lead up to the attack itself. It can be seen as a formula or equation, with the attack being the outcome. It is a complete life cycle, beginning with a capability that matches somebody’s intent. If somebody intends to inflict harm, do they have the capability to carry it out? If they do, then it is undoubtedly a threat. Next, the motivation should be understood, where possible, to better understand the threat as a whole.
Beginning with the cybersecurity threat itself, this could be any possible malicious attack with the intent to unlawfully disrupt operations, access data, damage reputation and more. These threats also come from a wide range of actors, driven by various motivations, and can include hacktivists, terrorist groups, criminal organizations, lone hackers and more. Because these threat actors seek to employ a wide range of potentially damaging actions, cybersecurity professionals are essential to stay protected and mitigate risk.
For instance, a malicious actor motivated by animal rights waged an attack on a pharmaceutical company that ran tests on animals. In this instance, the threat actor acquired compromised account credentials for the company’s network, gained access, exfiltrated sensitive data and then used it for their own purpose of essentially highlighting animal cruelty more publicly. Here the attacker was ideologically motivated; they had the capability to disclose this sensitive information, and that capability was coupled with a vulnerable internal system at the pharma company. The intent was to publicize the data and adversely affect the reputation of the company.
In cases where ransomware is leveraged, the actors are generally financially rather than ideologically motivated, although ideologically motivated ransomware has taken place as well. Here we see different motivations with the same goals and impacts in the end. Furthermore, everyone is at risk, and no one is bulletproof. Instead of asking the question, “what is an attack on cybersecurity,” we should be asking ourselves bigger-picture questions. To understand an attack, it should be broken down into the steps that come before it. Ask yourself what the vulnerabilities, risks and threats are.
Although the types of attacks can vary, most involve the following primary phases:
- Reconnaissance – Researching targets and vulnerabilities to plan an attack strategy. This includes identifying the best methods and phases of the attack.
- Exploit and Install – The beginning of the attack, where tactics are deployed against vulnerabilities; this is often referred to as the initial point of entry.
- Access and Control – At this phase, attackers have a stronger foothold and can direct the following stages of an attack, including gathering and stealing as much data as possible. Attackers will prioritize maintaining or disguising their presence for as long as possible until the goal is complete.
- Act on Motive – Now with full control, attackers can act on motive and achieve their intended goal, whether infrastructure destruction, extortion, data exfiltration or more.
Types of Cybersecurity Attacks and Threat Actor Landscape
The cyber threat landscape remains diverse and features a variety of hostile actors possessing a wide range of capabilities and tools. Cybersecurity attacks occur daily, if not more often, at different levels of sophistication and success rates. When identifying the types of cybersecurity attacks that might be looming, there is no cookie-cutter, one-size-fits-all approach. Intelligence and priority requirements defined with each customer are critical to finding that tailored approach to cyber defense. A strong security posture must start with establishing the “crown jewels” and focus on pinpointing vulnerabilities and risks specific to the target.
Keeping this in mind, the cyber threat actor landscape also comes with just as much diversity in motivations and capabilities. Industry competitors, nation-states, hacktivists, cyber terrorists and cybercriminals are the primary actors with the intent, motivation and means to conduct cyber attacks. While cybercriminals are a consistent threat due to their financial motivations and opportunistic spirit, organizations can face increased targeting by competitors, states and hacktivists depending on the conditions specific to those actors, such as geopolitical tensions, country agenda or contract competition. The tactics themselves, however, tend to remain almost the same and can include social engineering, malware, brute force, phishing, ransomware and more.
Cybercriminals run the gamut of sophistication, ranging from rudimentary to very experienced, and may work individually or in groups of varying sizes. They are typically financially motivated. These groups are generally the loudest and are very present on illicit marketplaces and forums. The level of maturity varies here, especially where actors have already established peer-to-peer connections. The span of their operations is as diverse as the actors themselves, with targets ranging from individuals to businesses to healthcare organizations to financial institutions. No sector or industry is immune from these actors. Losses include financial assets, intellectual property and other sensitive information that can be monetized for profit. Furthermore, cybercrime has evolved in that it is no longer the sole purview of criminals. It is now also an option for states seeking to steal money to improve their economic status.
Cyberespionage, or cyber spying, is not unique to state actors. Industry competitors have been known to engage in cyber-enabled operations to steal sensitive data or gain sensitive information for an edge. The type of data that is valuable to competitors varies depending on how the offending group is going to use it.
Nation-state threats vary greatly depending on what the actor cares about, such as strategic interests, espionage, stealing intellectual property and more. These groups are typically quieter, so their efforts can last longer.
Hacktivists are typically more anonymous and driven by social justice. Hacktivism melds traditional political activism with the digital space, allowing these groups and individuals to express social and political discontent via cyberspace rather than in-person to pursue their objectives. Because the hacktivist landscape is diverse in its own right, encompassing multiple individuals representing numerous political, religious, economic and environmental constituencies, it is difficult to highlight each group with any fidelity. Hacktivists have been known to use DDoS attacks, doxing and network exploitation, among other types of activities, in their operations against multiple industries and verticals, depending on the intent of the group or individual.
Hacktivism is largely contingent on specific periods of unrest in a hacktivist group or community that translates into online attacks. Therefore, it is difficult to predict when such attacks will occur unless hacktivist groups make public calls for support and set up online resources for operational and logistical planning purposes.
Cyberterrorism is driven by ideology or beliefs. The cyber capabilities of terrorist groups and their online sympathizers remain limited. Many of the attacks attributed to these groups and individuals have been low-level DDoS attacks and web page defacements. However, some groups have demonstrated advanced capabilities in online propaganda, recruitment and obtaining personal information of individuals and posting it online for physical targeting.
While these groups likely possess nascent but growing cyber capabilities, there is evidence linking cybercrime to terrorist funding. While there is limited information on the nexus between the two, cyber-crime-as-a-service offerings in underground forums provide an array of offensive capabilities to interested customers who can afford to purchase them but do not have the capabilities themselves. Like hacktivism, these groups and individuals are likely to conduct operations dependent on geopolitical issues or perceived transgressions.
Preventing a Cybersecurity Attack
Behind every attack is a human. Understanding how actors think as well as behaviors of the possible targets (a great example of this is password resetting or reuse) can go a long way to prevent a possible attack.
Aside from the typical “education and awareness” that is usually referenced as a preventative measure, it is also imperative that digital users understand their footprint. What is out there that can enable malicious exploitation? Additionally, we must strike a balance when understanding new technology before jumping in. There tends to be a false sense of anonymity and “it won’t happen to me” that only serves to create gaps in security measures. Cyber hygiene is everything, as is understanding what you share and where you share it.
With the rise of attacks and a constantly evolving threat landscape, this is also a perfect time for organizations to reset their cyber strategies and leadership roles. Business-driven cyber strategy is a must, and CISOs need the ability to take on a more prominent role and make overarching decisions. The goal should be arriving at mitigation and protection versus reactive panic. Build resilience and a sound game plan for any scenario proactively.
Lastly, we need to think through evolving our security teams to match the evolving landscape, focused on the future of threats rather than the present. Aside from training, this may mean hiring and partnering with experts in the field who can fill gaps you would otherwise find yourself scrambling to cover haphazardly. When filling gaps, open communication and cooperation should be considered. Cooperation with peers and others in the cybersecurity space is an edge we should all take advantage of and participate in actively. We cannot act in isolation and should seek out ways to share our knowledge. This could be through leveraging advisory boards, information-sharing forums and trusted communities established to connect the dots. A strong community that not only consistently reports, but isn’t afraid to work together moving forward, can make the difference in the ongoing cyber battle.
Understanding where to focus efforts is critical to finding and addressing threats at scale. If you’re not sure where to start, don’t go it alone. Combining AI processing, deep learning tools and dark ops operatives, ZeroFox combs through massive datasets across social media, the surface, deep and dark web to deliver relevant intelligence on threats targeting your business, people and sector. Reach out to our team to find out how we can help.