“It was just an accident!” It’s a common phrase, and cybersecurity is no exception. An accidental threat to data can bring an entire organization to its knees. Classifying a threat as either ‘malicious’ or ‘accidental’ may seem like semantics, but a clear understanding of the difference helps when identifying potential threats and mitigating risk.
Accidental threats are closely tied to tailored attacks such as phishing, social engineering and even ransomware. According to Verizon’s “2021 Data Breach Investigations Report,” phishing rose by roughly 11 percentage points and was present in 36% of breaches this year, and ransomware also increased. The costs are evident on many levels and go beyond dollar signs alone. The report also notes that losses from computer data breaches had a median of roughly $30,000, with 95% of cases falling below about $1.6 million. Of the breaches analyzed, 85% involved a human element, which maps directly onto your everyday “accidental threat.” This broad term covers any attack with a social component: business email compromise (BEC), phishing, lost or stolen credentials, or malware triggered with a single click. All of these can be traced back to a typical accidental threat to data.
We spoke with Neera Desai, ZeroFox Senior Threat Researcher, to take a deeper dive into these types of accidental threats to uncover exactly how they stand apart, the risks they pose, and some of the best ways to disrupt what might be headed your way.
What is an Accidental Threat to Your Data?
Where a malicious threat intends to do the organization harm, the accidental threat is rooted in the human element. A perfect example is falling for a clever phishing email and unintentionally clicking a malicious link. Phishing attacks succeed as often as they do, and remain as prevalent as they are, because of this human factor.
Accidental threats also include vishing scams, accidental data leaks, and more. With the way cyber threats are evolving, avoiding these attacks can be tricky, but a few rules of thumb help. Take time to consider what information you share, what you click on, and how it could affect you or your organization. A threat actor going after someone’s personal information through phishing doesn’t need an elaborate scheme such as spear phishing; a generic email can be enough to launch the attack. In other cases, the scam is more sophisticated and impersonates a brand the target already trusts. Either way, the accidental threat comes into play because the lure looked authentic enough for the victim to click and trigger the rest of the chain. The attacker now holds potentially sensitive financial and personal information because of that one simple mistake.
Another critical element of accidental threats to data is social engineering. Over the past several years, ZeroFox has identified and remediated tens of thousands of social engineering profiles and fake accounts impersonating our customers. These accounts spoof a company’s brand or executive persona, hijack its logo, messaging or product photos, and mimic the authentic account in order to attack employees and defraud customers. Social engineering is the added layer of sophistication where an attacker folds these elements into the lure to convince the victim to take the next step in the attack. It can be as simple as sending someone a LinkedIn request claiming to work for the same company, in an effort to connect and further convince the victim to do whatever the attacker instructs.
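A first-pass check for the impersonation accounts described above, as an added example that is not ZeroFox code: it normalizes candidate handles (case, separators, accents, a few Cyrillic homoglyphs and common digit-for-letter swaps) and flags those that either sit within one edit of a protected handle or embed it wholesale. The protected handles, the candidate list and the confusable table are constructed for illustration.

```python
"""Flag handles that look like, or embed, a protected brand handle.

Added example, not ZeroFox code. The brand list, candidate handles and the
substitution table below are constructed for illustration; a production
table would be far larger (see Unicode TR39 confusables).
"""
import unicodedata

# Multi-character swaps must run before single-character ones ("rn" -> "m").
MULTI_CONFUSABLES = {"vv": "w", "rn": "m"}
SINGLE_CONFUSABLES = {
    "0": "o", "1": "l", "!": "l", "|": "l", "3": "e", "5": "s", "$": "s",
    "@": "a", "4": "a", "7": "t",
    # Cyrillic letters that render identically to Latin ones (assumed subset).
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
SEPARATORS = "._-"


def normalize(handle: str) -> str:
    """Canonical form used for comparison: lower-case, accents and separators
    removed, look-alike characters mapped to the letter they imitate."""
    s = unicodedata.normalize("NFKD", handle.lower())
    s = "".join(c for c in s if not unicodedata.combining(c) and c not in SEPARATORS)
    for src, dst in MULTI_CONFUSABLES.items():
        s = s.replace(src, dst)
    return "".join(SINGLE_CONFUSABLES.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(candidates, official_handles, max_distance=1):
    """Return (candidate, official_handle, reason) for every candidate that is
    not the genuine account but resembles one after normalization."""
    genuine = {h.lower() for h in official_handles}
    official_norm = {normalize(h): h for h in official_handles}
    hits = []
    for cand in candidates:
        if cand.lower() in genuine:
            continue  # the real account itself is never an impersonator
        n = normalize(cand)
        for norm, real in official_norm.items():
            d = levenshtein(n, norm)
            if d <= max_distance:
                hits.append((cand, real, f"lookalike(distance={d})"))
                break
            if norm in n:
                hits.append((cand, real, "embeds brand"))
                break
    return hits


# Constructed sample data.
OFFICIAL = ["ZeroFox", "AcmeBank"]
CANDIDATES = [
    "ZeroFox",            # genuine
    "Zer0Fox",            # digit swap
    "zero-f0x",           # separator + digit swap
    "ZeroFox_Support",    # brand embedded in a "support" handle
    "\u0410cmeBank",      # Cyrillic capital A
    "acrnebank",          # "rn" for "m"
    "Acme_Bank_Help",     # brand embedded
    "weather_daily",      # unrelated
]

if __name__ == "__main__":
    for cand, real, why in find_lookalikes(CANDIDATES, OFFICIAL):
        print(f"{cand!r:20} -> impersonates {real}: {why}")
```

Edit distance alone misses the very common “brand_support” pattern, which is why the embed rule is there; conversely the embed rule will fire on legitimate fan or reseller accounts, so in practice these hits feed an analyst queue rather than an automatic takedown.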
Passwords are another major factor in accidental threats. At scale, threat actors go after the lowest-hanging fruit. They harvest the information we share ourselves on social media for their phishing campaigns. They replay credentials from previous breaches, knowing that many users reuse the same password across multiple accounts. They keep using malicious documents and BEC techniques that have worked for decades. They watch what works and how, so they only have to produce the bare minimum of original material to succeed. Whether you focus on the external malicious threat or the internal accidental threat, the two often go hand in hand.
You can protect yourself as much as possible, but sometimes it is up to the organization to protect you as well. Consider third-party threats. You can do everything in your power to keep your passwords secure and train yourself to recognize threats, and then your credit card company announces a data breach and your information has been compromised. It’s difficult for a single person to avoid accidental threats when something out of their hands happens externally. In those cases it isn’t really the end user’s fault. This is where the organization must step in and ensure it has the proper measures in place.
How to Protect Against Accidental Threats?
Ultimately the goal is to prevent any threat from impacting your organization, and for unintentional threats or accidents the approach is much the same. To stop external attacks from reaching your employees, implement cybersecurity awareness training that equips the workforce to recognize what a threat looks like and escalate to the security team. For the technology or security team, the task is to keep malicious emails from affecting the corporate network, or from reaching employees at all. Picture your organization living in a castle under attack: you set up defenses to keep the attacker from getting inside, and in the same way you want to stop attackers from infecting your network before they ever reach your people. It boils down to building those defenses and training employees to recognize the methods an attacker may use to trick them into giving up data or infecting their machine.
I was part of a group of ZeroFox researchers and analysts who authored the “The Future of Digital Threats: 2020 Insights, 2021 Predictions” report published earlier this year. One of the interesting sections discussed how fatigue from the pandemic and working from home could lead to additional risks. It is also likely that the return to the office will increase the risk that services hastily stood up to enable remote work are left orphaned, not adequately decommissioned, maintained or even remembered by security teams. These are all perfect examples of modern-day risks when it comes to accidental threats to data. Some software will no longer be required, and security resources are likely to be strained while adjusting to yet another new normal. Any company that lacks a comprehensive plan to maintain or decommission remote infrastructure, including an inventory of software that persists but is not regularly used, is effectively leaving backdoors into its network for adversaries to exploit. Given the current climate of the pandemic and everything that resulted from it, there are many insights there to draw upon when thinking through the human element and accidental threats. This has put a spotlight on the risks outside the typical security perimeter and forced security teams to think outside the box and consider all aspects of the organization and its associated risks.
As we have seen every year, the balance between defenders and threat actors continues to change. Often the trends we observe are directly linked to the move-counter-move nature of the struggle we are all in. We have seen threat actors essentially double down on existing capabilities, challenging defenders to stop them. In 2021, security teams must once again rise to the new challenges posed by these threat actors.
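A minimal inventory triage for the orphaned remote-work services described above, as an added example that is not code from the ZeroFox report: each record in a constructed asset inventory is checked for a missing owner, for activity older than a retention window, and for administrative ports exposed to the whole internet, so the hastily built jump host nobody remembers surfaces at the top of the list. The record format, the port list and the 90-day window are assumptions.

```python
"""Triage an asset inventory for orphaned or over-exposed services.

Added example, not ZeroFox code. The inventory records below are constructed;
a real run would pull them from the cloud provider or CMDB. The rules are
deliberately simple: no owner, no recent activity, admin port open to 0.0.0.0/0.
"""
from datetime import date

ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM (assumed set)
STALE_AFTER_DAYS = 90                  # assumed retention window
ANYWHERE = "0.0.0.0/0"


def evaluate(record: dict, today: date) -> list:
    """Return a list of human-readable findings for one inventory record."""
    findings = []
    if not record.get("owner"):
        findings.append("no owner recorded")

    last_seen = date.fromisoformat(record["last_activity"])
    idle_days = (today - last_seen).days
    if idle_days > STALE_AFTER_DAYS:
        findings.append(f"no activity for {idle_days} days")

    for rule in record.get("ingress", []):
        if rule["cidr"] == ANYWHERE and rule["port"] in ADMIN_PORTS:
            findings.append(f"port {rule['port']} open to the internet")
    return findings


def triage(inventory: list, today: date) -> dict:
    """Map each asset name to its findings, keeping only assets with at least one."""
    result = {}
    for record in inventory:
        findings = evaluate(record, today)
        if findings:
            result[record["name"]] = findings
    return result


# Constructed inventory: three hosts stood up during 2020 remote-work rollout.
INVENTORY = [
    {"name": "rdp-jumpbox-covid", "owner": "", "last_activity": "2021-01-05",
     "ingress": [{"cidr": ANYWHERE, "port": 3389}]},
    {"name": "ci-runner-temp", "owner": "platform-team", "last_activity": "2020-11-10",
     "ingress": [{"cidr": "10.20.0.0/16", "port": 22}]},
    {"name": "hr-portal", "owner": "hr-apps", "last_activity": "2021-05-30",
     "ingress": [{"cidr": ANYWHERE, "port": 443}]},
]
AS_OF = date(2021, 6, 1)

if __name__ == "__main__":
    for name, findings in triage(INVENTORY, AS_OF).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The point of running this on a schedule rather than once is the inventory itself: a host that never appears in the list cannot be triaged, so the decommissioning plan has to start with enumeration, not with rules.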
To mitigate trends we see forming in 2021, accidental or otherwise, security teams should take the following steps:
- Enable two-factor authentication for all accounts. Ensure employees use strong, unique passwords and do not reuse them across services. Have them check whether their accounts have appeared in a breach; if an email address has been involved in one, update the password associated with that account as soon as possible.
- Training and education on cyber threats. The workforce should be equipped to recognize and report when malicious activity might be underway. Ensure there is a process in place to escalate to a security or technology team for mitigation.
- Protect against ransomware. It is no longer sufficient just to make network backups. Teams should encrypt their data at rest so that stolen copies are less useful for doxing or extortion, and store backups on separate networks so that an intrusion cannot corrupt them along with the production data.
- Focus on technical intrusion chains rather than attribution. Knowing who did it might be satisfying, but understanding how tools and capabilities augment each other and the common linchpins of operations should be more effective in disrupting intrusions.
- Maintain security best practices and enforce security controls on the creation of new instances. Cloud computing, for example, is not being hacked in new or novel ways. Threat actors simply take advantage of poor configurations and errors, often created by incomplete security coverage: an accident waiting to happen. Maintain and enforce the same security controls on the cloud as you do on your traditional tech stack.
- Plan for the future. If your company is not committed to remote-first as a new business model, start planning how to secure and decommission the infrastructure currently sustaining your operations. The more services that remain alive but unmanaged after people are in the office, the more likely you are to have a self-inflicted compromise.
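The breached-password check recommended in the first item of this list, and the credential reuse described earlier in the post, as an added example that is not ZeroFox code. It uses the k-anonymity pattern of the Have I Been Pwned Pwned Passwords range API: only the first five hex characters of the password’s SHA-1 are sent, the service returns every suffix sharing that prefix, and the match happens locally. The range lookup here is a constructed in-memory stand-in for the real endpoint, and the sample credential set is constructed too.

```python
"""Check passwords against a breach corpus without revealing them, and find reuse.

Added example, not ZeroFox code. `fake_range_lookup` stands in for the
Pwned Passwords range endpoint (GET /range/<5-hex-prefix>), which returns
"SUFFIX:COUNT" lines; swapping in a real HTTP call is the only change needed.
The breached corpus and the account list are constructed for illustration.
"""
import hashlib
from collections import defaultdict


def split_hash(password: str):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only `prefix` ever leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed breach corpus: plaintexts and how often each appeared in leaks.
_CONSTRUCTED_CORPUS = {"password": 3730471, "letmein": 258000, "Summer2021!": 12}
_RANGE_DB = defaultdict(list)
for _pw, _count in _CONSTRUCTED_CORPUS.items():
    _p, _s = split_hash(_pw)
    _RANGE_DB[_p].append(f"{_s}:{_count}")


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for the range API: everything the service knows for one prefix."""
    return "\r\n".join(_RANGE_DB.get(prefix, []))


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """How many times the password was seen in breaches (0 if never)."""
    prefix, suffix = split_hash(password)
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def find_reused(credentials) -> list:
    """Group accounts that share a password. Input is (account, password) pairs;
    only a hash of each password is kept while grouping."""
    groups = defaultdict(list)
    for account, password in credentials:
        groups[hashlib.sha256(password.encode("utf-8")).hexdigest()].append(account)
    return sorted(accounts for accounts in groups.values() if len(accounts) > 1)


# Constructed set of an employee's saved logins.
SAMPLE_CREDENTIALS = [
    ("corp-vpn", "Summer2021!"),
    ("corp-email", "Summer2021!"),
    ("personal-bank", "xq7#Vt9!pLw2zR"),
    ("github", "xq7#Vt9!pLw2zR"),
    ("wiki", "tY4$mN8@kQ1vZb"),
]

if __name__ == "__main__":
    for account, pw in SAMPLE_CREDENTIALS:
        n = breach_count(pw)
        print(f"{account:14} breached={n}")
    print("reused across:", find_reused(SAMPLE_CREDENTIALS))
```

Two details matter in practice: the real service pads responses so that a prefix with few matches does not leak how many it has, and the check is on exact plaintext, so a password that is one character away from a breached one passes even though a credential-stuffing tool would try that variation next.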
The ZeroFox team continues to produce informative resources and engaging events to help security teams and organizations as a whole navigate unknown territory as the landscape continues to evolve. To learn more about the top threat trends from 2020, as well as predictions on the tactics and techniques expected to increase in 2021, download the free ZeroFox report on The Future of Digital Threats. If you missed our panel discussion related to the report, it is now available to watch on-demand.