With so much of daily life tethered to digital communication and most of our important information residing in data clouds, we’ve all got a lot riding in this virtual atmosphere. So naturally, the seemingly endless stream of cyber attack reports put everyone on edge. And Hollywood film scripts contribute to our collective tension, creating a shadowy underworld rampant with “cyber-espionage” and high-tech, sophisticated criminals cracking codes and infiltrating impenetrable defenses.
But like a lot of things that influence perceptions via movies and television, the reality is much more mundane. And that, in some ways, maybe even scarier.
“[Cyber-espionage] is not something that is very dramatic, you know?” explains CyberArk Labs lead security researcher Lavi Lazarovitz, a 12-year veteran of the Israeli Air Force and Israeli Intelligence Corp who helped build and expand CyberArk’s security team since joining six years ago. “If you had a camera inside the headquarters of the threat actors, you’d just see a lot of people connecting with basic desktop protocols, just querying data. It’s not dramatic. But what happens on the other side of it is dramatic.”
A distinct lack of drama on the surface is largely what fuels the success of cyber attacks. Verizon recently released its first-ever Cyber-Espionage Report, a deeper dive into the evolving landscape of cyber attacks that build off of its annual Data Breach Investigations Report (DBIR). While both reports found similar, and perhaps not surprising, stats such as the fact that 86% of data breaches were for financial gain, and that more than half (56%) of the time, threat actors are going after credentials to gain a foothold and unlock critical assets. But where the Cyber-Espionage Report goes a little deeper is into the ways in which cyber attacks thrive less on shadowy quick strikes at specific targets, and more on slow, quiet infiltration buttressed by very personal and seemingly normal direct contact with their victims. Add to that simple human error, and you have situations that open up more vulnerabilities that can potentially create even more damage than ransomware and other malware-based attacks.
All Hands on Deck
Threat actors thrive on periods of fluctuation and transition, and the past year has seen an abundance of both as organizations and employees have had to make radical adjustments to where and how they work with little to no preparation. But even prior to the emergency mass adoption of remote work and the added burden – and importance – of privileged access management (PAM), Lazarovitz and his team have seen security become less the domain of specialized experts and more a collective responsibility.
“There are a lot of advantages and disadvantages to the fact that security is not only the business of the security guys,” says Lazarovitz. “Engineers, developers – they now have their hands in a lot of sensitive material. All along here there is sensitive access and secrets and identities that need to be protected.”
Lazarovitz points out that there are benefits to having security concerns as a frequent touchpoint along the production pipeline, too. “It brings more firepower to security. Now security is integrated into each part of the development pipeline. But because many of the developers and stakeholders, in general, are not proficient or skilled enough to manage or configure security, most of the breaches we see are simply based on misconfiguration and mistakes. A misconfigured access to servers, an open firewall…all of these are now managed by a lot of stakeholders, and mistakes are bound to happen.”
The GIF Offensive
Perhaps the most shocking revelation in the Verizon reports is just how much human contact is behind a large portion of cyber attacks. The top three methods – accounting for 67% of all breaches – are phishing/social attacks, human error, and credential theft (which is often the result of No. 1). Lazarovitz puts it in advertising terms, comparing the actions of threat actors to a brand’s “conversion rate” – the more customers they contact, the more likely they are to make a figurative sale. “Personal interaction is something that is known to be very, very effective,” he says. “Social engineering is the leading attack vector when it comes to opportunistic attackers and nation-states – all of them rely on social engineering.”
By now, most people are aware that they shouldn’t open attachments they don’t recognize and most spam filters corral suspicious email addresses, but the recent reliance on remote communication and collaboration applications like Zoom and Microsoft Teams have provided the opportunity for phishing attacks to become more targeted, manipulative and subtle.
Even a friendly-seeming GIF can be a foothold for a threat actor.
“During this COVID pandemic, messaging apps have become a popular way to communicate – and they allow threat actors to make communications appear more personal,” says Lazarovitz. “It’s not just a spamming email or something. Now you get tailored messages, sometimes you get GIFs and you feel more comfortable looking at it, interacting with it, but just viewing it can compromise someone’s identity and let a threat actor gain a foothold.”
As Lazarovitz goes on to explain, attackers rarely home in on one target and “smash and grab” to get it. He describes it as more of a “living off the land” approach, where a threat actor won’t use any outside tools but will utilize an organization’s own administrative tools and communication platforms to appear as normal and non-invasive as possible. Combining that with personalized messages and “normal” interaction, gaining access to credentials, and overcoming access controls becomes that much easier.
It’s why breaches are rarely dramatic events at the outset, and often don’t immediately raise red flags. “The threat actor can use a dormant privileged account to get in undetected, and once within the network, they can reach out to people directly disguised as one of their own employees,” Lazarovitz says, reinforcing the idea that the goal of many cyberattacks is to exist within an organization’s ecosystem for as long as it can, appearing as “normal” as it can. As the Verizon Report indicates, not only does it take an average of months to even years to detect an attack in 69% of breach incidents, but often the breach isn’t even detected by the victim organization itself but rather by a third party.
“These espionage campaigns are very long and slow, they take a lot of time. After conducting reconnaissance, attackers seek out privileged credentials and accounts, then escalate privileges that allow them to move laterally and vertically toward their target, which obviously, in many cases, is sensitive data,” Lazarovitz says.
Threat actors take full advantage of both the growing sophistication of messaging apps and communication software, and their ubiquitous use as organizations implement more remote staff. The flaws are many, and there isn’t what Lazarovitz describes as a “silver bullet” to fix them all.
That’s where post-exploitation research and adversary simulation come in, employing a host of tactics, techniques, and procedures (TTPs) used in real-world attacks to uncover hidden vulnerabilities, test security procedures, and pinpoint areas that need to be improved. Security-focused teams like Lazarovitz’s comprise experts from various backgrounds, harnessing their talents and natural curiosity to think and act like real attackers who’ve gotten inside – helping organizations prepare for real attacks against their infrastructure.
While such teams, which spend almost equal time defending against known threats as they do anticipating the unknown – are vital, cyber-espionage actually benefits the most from the tiny, seemingly innocuous mistakes that everyone is prone to. This is both a source of frustration and a reminder that the threat to our digital lives isn’t necessarily nebulous and inevitable.
The threats we face won’t take the form of elaborate, cinematic attacks. They’ll be mundane, seemingly innocuous, and waiting for the slightest crack to emerge. And that’s why healthy suspicion, constant vigilance, and a “think like an attacker” mindset are the foundation of effective cybersecurity.