{"id":104,"date":"2024-09-04T06:00:00","date_gmt":"2024-09-04T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=104"},"modified":"2024-09-04T06:00:00","modified_gmt":"2024-09-04T06:00:00","slug":"6-things-hackers-know-that-they-dont-want-security-pros-to-know-that-they-know","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=104","title":{"rendered":"6 things hackers know that they don\u2019t want security pros to know that they know"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security professionals have good insights into the technical tactics, techniques, and procedures (TTPs) that threat actors use to launch cyberattacks. They are likewise well-versed in key defensive strategies, such as prioritizing patching based on risk and implementing a <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">zero-trust<\/a> approach.<\/p>\n<p>But the world of enterprise security collectively seems to remain one step behind the hackers, who continue to successfully launch a growing number of attacks year over year.<\/p>\n<p>Here\u2019s one reason why: many CISOs underappreciate, overlook, and sometimes underestimate all the knowledge that hackers are bringing to the table \u2014 the nontechnical insights that they\u2019re using to gain the upper hand.<\/p>\n<p>\u201cHackers know that the average CISO has a lot on their plates and they don\u2019t have enough [resources] to get everything done. So CISOs really have to pay attention to what hackers are doing and what they know so they can best defend against them,\u201d says Stephanie \u201cSnow\u201d Carruthers, chief people hacker at IBM.<\/p>\n<p>What, then, do hackers know that may not get enough credence? 
Here are six strategies that hackers employ to craft their attacks that may not be on a CISO\u2019s radar, according to security researchers.<\/p>\n<h2 class=\"wp-block-heading\">Organizations don\u2019t train aggressively enough for the way hackers actually attack<\/h2>\n<p>When COVID hit, executives focused on shepherding their organizations and employees safely through the crisis. Hackers, on the other hand, saw an opportunity to exploit.<\/p>\n<p>In fact, hackers willingly seize on any vulnerability they can \u2014 no matter how low, says Erik J. Huffman, founder of cybersecurity services firm Handshake Leadership. They\u2019re willing to take down the CEO, embarrass the CFO, ruin careers, and cripple critical services to get what they want.<\/p>\n<p>\u201cCriminals are stooping to levels we didn\u2019t expect them to stoop to,\u201d Huffman says.<\/p>\n<p>Most CISOs haven\u2019t internalized that fact, even if they\u2019re aware of it, Huffman says. Instead, they generally craft anti-phishing campaigns, security awareness training programs, and security drills that don\u2019t incorporate below-the-belt punches. For example, they generally don\u2019t devise highly personalized emails that mimic targeted phishing campaigns because it might be perceived as an overly aggressive move.<\/p>\n<p>That\u2019s a mistake, and it\u2019s one that hackers exploit because \u201cthey\u2019re willing to attack in ways that CISOs don\u2019t. That means we don\u2019t quite train how the fight is happening,\u201d Huffman says. He advises security executives to devise anti-phishing campaigns, simulations, and drills that more closely mimic the down-and-dirty strategies that hackers use. \u201cTake the gloves off; really challenge your team.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Hackers know the best times to attack based on <em>your<\/em> schedule<\/h2>\n<p>It\u2019s not a coincidence that many attacks happen at the most challenging of times. 
Hackers really do increase their attacks on weekends and holidays when security teams are lean. And they\u2019re more likely to strike right before lunchtime and end-of-day, when workers are rushing and consequently less attentive to red flags indicating a phishing attack or fraudulent activity.<\/p>\n<p>\u201cHackers typically deploy their attacks during those times because they\u2019re less likely to be noticed,\u201d says Melissa DeOrio, global threat intelligence lead at S-RM, a global intelligence and cybersecurity consultancy.<\/p>\n<p>DeOrio acknowledges that many hackers are located in countries whose daytime work hours neatly coincide with the nonworking hours in the Americas and Western Europe. But she says evidence shows hackers do indeed take advantage of that difference by calculating the timing of their attacks.<\/p>\n<p>Additionally, threat actors look for periods of organizational change (e.g., mergers, acquisitions, layoffs) to exploit, says Tomer Bar, vice president of security research at SafeBreach. \u201cThreat actors will try to launch an attack at the most difficult time for the CISO and the blue team.\u201d<\/p>\n<p>Although CISOs generally know that hackers time their attacks, experts say some may be unaware of just how strategic hackers are when it comes to researching and plotting opportune times. Moreover, Bar says CISOs may not be as attentive as they should be to this issue.<\/p>\n<p>To counter this hacker strategy, longtime security leaders advise CISOs to account for it in their own defense strategies. 
They should leverage third-party services during off-business hours to complement the security team\u2019s work schedule, add more automation to boost staff efficiency at all hours, add extra layers of security such as more monitoring or tighter filters at times of heightened risk, ensure priority security work happens before busy times such as holidays, and educate all staffers about the heightened risks that exist during such times.<\/p>\n<p>DeOrio also recommends running an incident response drill as if the incident was happening at a particularly problematic time \u2014 perhaps the middle of the night during summer vacation season \u2014 so that the security team can identify and close any gaps in its response.<\/p>\n<h2 class=\"wp-block-heading\">Hackers gather lots of intelligence on your organization<\/h2>\n<p>Threat actors actively engage in <a href=\"https:\/\/www.csoonline.com\/article\/567859\/what-is-osint-top-open-source-intelligence-tools.html\" target=\"_blank\" rel=\"noopener\">open-source intelligence<\/a> (OSINT) gathering, looking for information they can use to devise attacks, Carruthers says. It\u2019s not surprising that hackers look for news about transformative events such as big layoffs, mergers and the like, she says. But CISOs, their teams and other executives may be surprised to learn that hackers also look for news about seemingly innocuous events such as technology implementations, new partnerships, hiring sprees, and executive schedules that could reveal when they\u2019re out of the office.<\/p>\n<p>Granted, such low-level activities don\u2019t produce the same worker anxiety or organizational confusion that downsizing and M&amp;As do \u2014 and, thus, don\u2019t present the same opportunities for hackers. However, Carruthers says they still create changes that hackers can use to their advantage. \u201cThey all breed opportunities for attackers.\u201d<\/p>\n<p>Carruthers knows firsthand how effective such hacker strategies are. 
Her team of ethical hackers runs exercises that start by gathering information from six months\u2019 worth of announcements, blogs, social media posts, and online forums where employees share their own thoughts. Then her team determines where and how to strike based on that information-gathering, just as hackers would. She says her team might use something positive against the company by crafting a phishing campaign that says a popular employee perk is ending. Or the team might seize on a migration to a new technology to more easily get employees to share login or credential information.<\/p>\n<p>Although CISOs can\u2019t shut off the flow of news, they can counter hackers\u2019 ability to successfully use it against their organizations, Carruthers says. They can monitor OSINT about their organizations, work with other executives on announcements and the timing of those announcements, and run simulations on how such announcements play out from a business perspective. All that helps CISOs and their teams see what hackers see, better understand their thinking and prepare for possible targeted attacks.<\/p>\n<h2 class=\"wp-block-heading\">Today\u2019s corporate culture works in the hackers\u2019 favor<\/h2>\n<p>Security awareness training typically instructs individuals to take time to review emails or think through requests to help determine whether a request is legitimate or suspicious. Yet workplace culture today generally works against that approach, Huffman says. \u201cWe praise ourselves for putting ourselves in an emotional hot state,\u201d he says, pointing to job postings that use phrases such as \u201cfast-paced,\u201d \u201cdynamic\u201d and \u201chigh-intensity\u201d to describe the workplace culture as evidence.<\/p>\n<p>Employees in such environments don\u2019t have \u2014 nor are they encouraged to take \u2014 extra time to evaluate incoming messages (whether they\u2019re via email, phone, video, text, etc.), Huffman says. 
\u201cAnd that\u2019s why hackers are successful: they catch us in constant emotional hot states when you\u2019re clicking through 1,000 emails.\u201d<\/p>\n<p>CISOs and their executive colleagues could create a more secure organization by lowering the temperature.<\/p>\n<p>\u201cMost companies I consult with don\u2019t understand how hard their teams are working and how much pressure their teams are under. They think they have great cultures but little do they know their teams are working overtime. But if they encourage them to slow down, if they can [identify] what can wait for tomorrow, if they could allow people to relax, they\u2019d do better securing [their organization],\u201d Huffman says.<\/p>\n<h2 class=\"wp-block-heading\">Deepfakes really work<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/video\/508864\/what-is-a-deepfake-how-to-prepare-for-and-respond-to-this-cyber-attack.html\" target=\"_blank\" rel=\"noopener\">Deepfakes<\/a> are absolutely good enough to trick employees, as evidenced by reports earlier this year that an employee at British engineering firm Arup was duped by scammers who used a deepfake of the company\u2019s CFO to request a $25-million transfer.<\/p>\n<p>\u201cDeep fakes have been around for almost 10 years but the technology has gotten much better,\u201d says Kev Breen, who as senior director of cyber threat research at Immersive Labs researches new and emerging cyber threats. He notes that audio deepfakes are particularly mature today. \u201cA deepfake video is still hard to do, but it doesn\u2019t take much audio to create convincing clips.\u201d<\/p>\n<p>He says most CISOs are aware that audio and video deepfakes are now good enough to be convincing but many other executives and employees aren\u2019t as aware of this emerging threat. 
And while these deepfake attacks are highly targeted, hackers are counting on that widespread lack of awareness to help boost their success rates.<\/p>\n<p>Although security tools to detect and block deepfakes don\u2019t exist, CISOs can blunt the threat by educating workers on the threat and how to detect possible deepfake audio and video as well as by updating protocols around business processes such as money transfers to ensure those requesting such actions are legit.<\/p>\n<h2 class=\"wp-block-heading\">Companies forget to make controls independent<\/h2>\n<p>Defense-in-depth can boost an organization\u2019s security posture, yet many organizations aren\u2019t getting that benefit because their controls aren\u2019t independent, says Lou Steinberg, founder and managing partner of CTM Insights, a cybersecurity research lab and incubator, as well as a member of MITRE\u2019s Science &amp; Technology Advisory Committee and former TD Ameritrade CTO.<\/p>\n<p>\u201cI\u2019ve seen cases where what should be independent controls are all run on the same box. 
And hackers know when they compromise that one server, they can compromise multiple controls all at once,\u201d Steinberg says.<\/p>\n<p>He also worked with one company where a penetration test revealed that a network control and a non-network control were both running on the same on-premises server.<\/p>\n<p>\u201cBoth controls could get bypassed together, which isn\u2019t good,\u201d he says.<\/p>\n<p>He also has heard of similar scenarios in the cloud, where the credentials for a security control \u2014 such as a <a href=\"https:\/\/www.csoonline.com\/article\/557365\/cloud-access-security-broker-buyers-guide.html\" target=\"_blank\" rel=\"noopener\">cloud access security broker<\/a> (CASB) or a web application firewall \u2014 were the same as the credentials for the organization\u2019s cloud administrator.<\/p>\n<p>Steinberg says closing this security gap is relatively easy: Make sure controls are independent so that a compromise of one doesn\u2019t compromise any others, and the organization truly has defense in depth \u2014 and not just the illusion of it.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security professionals have good insights into the technical tactics, techniques, and procedures (TTPs) that threat actors use to launch cyberattacks. They are likewise well-versed in key defensive strategies, such as prioritizing patching based on risk and implementing a zero-trust approach. 
But the world of enterprise security collectively seems to remain one step behind the hackers, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":105,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-104","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/104"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=104"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/104\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/105"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}