Ryan Pullen, Head of Cyber Security at Stripe OLT asses the current state of cyber breaches and offers prevention measures to UK businesses.
In our ever-evolving digital landscape, staying on top of emerging threats is no easy feat, especially for small to medium-sized enterprise (SMEs).
In the recent UK gov report, Cyber Security Breaches Survey 2022, results show that in the last 12 months, “39% of UK businesses identified a cyber attack” and at Stripe OLT, we only know this too well.
Advanced phishing attacks
Phishing emails are becoming more advanced, persistent and targeted with personalisation and geo-targeting increasing, they’re even more of a risk to organisations. The Cyber Security Breaches Survey, notes “that of the 39% of UK businesses who identified an attack, the most common threat vector was phishing attempts”.
At Stripe OLT, we’ve seen an increase specifically in OAUTH Phishing (Open Authorisation), which is essential when you’re sent an email that wants you to sign into a specific platform.
These seemingly professional OAUTH phishing emails (sometimes masquerading as an Office 365 message), prompt the user to use a single sign-in solution, ultimately with the goal to obtain the user’s login details. Once these have been obtained you have compromised remote access details.
With these details, hackers can either use them to steal data directly or sell the details online for a fee – confirmed remote access accounts reach high pay-outs and this is becoming an attractive business model for many hacker groups, such as LAPSUS$.
There are many reasons why Multi-Factor-Authentication (MFA) should be in place and although it cannot completely prevent a breach, it’s much harder to bypass even if details are available to purchase on the dark web.
Compromised remote access details
There are plenty of open-source tools available for network vulnerability scanning and they aren’t always used by the good guys… If your external facing endpoints are vulnerable, hackers can utilise these tools to identify weaknesses enabling them to exploit a system, such as remote access protocols, there are various ways to do this, but commonly we find:
• Scanning the Internet for IP addresses that host vulnerable services such as Remote Desktop Protocol (RDP) that are open to the public. It is definitely not ok to leave RDP exposed on the internet. The risks of such exposure are extremely high and RDP is only meant to be used across a local area network (LAN).
• Running a password-cracking tool – unfortunately, there are still some services that store unencrypted or weakly-encrypted passwords on their servers and when these come under a brute force attack (trial and error to crack passwords), they can fall very quickly if the passwords are easily guessable.
Once a malicious actor has successfully gained remote access, they can wreak havoc. From uploading malware to holding your systems to ransom, hackers have access for as long as they stay undetected.
Many have been known to stay for long periods of time, waiting to strike at the right moment, according to IBM, in their recent breach report, the average mean time to detect malicious activity was 250 days after the initial compromise took place. That’s 8 months (on average) of malicious activity hiding within a system.
Businesses use application programming interfaces APIs to connect various services and to transfer data between systems and if configured incorrectly, hackers can use APIs to their advantage. There are a number of different types of API attack vectors and these are only on the increase. Recently we’ve witnessed:
•Broken Access Controls – Access control policies ensure that users cannot perform acts outside of their set permissions (for example, access to specific documents within a network). However, sometimes there are vulnerabilities present within these parameters and they can be altered. When this happens, an unauthorised user can gain access to sensitive data and IF they gain access to a privileged function, this can give them the ability to gain access to multiple areas within the network.
•DDoS Attacks – A denial-of-service attack is a cyber attack on a specific server or network in which the malicious actor seeks to make a machine or network resource unavailable to its users by flooding it with traffic, overwhelming the system and halting services.
•SQL Injection Attacks – SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for database exploitation and thus access to hidden information. This information may include any number of items, including sensitive company data or customer details.
Sophisticated social engineering TTPs
Social engineering is the term used for a wide range of malicious activities, achieved by exploiting human behaviour. But, what makes social engineering so dangerous is that it relies on human error, the number one cause of a data breach.
Rather than relying on vulnerabilities in software and operating systems, mistakes made by genuine users are much less predictable and harder to control and we’ve witnessed social engineering tactics, techniques and procedures (TTPs) becoming more and more sophisticated.
Gone are the days where you just had to look out for a malicious link – scammers and hackers take their time to assess what information they need, who they need to target and how to get what they want before they strike.
They formulate near-perfect, scripted routines and messages (be it via text or a direct call) in line with other well-known company processes and often it’s hard to tell whether they’re offering genuine support or not.
From malicious cold-calls to scareware and spear phishing, social engineering attacks underpin almost all human-based security errors and unfortunately, we’re in the age of the digital wild-west. Without adopting a zero-trust mindset, alongside robust security policies and procedures, anyone can become a victim.
Supply chain attacks
We all regularly hear about third-party, supply chain attacks in the news; the recent August attack against the NHS 111 service once again highlights how it’s not just a business that can suffer and that the frequency of these attacks is only increasing.
In it’s most basic form, a supply chain attack is when a malicious actor uses either an outside provider or business partner, that has access to a particular system or company data, to then enter their infrastructure. Once they’ve gained entry, they can insert malicious code or software that will compromise it in some way.
Many businesses are starting to understand the risks suppliers may pose, but danger also lies in a lack of understanding from wider business users. It’s almost impossible to know about all the data your wider supply chain holds, nor the other businesses that they are supporting, so ensuring all business personnel follow a zero-trust mindset is crucial.
Quick win solutions
It’s not all doom and gloom – although threats are evolving, there are ways to improve your security posture quickly. Prevention is always better than cure and there are cyber security essentials every business can adopt, without requiring massive internal resourcing.
Educate your employees – Build a company culture that talks about and understands, the risks that come with bad cyber hygiene. In a recent ISACA survey, 43% of respondents indicated that their organisation experienced more cyber-attacks in the last year, however, only half of these respondents believed that was likely that they’ll suffer an attack in the next 12 months…
Whether you have already fallen victim or believe it will never happen to you, ignorance is not always bliss. Senior leaders need to take accountability for the level of awareness in their organisations – human error is still the number one cause of a breach, but you can turn this weakness into your first line of defence with proper training.
Gain visibility over your assets – Knowing what data, systems and devices are accessible within your business, both on-premise and in the cloud is a massive win when dealing with a potential breach. Knowing what you have and what you need to protect is fundamental when building a security strategy.
There are multiple ways to gain visibility over your assets and this starts with an internal audit and log of all company devices and any additional hardware (servers, etc.). Once you have a complete list, you can begin a risk register to identify what or who could pose a potential risk.
Adopt a zero trust approach – The term ‘zero trust’ does not refer to specific technology but rather an overarching approach to network security. It is a security framework that believes no one should be automatically granted access to a network, but instead strict identity verification is required for every user and every device.
The model essentially acts under the impression that all users and devices trying to access the network are threats and this approach should be adopted across your entire infrastructure in order to manage risks adequately.
Even starting with the basics, like implementing MFA and conditional access policies, are a great place to start. Zero trust teaches us to ‘never trust, always verify and this is something we live by at Stripe OLT.
For more information, visit: stripeolt.com
This article was originally published in the September 2022 edition of Security Journal UK. To read your FREE digital edition, click here.