John Shier, senior security advisor at Sophos, talks to Saudi Gazette about the cyber threat landscape: cyber threat types and delivery methods, how cybercriminals are using the coronavirus pandemic as bait to launch cyber attacks, and how to protect employees working from home from cyber threats. Here are the excerpts:

Q: What current types of threats do businesses mostly face today?

Shier: The threat landscape today has largely stabilized. With a few exceptions, the most prominent threat groups, threat types and their delivery methods have been consistent for the past couple of years. It consists of nation-state attackers, highly skilled cybercrime organizations, and low-skill opportunistic groups and individuals.

The nation-state attackers are the most difficult to defend against, if it's even possible. They are extremely highly skilled, endlessly patient and enjoy limitless resources. We can however learn from their past tactics and tooling, which ultimately end up in the hands of organized cybercrime. This group is almost exclusively financially motivated and is responsible for most of the threats we encounter. Many of them are highly skilled and well-funded. They are continually looking for the next edge in defeating our defenses. Both tech and humans. They operate botnets and create most of the malware in the wild. The low-skilled, opportunistic criminals contribute to the rest of the noise and distraction in the threat landscape. They rely mostly on automation and older, over-used, and detectable tools.

Email continues to be the preferred mechanism for distributing first-stage threats. Whether this is from infected attachments or malicious links, threat groups are still finding success with email campaigns. Email is also responsible for phishing attacks where the goal is to harvest credentials for resale or use in potentially targeted attacks against organizations.

Many large botnets, such as Emotet, are also used in spreading malware like banking trojans and ransomware. Ransomware continues to be one of the most visible and destructive threats organizations face. Over half of the organizations we recently surveyed admitted to being victims of a ransomware attack.

Data theft is also very concerning for many organizations. The data being stolen can take many forms: intellectual property, credentials, financial information, personal information, customer lists, state secrets, etc. Each type of data can be used to further the attack, published to harm the company, or sold to third parties. Unfortunately, the way data theft manifests itself is sometimes in conjunction with a ransomware attack. This means some organizations are doubly affected. Other threats, such as credential stealers, keyloggers, and phishing attacks, all play a role in abetting data theft. As with ransomware, sometimes these threats operate in concert with each other. For example, the Emotet (info stealer) to Dridex (banking trojan) to Ryuk (ransomware) infection chain.

Q: Is this situation changing in any way in connection with the coronavirus pandemic?

Shier: Cybercriminals have not hesitated to use the pandemic as a pretext for their ongoing campaigns against consumers and businesses alike. In fact, they have always used significant regional or global events as lures in malicious email campaigns and other scams. What makes this event a bit different is both the size of the event and the diversity of potential subjects. We've seen everything from sextortion-like attacks to charitable relief scams. We've seen campaigns targeting academic research organizations and vaccine disinformation. The proliferation of some scams even mirrored the real-world spread of the virus in Western Europe. These lures have been used by traditional scammers, as well as by threat groups responsible for well-known malware such as the Trickbot banking trojan.

The news that Donald Trump tested positive for COVID-19 provides yet another opportunity for scammers and cybercriminals to use as bait for attacks against our wallets, systems, and networks.

Q: How can employees working from home be protected in the best way?

Shier: The primary focus for IT organizations during any disruptive event is to provide business continuity in a safe and secure way. Therefore, the priority is to create and test a continuity plan before disaster strikes. Employee safety might involve closing offices, as we've seen during the pandemic.

With so many people now working from home, ensuring the security of your business means having a solid foundation of security basics implemented. Maintain visibility of all your assets and ensure that patching and vulnerability management systems are functioning as expected. Consider turning on automatic patching for as many systems as is feasible for your business. Enable and enforce multi-factor authentication for cloud services and remote access to internal systems. Provide remote access clients, collaborative tools, and virtual meeting applications so users aren't seeking these tools on their own. Make backups a priority, do them frequently, and periodically test them for efficacy. Finally, ensure that your users know how to report security incidents and make it easy for them to do so.

Q: Have ML and AI technologies proved themselves successful? If so, in what areas, abilities, etc.?

Shier: The use of machine learning, specifically deep neural networks, continues to be one of the most significant drivers of new technologies in security. Machine learning allows us to analyze and process massive amounts of data. Machine learning algorithms can be used to detect threats in executable and other files, such as user-generated documents. They are also useful for detecting malicious websites just by looking at the URI. An algorithm can be used to scan emails for simple spam and phishing campaigns, but also for more dangerous threats like thread-jacking and business email compromise attacks. Taken together, these examples illustrate how machine learning touches every aspect of a user's typical daily experience.

But more than that, these algorithms can learn what normal looks like in an organization and spot suspicious patterns in network traffic, authentication, and user behavior. These types of security products act as an early warning system for organizations. They allow the security team to react to events as they are happening and well before any long-lasting damage can occur.

Q: Is it possible to specify in general a reasonable investment in a quality security solution (e.g. a % of turnover or otherwise) that a company should make?

Shier: There is no simple rule that dictates how much a company should invest in security. There are too many variables and factors involved in making a security budget decision. Things to consider are the sector you are in, the size of your business, reliance on technology, risk tolerance, and location.

The sector you are in might determine the minimum investment you have to make to meet industry-specific compliance regulations. A good example of this is the financial services industry. The size of your business, in both people and geographical measures, will mean that larger global companies are spending much more than smaller local ones. If your business is 100% digital, you will spend more money on security to protect against downtime. Some businesses choose to accept more risk than others, and therefore can spend less on security. Finally, the country where you are based or the countries you do business with might force you to implement security controls by law. All of these give you a starting point, but how far you need or want to go is up to individual businesses to determine.

Q: Is it still true that the employee is the biggest risk? If so, how should this "risk" be dealt with?

Shier: End users present a risk, but they are also one of your biggest assets when it comes to early detection and prevention of attacks against your organization. The way you deal with this risk and turn it into an asset is by creating and fostering a robust security culture in your organization.

Doing security right is difficult. That's why we always say there's no "silver bullet" in security. A good start, however, is building a solid security foundation. This includes having the right people, processes, and tools in place to give you a fighting chance. A robust security culture ensures everyone is "on duty" when it comes to protecting the enterprise. Clear, easy-to-follow, and conservative processes will prevent simple mistakes from harming your business. Using the very latest prevention and protection technologies will defend your organization against attackers when the first two fail. Taken together, these three are just a starting point on the never-ending road to a mature security program.

At Sophos we use the very latest security technologies to prevent, detect and remediate threats. But more than that, we also ensure that every employee has security in mind when going about their daily tasks. Training and awareness programs, repeated security assessments, and code reviews, to name a few, all contribute to a more secure Sophos. It's not just about developing and deploying secure code, which is paramount, but also making sure that everyone knows they play a part in making sure Sophos is secure. — SG