With the number of cyber-attacks growing in prominence every day from the reputational ruin of organisations overnight to the manipulation of election results, the threat cybercrime presents to us all should not be undervalued.
Speaking in 2017, billionaire businessman Warren Buffett said: "I don't know that much about cyber, but I do think that's the number one problem with mankind." Buffett even went on to predict that cyber-attacks could become a more significant threat to humanity than nuclear weapons. (Business Insider)
In this guide, we look at what a cyber security threat is, different cyber attack techniques, and common cyber threats and how to defend against them. We then go on to explain the critical importance of cyber threat intelligence (TI) looking at what it is, different characteristics, and how you can obtain it to support your cyber strategy.
What is a cyber security threat?
A cyber threat has the potential to exploit a vulnerability and breach security. The danger could then cause harm to an organisation or an individual.
The National Institute of Standards and Technology (NIST) in the United States of America define threat as:
Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image, or reputation), organisational assets, or individuals through an information system via unauthorised access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.
The different methodologies used in cyber-attacks tend to group into three distinct approaches as detailed below: NB. For details of the common threat actors behind cyber attacks and a list of cybersecurity threats most often encountered skip to the proceeding sections of the blog.
- Prevent data access - Stopping a target from accessing their data is repeatedly used in the form of Denial of Service (DDoS) and ransomware cyber attacks.
- Data theft - Cybercrime incidents like credit card fraud, ID theft or theft from cryptocurrency often originate from Nation-state supported crime. The threat actors are sponsored to obtain confidential information for economic, military, or political advantage.
- Data sabotage - Integrity attacks strive to sabotage data and are often motivated to cause damage to a company’s reputation by disrupting or stopping its services. The attacks are often subtle in nature, and the criminals range from script kiddies to nation-state perpetrators.
Common cyber threats and how to defend against them
With cyber threats and attack techniques advancing, we look at seven types of the most common cyber threats to watch out for:
- Advanced persistent threats (APT)
- Distributed denial of service (DDoS) attack
- Drive-by download attack
- Man in the middle (MiTM) attack
- Phishing attacks
Plus an overview of the primary threat associated with social engineering, social media and unpatched software.
Advanced persistent threats (APT)
What are APTs?
- An APT or advanced persistent threat is a collection of covert non-stop computer hacking attacks, planned by a lone criminal or a group of criminals targeting a specific entity such as a private organisation
- The attacker(s) use ‘advanced’ threat techniques with malware to exploit vulnerabilities in systems
- An APT is often politically motivated and can play-out ‘persistently’ over a long period
An example of an APT attack:
Seasalt APT attack - Seasalt is a new surge of APT cyber-attacks launched against South Korea, the US and Canada. The attacks appear to connect to a cybercriminal group with associations to the Chinese military. (ZDNet)
How to protect against an APT attack?
While APT activities are characteristically stealthy and difficult to detect, by carrying out these steps, they can become more accessible to identify:
- Monitor the command and control network traffic
- Conduct deep log analysis
- Cross-reference logs from the various sources
- Use agents to collect records from transmission control protocol (TCP) and user datagram protocol (UDP)
- Utilise a security information and event management (SIEM) tool to correlate and analyse logs
- Filter out the non-legitimate traffic
- Apply good asset management to detect new files on the network
Distributed denial of service (DDoS) attacks
What is a DDoS attack?
A distributed denial of service (DDoS) attack, characteristically inundates a network source with requests, eventually overthrowing it and taking it offline
- DDoS attacks often attack the system’s resources
- The DDoS attackers use malicious software which they control and launch from a range of host machines
- Often the goal of DDoS is‘service denial’
- Sometimes the objective of DDoS is to take a system offline and to commence a new attack through the technique ‘session hijacking’
- A DDoS attack is also known as a denial of service (DoS) attack
Examples of DDoS attacks:
The most prolific types of denial of service attack:
- ping-of-death attack
- smurf attack
- TCP SYN flood attack
- teardrop attack
How to protect against a DDoS attack?
DDoS attacks can take many forms, to mitigate their power consider these security tactics to build an infrastructure that is distributed, hardened, and as secure as possible:
- Purchase more bandwidth to prevent a flood of requests that your server capacity will not be able to handle
- Aid load balancing by increasing the number of servers across multiple datacentres
- Lock down your DNS server to protect it from being targeted
- Protect your DNS behind the same type of load balancing as your website
- Utilise content delivery networks to serve files to customers
- Ensure routers drop junk packets
- Block internet control message protocol (ICMP) if you do not need it
- Set-up good firewalls and block everything you can at your network border
- Protect your network from SYN attacks
- Consider caching servers to provide as much static content as possible
- In the event of an attack replace dynamic resources with static ones
- Utilise detection systems
Drive-by download attacks
What is a drive-by download attack?
Drive-by download attacks are a common technique for distributing malware.
- Insecure websites are targets for malicious scripts that get added to the sites HTTP or PHP code
- Scripts install malware straight onto the device after a user visits the infected site
- Alternatively, victims could be re-directed to a website controlled by the hackers
- Drive-by downloads can occur from visiting a website or opening an email or a pop-up window
- In a drive-by attack, criminals do not rely on a users interaction to infect their device
- A drive-by download takes advantage of apps, operating systems or web browsers which suffer from security errors
An example of a drive-by download attack:
Issaquah drive-by download attack
A city in the US state of Washington becomes locked down for four days by a drive-by download attack (Hacker News)
How to protect against a drive-by download attack?
- Keep browsers and operating systems current to avoid falling victim to drive-by attacks
- Avoid websites that might contain malicious code
- Concentrate browsing on your regular sites
- Avoid hoarding unnecessary programs and apps on your device
- Reduce the number of plug-ins on your device
Man-in-the-middle (MiTM) attack
What is a man-in-the-middle (MiTM)?
A man-in-the-middle (MiTM) attack strikes once an attacker places themselves between the communications of a client and a server.
- The attacker secretly relays and possibly alters the messages between two parties who believe they are communicating directly
- Active eavesdropping is a form of MiTM
- During eavesdropping, the criminal manipulates and controls the communication
- The criminal is intercepting all relevant messages passing between the two victims and adding new ones to the conversation
- Attackers often use the reception range of an unencrypted wireless access point (Wi-Fi) to insert themselves as a man-in-the-middle
- MiTM fails when the attacker cannot overcome cryptographic protocols such as endpoint authentication or thallium perfusion scan (TLScan) or mutually trusted certificate authority
An example of a MiTM attack:
In 2015, a gang of 49 criminals were convicted of MiTM offences towards banks across Europe (NakedSecurity)
How to protect against a MiTM attack?
We recommend that you introduce public key infrastructure (PKI) technology to your network to avoid your organisation falling prey to man in the middle attacks. PKI can help you as follows:
- Through secure/multipurpose internet mail extensions (S/MIME) you can encrypt your emails making sure they only reach the intended recipient
- S/MIME also provides digital certificate technology unique to every user as it links to your virtual identity
- Authenticate certificates on all employee machines and devices
- Upgrade to a hypertext transfer protocol secure (HTTPS) website certificate through secure socket layer (SSL) or transport layer security (TLS)
- TLS certificates can also link your domain name and your organisational identity to increase visitor trust of your website further
- Avoid mixed content on your website or page element loading over an HTTP protocol
- Ensure third-party links are from HTTPS sites
- Login forms should also be HTTPS protected to avoid credential hijacking
- Hyperlinks in your website should use the HTTPS protocol
- Configure your server correctly by using the best practices for protocols and algorithms
- Implement HTTP strict transport security (HSTS)
What is a malvertising attack?
Malvertising is a hybrid term for ‘malicious advertising’ and uses advertising to distribute malware on the internet.
- Criminals archetypically inject malicious adverts into genuine online advertising groups and websites
- Online advertising draws hackers because it offers the opportunity to exploit high-profile and reputable sites
- Malvertising can be planted into a webpage and spread through a system unsuspectingly
- Malvertising does not require the user to take action. Instead, the malware silently transports website adverts
- The Online Trust Alliance reported in 2012 that an estimated ten billion advert impressions were exposed to malvertising
An example of a malvertising attack:
Amazon malvertising campaign - Earlier this year, Amazon was the victim of what it called a ‘sophisticated and widespread’ malvertising scheme to deceive its customers (GeekWire)
How to protect against a malvertising attack?
To mitigate against malware ridden adverts users are advised to:
- Download anti-virus software
- Participate in increased levels of security awareness
- Deploy advert blockers
- Download browser extensions that alert towards malvertising campaigns
- Encourage companies to scan adverts before placing them live on their website
- There is a call for publishers to lead the fight in eradicating malvertising
Email phishing attacks
What is an email phishing attack?
During a phishing attack, the attackers distribute emails to the victim that are look-alikes from a trusted source. However, they indeed derive from a criminal who is attempting to steal information or manipulate users.
- Phishing blends social engineering and deception
- The email could contain a link that loads malware onto your device
- However, the email may also have a goal of directing the recipient towards an unlawful website
What is spear phishing?
Spear phishing is a targeted form of a phishing campaign.
- Criminals research their victims and form email campaigns that are personal and targetted
- By its nature, spear phishing is challenging to spot and defend against
Examples of phishing attacks:
- An example of spear phishing is email spoofing when the ‘From’ part of the email is falsified to appear legitimately from one of your contacts
- Website cloning is another example that occurs when a real website is copied to trick the users into entering personally identifiable information (PII) or their username and password
How to protect against a phishing attack?
Adopt these techniques across your organisation to reduce your organisation’s risk of being breached through phishing:
- Analyse emails for legitimacy by checking the email headers are always correctly populated and that the reply email domain is the same as the original email
- Hover over the links to see where the link would take you before clicking onto it
- Create a test environment for checking suspicious emails and untrustworthy links
What is ransomware?
Ransomware encrypts (code) a target's data and demands a ransom to decrypt (decode) it.
- Ransomware is a variety of malware that prevents victims from accessing their data
- The criminals then threaten to publish or delete the information unless the victim pays a ransom
- Some ransomware attacks are not that sophisticated so the system can be unlocked easily
- In an advanced attack, hackers use ‘cryptoviral extortion’ to encrypt files and then force victims to surrender to the scam to obtain a decryption key
An example of a ransomware attack:
Ransomware attacks are reported daily in the news. However, one of the most significant ransomware attacks to hit the headlines was WannaCry, which reportedly cost the UK national health service (NHS) £92 million.
How to protect against a ransomware attack?
Here are some examples of defensive actions you can take to mitigate against a ransomware attack:·
- Use software and security policies to block known payloads and prevent infection
- Store offline backups of data separate from any contaminated computers
- Install security updates issued by software vendors
- Practice cyber hygiene
- Use caution when opening email attachments and clicking on links
- Segment critical computers from the networks
- Disconnect infected machines from all networks
- Organise security awareness programs for all staff
- Deploy malware surveillance tools
- Set-up file system defences against ransomware
- Utilise file decryption and recovery methods where possible
Other frequently occurring cyber threats
Ensure you train your employees through security awareness education about the dangers of social engineering. Whether it be online, on the phone, in the mail or in person, employees are tricked every day by hackers looking to exploit vulnerabilities in your biggest weaknesses – people.
Social media threats
Catfishing is rife in both the dating world and in business. Catfishing occurs when a user creates a fake social media account to exploit other users. Be vigilant what you disclose on social media as it can be easily used to a criminals advantage.
Failure to patch a system or a network is like leaving your organisation’s back door open to intruders. If you fail to patch a vulnerability and an attacker deploys a zero-day exploit against you and your company, you are open to negligence. Patching is a minimal requirement for cybersecurity, yet it is often disregarded or overlooked as a serious security measure, and attackers know this and can take advantage of the situation.
Common cyber threat actors
Knowing your likely threat actors is vital threat intelligence for preparing your organisation for an attack. With the ever-evolving threat of cybercrime looming over your business, you need a cyber readiness plan in place which monitors the tactic, technique and procedures (TTPs) of these groups and it needs to be continually reviewed to keep up with their development.
There are numerous groups of attackers operating today, here is a summary of the main characteristics of each group:
Nation-state or government-sponsored groups
- Attack level: sophisticated
- Financial support: well-funded
- Focus: targetted attacks
- Motivation: agenda of economic, political or military proportions
- Goal: information for espionage
- Attack level: sophisticated
- Financial support: well-funded
- Focus: targetted attacks
- Motivation: high profits
- Goal: personally identifiable information (PII) or to steal high-value digital resources
- Attack level: mid-level sophistication
- Financial support: self-funded (medium funding)
- Focus: high-profile attacks to create headline news
- Motivation: political agenda
- Goal: draw attention to their cause
Unhappy employees or former employees
- Attack level: low to mid-level of sophistication
- Financial support: self-funded (low funding) unless in collaboration with another group
- Focus: expose or damage the company / steal data
- Motivation: revenge or money
- Goal: go undetected
Script kiddies or amateur criminals
- Attack level: low to mid-level of sophistication
- Financial support: self-funded (low funding)
- Focus: fame or money
- Motivation: headlines
- Goal: cause disorder
Grey hat hackers or security researchers
- Attack level: mid-level of sophistication
- Financial support: funded by research company
- Focus: money and prestige
- Motivation: industry kudos
- Goal: find a zero-day
Misconfigurations in the IT network are a significant threat to organisations.
Such errors are providing higher levels of system privileges to staff, which allow them to see and do more than they should on the network and potentially overturn critical systems.
Now you understand who your threat actors are - as detailed above, the next step is to gather threat intelligence to help you identify when you are observed or under attack.
The importance of cyber threat intelligence
What is threat intelligence?
Threat intelligence or TI represents external information about a threat that an organisation can use to its advantage.
TI derives from a collection of four main intelligence sources:
- Human Intelligence (HUMINT)
- Open source intelligence (OSINT)
- Social media intelligence (SOCMINT)
- Technical intelligence
The principal objective of TI is to research and analyse trends and technical developments in three areas: cybercrime, cyber espionage and hacktivism.
The intelligence collected is incorporated into the company’s defensive management processes, such as new policy creation, reconfiguration or design of a system, or the commision of new security technology.
The intelligence usually categorises into three areas: A. tactical, B. operational or C. strategic.A) Tactical intelligence
- Focuses on understanding the tactics, techniques, and procedures (TTPs) of threat actors
- Tactical intelligence answers how the threat actors will carry out their task
- The information will be useful for security and network operation teams in determining: vulnerability management, creating an attack warning system, and informing the design and configuration of the organisation’s network
- Operational intelligence derives from securityinformation and event management (SIEM) or threat intelligence platforms
- The logs are cross-examined with the organisation’s network logs and subsequently collected data to determine the threat actors plans to breach your organisation
- Analysing logs will also reveal if the threat actors have already penetrated your network defences and the scope of the breach
- Operational intelligence includes indicators of compromise (IoC) and will help divulge if an organisation is under cyber-attack and show specific weaknesses in the network
- Forensic analysts or the incident response unit will find this information useful
- Details reports of threat actor objectives, drivers, abilities, and their intentions against the organisation
- Strategic knowledge of this kind helps the victim organisation to determine what types of additional controls are needed to mitigate attacks
- Senior security professionals such as CISOs and IT management will leverage the strategic information
How do I obtain threat intelligence?
- Leverage threat intelligence through independent TI experts who are trained to detect, monitor and interpret information
- Experienced TI consultancies will usually have a security operations centre (SOC) or lab where they carry out the work
- In the first instance, firms should concentrate on tactical threat intelligence
- TI experts will use the tactical knowledge they obtain to map the anatomy of an attack or its ‘Kill Chain’
- Since the information from this type of TI provides insight into how the threat actors are operating it can directly link to your security controls and the deployment of highly effective short and long-term security countermeasures
How to defend and protect your data against cyber threats?
Today's best practices for cybersecurity are a combined approach of in-house protection and third-party defences. Staying up-to-date with evolving cyber threats reach beyond what is feasible for an in-house security team to provide.
- Security awareness training covering best practices for handling data, identification of phishing and processes to counteract social engineering
- Up-to-date software
- Anti-virus software
- Intrusion detection and prevention systems (IDS/IPS)
- Security event monitoring platforms (SIEM)
- A realistic incident response plan
Third-party cybersecurity partner defence:
Techniques your partner should be using
- Advanced threat monitoring at endpoints
- Firstline incident response staff and investigators on call
- Vulnerability scanning and penetration testing
- Moreover, the key is to use up-to-date threat intelligence
Useful cyber threat terminology
What is cyber threat analysis?
The Counter Terrorism Unit (CTU) releases publically available research on cybersecurity threats, known as threat analysis. It shares the intelligence after the information is deemed no longer helpful to threat actors.
What are ‘emerging threats’?
Emerging threats are new vulnerabilities that can lead to further cyber incidents. Threat advisories publish information about new risks quickly to help prevent related attacks.