March 1, 2021

How to address ransomware, phishing, and BEC

You’ve almost certainly heard of ransomware, phishing, and business email compromise as they are all over the news today.  You probably have a general idea of what they are – enough to be worried -- but how well do you understand the risks they create and how to protect your organization? 

Attackers are looking for the biggest payouts for the lowest effort and risk, and this drives the ever-changing prevalence of threats.  Ransomware is a dominant threat today because it's easier for attackers to commercialize compared to phishing.  Business email compromise is increasing because it can yield bigger payouts for attackers.  This post will discuss the threats of ransomware, phishing, business email compromise, and another one you may not have heard of, a server-side attack.  We'll then dig into what you can do about them.

Four threats

Let's start with the simplest threat, phishing to steal credentials.  Phishing is mostly delivered through email – but there are subtypes for SMS, etc. – and this type of phishing generally aims to fool the recipient into giving up their account credentials – userid and password -- using a fake login page for a cloud service. Using the stolen credentials, the attacker can obviously perform an account takeover of the cloud service account in question, but they will also likely be able to use credential stuffing to take over other accounts owned by that userid.  Credential stuffing means trying the userid/password combination on hundreds of different cloud services, and it works because most people use the same password for many of their accounts.  In other words, most users don't use a unique password per account, as they should. 

Once the attacker takes over one or more accounts, they can make money by many different means, including stealing data from the accounts then reselling the data (e.g., for credit card data) or threatening its disclosure.  (By the way, if personal information is accessed in any way, in most jurisdictions this is a privacy data breach and must be reported to the privacy authority.)

There is a related threat, a server-side attack, that involves an attacker stealing credentials from the cloud service itself instead of its users.  The attacker will break into a cloud service and steal the "passwords file", which contains the userid and the associated, obfuscated (salted and hashed) password for each of the cloud service's users.  The attacker will then perform a cracking operation to de-obfuscate the passwords, and will generally be successful for those users that haven't used a strong password. 

What makes a password "strong"?  It's sufficient length, sufficient randomness, and sufficient character types complexity (the mix of uppercase, lowercase, digits, and symbols).  "Sufficient" is a fuzzy and moving target, but if a password isn't a bare minimum of 12 characters long, doesn't look random, or doesn't use at least three types of characters, it may not be strong enough to resist cracking.  Once passwords are cracked, there are same risks as for phishing, such as account takeover and credential stuffing.

Business email compromise (BEC) requires the most effort for the attacker.  In a typical compromise, the attacker will get access (through one of a variety of means) to an email account for an organization head or financial head and will monitor the email traffic for a while.  Once the attacker understands the organization's financial processes and which employees are involve with financial transfers, they will send a fake email (from a fake account, often with a similar-looking domain name) to an employee requesting a wire transfer to some outside destination.  If the deception is not detected in time, the attacker will receive the transfer.

The last, and probably most important, threat we'll discuss is ransomware.  This is a type of malware usually delivered through phishing emails (but not the credentials-stealing kind), and it is rapidly surpassing other types of malware and phishing because of its ease of monetization.

For email-based ransomware (and other malware), a user will typically be fooled into executing a file attached to an email or to clicking on a link in an email and downloading a file, resulting in a compromise of their device by the attacker's malware (i.e., malicious software).  Ransomware encrypts the infected computer's files in place and then demands a ransom payment to provide the decryption key; and the ransomware will typically try to spread to other computers in the organization.  If the organization decides to pay the ransom (it's a complex decision) and is very lucky, the key will work; otherwise the data is irretrievably destroyed. 

Increasingly, though, ransomware does more than encryption: it will send a copy of the victim's data to the attacker's server before encrypting it, and the attacker will additionally (and maybe on more than one occasion) threaten to publicly release the data if the ransom is not paid.  Whereas a data backup is a good recovery mechanism for ransomware's encryption, there really is no way to mitigate a public release of data, which makes victims more willing to pay.  (Note that both cases would generally be considered privacy data breaches if personal data is involved.)

Mitigations

If we analyze the four threats in detail and look at how to mitigate the resulting risks – i.e., prevent them, reduce their effect, or recover from them -- it turns out that we need two different sets of mitigations, aka security controls:

  • controls that address the primary risks of account takeover and credential stuffing, and financial loss for BEC – let's call this Type 1; and
  • controls that address the primary risks of device compromise (by malware) and destruction of data – we'll call this Type 2.

Mapping these risks to the four threats above:

  • Type 1 controls are for credentials-stealing phishing, business email compromise, and credentials-stealing server-side attacks; and
  • Type 2 controls are for malware and ransomware.

Both types are also mitigating a variety of secondary risks, including financial loss and theft or exposure of data.

The controls

So what are these two amazing sets of security controls?  They are for the most part the basic set of security controls that security professionals call "security hygiene" – fundamental security controls that every organization should implement as a matter of course before getting into anything fancier. 

The Type 1 controls are focused mainly on protecting credentials:

  • user security awareness training;
  • the proper use of passwords: mainly ensuring they are strong and unique;
  • the use of a password manager: as the best way of properly managing passwords;
  • the proper use of the password manager, including using it to autofill login pages: whereas a user can be phished by a fake login page, a password manager will notice the fake page's incorrect domain name and will refuse to autofill the credentials into that page;
  • use of two-factor authentication (2FA)/multi-factor authentication (MFA): as a second line of defense on an account in case the account's password is compromised; and
  • for BEC in particular, setting up a proper verification process for financial transactions, such as through the use of out-of-band verification like a phone call or walking over to talk to the sender: to catch fraudulent requests.

The Type 2 controls are targeted mainly at spam and malware:

  • user security awareness training;
  • the use of an email anti-spam/malware filter: to stop phishing emails before they reach users; and
  • security hardening of devices, especially computers, by locking down operating system (OS) security-related settings and the use of antimalware ("antivirus") and anti-ransomware software or, for larger organizations, endpoint protection software/services: to prevent malware from successfully running if a user falls for it;
  • the use of data backup, to a cloud backup service or a local backup drive, or ideally to both: to recover from the destruction of data by ransomware.

User security awareness training is listed first for both type of controls because it's usually the most important control that organizations can put in place.  Properly trained employees could forestall many risks even in the absence of many technical security controls (such as password managers, 2FA, spam filters, hardening, antimalware, etc.) – but conversely, the best technical security controls can be bypassed or rendered ineffective by unaware employees. 

All organizations should properly train their employees on security (and privacy) risks – starting as soon as possible and then at least annually.  They should also choose the right mix of technical security controls to fit their organization, risk tolerance, and budget.  Every single organization, though, should have all the Type 1 and Type 2 security controls listed above as a minimum.

For more

This has been only a brief introduction to some common cybersecurity threats that most organization face, and to how to start addressing them.  If you want to learn more – and I strongly encourage you to do so – there is no shortage of information available.  Most everything you might want to know is on the Internet, so you can do a web search for any of the terms in this post.  You can also read some of my other blog posts; see my blog map for an index of useful posts.