
What Attackers Want


Every week the media covers stories about data breaches, ransomware, vulnerabilities and attacks on large organisations. These stories perpetuate the misconception that attackers only go after large organisations with assets worth stealing.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also available as video and podcast.


Introduction

The next step in our approach to security involves exploring what attackers want when they undertake an attack. We have already covered part of this question at a very superficial level in a previous episode on attackers, but today we are going to go into it in more detail, which will help Smaller Organisations to understand why they will get attacked, whether intentionally or in the crossfire.

Default sample awareness and knowledge infographic

Myths and Misconceptions about What Attackers Want

As we have covered in previous episodes, the root of many successful attacks on Smaller and Medium-sized Organisations (SMOs) goes back to the assumptions they make about implementing, or not implementing, the controls they should have, and about taking a balanced risk management approach. Some of the things we are going to cover may lead some to say that “you are just making everyone paranoid, life isn’t like that”. What we are trying to do is help organisations be more vigilant when they undertake certain activities. When people cross the road it makes perfect sense to look, listen and understand the environment before crossing, yet no one walks around everywhere with the vigilance they apply at a road crossing; equally, we hope to provide some warnings on when to be vigilant and how to be vigilant. First, we are going to explain some of the reasons why organisations need to be vigilant, based on their current thinking.

Some of the myths and misconceptions Small Organisations have about what attackers want (which leads to them being attacked) include the following:

  • We don’t have millions in revenue, or millions of passwords, or anything like the big companies, so there is no reason we should get attacked. Many SMOs create their own misconception based on what they don’t have rather than the reality of what they do have. Every organisation, no matter its size, has digital data and/or connections, which is enough for attackers to use. For example, knowing the closeness between two individuals, attackers have spoofed emails from one trusted party to another saying that they are in trouble abroad and desperately need money to be sent. This has worked both on finance staff sending money to a CEO whose email account has been compromised, and on private individuals who sent money to family or friends – who definitely don’t have the resources of large organisations. Attackers will use anything they can to get their victim’s money; they assume that even if victims don’t have money, some of the data or connections they have will be worth something to another attacker.
  • We are a local respected charity and don’t have any money, as all the work we do is providing voluntary help to people in need, so we shouldn’t be an attacker’s target, should we? The misconception here is that attackers know or care whether your organisation is local, respected or a charity. The extent to which they care is how they can leverage this information to extort money from others. If your organisation doesn’t have any money, it will have other assets, like a contact or mailing list, which may be used to email everyone asking them to contribute to a fundraising campaign. Also, even if there is only one email address for the charity or small business, that email address can be spoofed to send millions of messages with fundraising or other requests, using your good reputation to get what they want. So, just having a good reputation and an email address is useful enough for them either to sell to others or to make use of themselves.
  • Our organisation is so small, we don’t have our own email system, or any technology, we just use technology from large tech and social media companies, like Facebook and Google, so we won’t get compromised, will we? Different types of attackers are opportunistic in different ways, and many of them focus on what assets a potential victim has whether it is money, contacts or reputation. There have been many examples of attacks based on the information victims have disclosed on social media. Whether it is based on the victim having a large group of trusting followers, or having certain contacts as followers, attackers will attempt to evaluate how any information can be used to generate revenues with a scam.
  • We are unlikely to get ransomware, because our organisation doesn’t have any mission critical data which could be held to ransom in our operations, so we shouldn’t need to worry about this, should we? The way that ransomware is used now compared to the past has changed. Many years ago, ransomware may not have worked on small, or even many large, organisations. But the way that attackers use ransomware now is that, once they break into an organisation, they will exfiltrate (i.e. steal) everything to identify what data is of value and how it can be used to extort a ransom. Once they understand this, they no longer send out a generic message to the organisation to pay a fixed sum. Instead, the message will be specific about the data that has been taken, and will say that if the victim does not pay, they will release the data to the public and the organisation will have to disclose the breach to the data protection authority, which will result in a fine. The message will conclude by saying that if the victim instead pays a much smaller amount to the attacker, they will not disclose any data and will provide a key to access the locked data. So, whether the ransom is worth a few hundred or a few million, the fact is that there are some attackers who will happily target small organisations on the basis that the victim won’t go to the police (and that there are many prospective small victims out there). Then there are attackers who will only focus on larger organisations for the bigger pay-outs. When either group of attackers comes across targets they don’t want to handle themselves, they will sell the compromised organisation on to one or more attackers who are interested in the attributes of the victim. What this means is that any organisation of any size is a potential asset to be traded directly for cash to other attackers, or to be used to extort money from.
  • We only have one shared computer and no employees, surely we can’t be a target? As we’ve tried to indicate, targeting is not based on what small organisations have or don’t have; it is based on a weakness a particular attacker has found opportunistically, and then on how they can make use of that weakness and/or asset as leverage. An example is the social engineering attack where attackers call a number claiming to be from Microsoft, tell the victim that there is malware on their computer, and get the victim to install a piece of software which is supposed to be a fix but is really malware giving the attacker complete remote access. Sometimes they even ask the victim to pay for a fake security subscription. Whether an organisation has zero, one, ten or fifty employees is not usually an attacker’s starting point for an attack, unless they have been paid to target it or have some other reason to do so. On the whole, the number of employees is not a starting point.
  • We knew that we may be vulnerable, so we put all our data into the cloud so that we won’t get attacked. Using the cloud is considered good advice by the UK’s National Cyber Security Centre (NCSC), but the misconception here is firstly that all cloud services are secure, and secondly that there are no other ways to compromise the organisation in order to access those cloud services.

Later we will look into some of the different assets that attackers may specifically target, but from the above we should assume that attackers act like entrepreneurs: they are looking for ways to monetise their time, and in this case that means monetising your assets. In doing so, they may try to sell those assets back to you, to a competitor, to the highest bidder, or simply to other attackers.

Default sample Threat Map infographic

Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 


Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (Downloadable in the week of publication).
  • Download Items - Policy Templates, etc. (Downloadable in the week of publication).
  • FAQs (Available soon).
  • Blog articles (link to items).
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon)

External Resources:

  • Ponemon Institute Survey
  • Other Survey information

Images from https://www.pixabay.com.