It’s just a job.
In the latest round of security awareness training that I have been teaching, I have been playing this video from Cisco. It is the anatomy of an attack from the hacker’s perspective. It is not very long and it hits all the salient parts of a devastating attack on a fictional company.
The ‘hacker’ does not consider herself a hacker as such, but more of a social engineer. When you get down to the core of successful phishing, it is social engineering – getting you to do something that is not in your best interests.
This type of attacker sits mid-way on the spectrum that runs from script kiddies with no technical skill to state-sponsored attackers with both skill and large amounts of resources. The video is constructed as a voice-over interview, with the attack and its results shown during the conversation.
Attacker: It’s not a bad job.
Interviewer: So you consider this a job?
Attacker: I put a lot of work into this. I’m not lazy. It takes research.
As is common with many engaged in criminal/unethical behavior, there is no remorse for the disaster that followed her successful phishing effort. As far as she is concerned, the fact that the phishing email did its job means she did a good job. As she said “I was paid to do a job, and I did it well and that’s what’s expected of anyone, isn’t it?”
Unless you are a nation state (or a big corporation, like Sony), chances are the state-sponsored actors are not trying to get at you. Unfortunately that eliminates very few of the bad guys who ARE after you. While ransomware is statistically a small percentage of the malware attacks out there, it is growing at an alarming rate. It makes the news because the payouts are getting larger, with the biggest so far at $1 million.
One thing driving the increase in ransomware is RaaS – Ransomware-as-a-service. There are a growing number of portals where you can pay a fee and get a nice management console, tech support and a fairly generous profit from a ransomware campaign and you don’t need any technical skill. You fill in some blanks and the portal owners do the rest. They even launder your bitcoin ransom and take a cut for their trouble. One web site has a sliding scale that reduces their percentage as your volume goes up. This means you can launch a ‘spray and pray’ type of campaign. You don’t need the skilled social engineer when you can work with volume. If you keep the payments low enough, you will get quite enough to make you happy.
Ransomware succeeds because people feel there is no other option than payment. A tested, current backup is the best deterrent to ransom payment. If you can restore your files in a timely fashion with minimal lost data, there is no reason to pay. Remember, if they got on to your PC/network, the ransomware is probably not the only thing they installed. There is nothing to prevent another ransom demand next week if you don’t take appropriate action. Backups at home and at work will help mitigate the threat of ransomware.
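The "tested, current backup" above is only a deterrent if someone actually tests it. The following is an added example (not code from the original post or from Ashton Technology Solutions) of what a minimal backup test looks like in Python: record a SHA-256 per file and the time the set was taken, then verify that the set is still within the allowed age and that every file is present and unchanged. The directory layout, the 24-hour freshness limit and the files themselves are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record a SHA-256 for every file in the backup set plus when it was taken."""
    backup_dir = Path(backup_dir)
    files = {
        str(p.relative_to(backup_dir)): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != "manifest.json"
    }
    manifest = {"taken_at": time.time(), "files": files}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def verify_backup(backup_dir, max_age_seconds, now=None):
    """Return a list of problems; an empty list means the backup is current and intact."""
    backup_dir = Path(backup_dir)
    try:
        manifest = json.loads((backup_dir / "manifest.json").read_text())
    except FileNotFoundError:
        return ["no manifest: this backup set was never recorded"]
    problems = []
    now = time.time() if now is None else now
    age = now - manifest["taken_at"]
    if age > max_age_seconds:
        problems.append(f"stale: backup is {age / 3600:.1f} h old")
    for rel, digest in manifest["files"].items():
        member = backup_dir / rel
        if not member.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(member) != digest:
            problems.append(f"corrupt: {rel} no longer matches its recorded hash")
    return problems


def demo():
    """Constructed scenario: a good set, the same set judged two days later,
    and the same set after one file is overwritten and another deleted."""
    day = 24 * 3600
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "q1-report.txt").write_text("quarterly figures\n")
        (root / "docs" / "contacts.csv").write_text("name,email\n")
        write_manifest(root)
        results = {"fresh": verify_backup(root, day)}
        results["stale"] = verify_backup(root, day, now=time.time() + 2 * day)
        # Simulate an encrypting intruder touching the backup copy itself
        (root / "docs" / "q1-report.txt").write_bytes(b"\x00encrypted\x00")
        (root / "docs" / "contacts.csv").unlink()
        results["tampered"] = verify_backup(root, day)
        return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

Run it on a real backup target on a schedule and alert on any non-empty result; a backup that is quietly stale or that the intruder reached as well is exactly the case in which paying starts to look like the only option.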
There is still a market for medical records, identity information, and the like. With breaches like River City Media (essentially a spamming operation) leaking 1.3+ BILLION records, the price for records is dropping. There is a glut in the market.
So what will you do about it? This study found that of those surveyed, only 29% felt that their employees could successfully recognize risky links or sites. That means there is a 7 out of 10 chance that someone in their company would compromise security. If you tested your company, how would it fare? How about you? Do you know how to check an email or link and decide if it is trustworthy? There are several things you can look at, as mentioned here.
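To make "check a link" concrete, here is an added example (not code from the original post) of the questions a careful reader asks about an email link, written as a small Python checker: does the visible text name a different domain than the real destination, is the host a bare IP address, is there a user@ part in front of the real host, is the address HTTPS, and does any label use punycode. The sample anchors and domains are constructed for the demonstration (reserved example names and a documentation IP range), and the two-label "registered domain" approximation is an assumption that stands in for a proper public-suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed sample anchors (visible text, actual href) as they might appear
# in an awareness exercise.  The first is benign; the rest each show one trick.
SAMPLE_LINKS = [
    ("https://portal.example.com/login", "https://portal.example.com/login"),
    ("https://portal.example.com/login", "https://portal.example.com.example.net/login"),
    ("Reset your password", "http://203.0.113.10/reset"),
    ("portal.example.com", "https://portal.example.com@203.0.113.10/"),
    ("portal.example.com", "https://xn--prtal-example.net/"),  # constructed punycode-style label
]


def registered_domain(host):
    """Last two labels of a host name (assumption: no public-suffix list used)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(display_text, href):
    """Return the reasons this link deserves a second look; empty means nothing stood out."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        reasons.append("not HTTPS")
    if parts.username is not None:
        reasons.append("user@ before the real host hides where the link goes")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("host is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible look-alike characters)")
    # Compare what the text shows with where the link really points.
    shown = urlsplit(display_text if "://" in display_text else "//" + display_text).hostname or ""
    if "." in shown and registered_domain(shown) != registered_domain(host):
        reasons.append(f"text shows {shown!r} but the link goes to {host!r}")
    return reasons


def flagged(links):
    """Keep only the (text, href, reasons) triples that raised at least one reason."""
    return [(t, h, inspect_link(t, h)) for t, h in links if inspect_link(t, h)]


if __name__ == "__main__":
    for text, href, reasons in flagged(SAMPLE_LINKS):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   -", r)
```

None of these checks proves a link is malicious, and a clean result does not prove it is safe; the point for training is that every item on the list is something a person can see by hovering over the link before clicking, which is the habit the survey above says most employees lack.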
There are those who feel security awareness training is useful and some who do not. What is certain is that without training, you and your employees will most certainly do something harmful to the business. Get the people in your company smart enough to see phishing attempts for what they are. This will mean some extra work and slow them down a little. The time they lose being careful will be nothing compared to the time lost if they are not.
For more information on security training, and what you can do to defend against ransomware, call Ashton Technology Solutions at 216 397-4080.