According to the Global Risks Report 2022, prepared by the World Economic Forum, cybersecurity flaws and digital inequality are among the 10 most critical threats that humanity will face in the next two years. In fact, it is estimated that by 2030 there will be a malicious attack attempt every two minutes.
Every year there are 20,000 new vulnerabilities that need to be addressed in some way, an overwhelming number that makes them very difficult to resolve (via patches and updates). Put very simply, in the world of software and hardware, a vulnerability is a flaw in a system's security validation that attackers exploit to make the system do something different or to access sensitive assets and data.
During the Anatomy of a Cyberattack conference, the security and technology expert said that today the cybercriminal is no longer thought of as an individual, but rather as gangs or criminal groups that have financial backing and technically skilled people; these organizations are dedicated to understanding network infrastructure and generating new forms of malware.
Among the main groups are Lockbit, Conti and Pysa. In the most recent cases of cyberattacks, 63% aimed to exfiltrate data. The average extortion demand was $247,000 and the maximum was $240 million, eight times higher than that recorded in 2020. The average downtime suffered by the attacked organizations was 22 days, while the dwell time, that is, the time the attackers remained in the systems, was nine days.
Although the main motivator is profit, through extortion and ransom payments to recover information and access to systems, there are also those who carry out this activity for personal or political reasons, which is considered hacktivism.
A simple way to catalog attacks is by their objective, whether mass or targeted. The first is generally initiated through malware that, once it enters a computer, spreads automatically; behind a targeted attack there is a person or hacker who decides their next actions depending on whether or not the victim realizes what is happening.
Most incidents take place in a series of steps divided into three levels described in the so-called attack chain (or kill chain, a term derived from military models).
Anatomy of a cyber attack
At the first level, the initial objective of the criminals is to gain access to the system. To do this, they often resort to information available on web pages or social networks to work out the organization chart of the target organization and identify whom to direct the attack to. The initial access attempt is usually seen as phishing; it can take the form of a phone call or an email, but in every case there is a deception that takes advantage of the so-called 'weak link', the user, so that they do something or enter a site that pretends to be another, all to gain that first access.
If the user does not realize that security has been compromised, the second step, known as "establish foothold", consists of staying in that system and from there discovering what other devices, credentials or networks can be reached, which is the next phase, known as network discovery.
If, with the passing of hours or days, neither the user nor the systems team detects the threat, the attack moves to the second level of the chain in order to identify the resources that are truly important (key asset discovery): customer data, the intellectual property in the software code or the network itself, which the attackers, once they have done their analysis, will surely want to obtain. Subsequently, the data is stolen (data exfiltration) and the attack spreads within the same network (network propagation).
In the third and final level, the attacker prepares to deploy malicious software or ransomware (a type of malware), which once installed can remain inactive on the system until the attacker decides to run it to harass and/or extort the victim.
All these steps are carried out in an average of nine days, according to a recent study of multiple real breaches that became public, with the second level being the most complex and the one on which criminals spend the most time.
Attacks on targets that malicious actors consider to be of high value, for the money they may receive in return, are becoming more frequent. In some cases, where no ransom is demanded, the information extracted from the organization ends up for sale on the illegal market; there are also situations of double extortion, where criminals exfiltrate data and also disable access to the system.
It often happens that the ransom is paid and the information is gone anyway; that is why the security agencies of each country discourage payment, firstly to avoid financing criminals and secondly because there is no guarantee that the information will be recovered.
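To make the dwell-time and per-level figures above concrete from a defender's side, here is an added example (not from the article or from Cisco) that tags a constructed incident timeline with the article's phases and three levels, then measures dwell time and how long the attacker spent in each level before detection. The timestamps, phase names and `DETECTED_AT` value are all made up for illustration.

```python
from datetime import datetime

# Kill-chain phases as the article names them, grouped into its three levels.
LEVEL_OF_PHASE = {
    "initial_access": 1, "establish_foothold": 1, "network_discovery": 1,
    "key_asset_discovery": 2, "data_exfiltration": 2, "network_propagation": 2,
    "ransomware_deployment": 3,
}

# Constructed incident timeline: (UTC timestamp, phase, short note). Not real data.
TIMELINE = [
    ("2022-03-01T09:12:00", "initial_access", "user opened phishing link"),
    ("2022-03-01T09:40:00", "establish_foothold", "scheduled task persistence"),
    ("2022-03-02T14:05:00", "network_discovery", "internal port scan from workstation"),
    ("2022-03-04T11:30:00", "key_asset_discovery", "enumeration of finance file share"),
    ("2022-03-07T03:15:00", "data_exfiltration", "large outbound transfer to unknown host"),
    ("2022-03-08T16:50:00", "network_propagation", "lateral logon to file server"),
    ("2022-03-10T02:00:00", "ransomware_deployment", "encryption binary staged"),
]
DETECTED_AT = "2022-03-10T02:30:00"  # constructed: when the SOC raised the alert


def _ts(s):
    return datetime.fromisoformat(s)


def dwell_time_days(timeline, detected_at):
    """Days from the first attacker action to detection (the article's dwell time)."""
    first = min(_ts(t) for t, _, _ in timeline)
    return (_ts(detected_at) - first).total_seconds() / 86400


def days_per_level(timeline, detected_at):
    """Days spent in each level: from its first event until the next level starts,
    or until detection for the last level reached."""
    events = sorted(timeline, key=lambda e: _ts(e[0]))
    starts = {}
    for t, phase, _ in events:
        starts.setdefault(LEVEL_OF_PHASE[phase], _ts(t))  # first event per level
    levels = sorted(starts)
    result = {}
    for i, lvl in enumerate(levels):
        end = starts[levels[i + 1]] if i + 1 < len(levels) else _ts(detected_at)
        result[lvl] = (end - starts[lvl]).total_seconds() / 86400
    return result


def longest_level(timeline, detected_at):
    """The level in which the attacker spent the most time before detection."""
    d = days_per_level(timeline, detected_at)
    return max(d, key=d.get)
```

On the constructed timeline the dwell time comes out just under nine days and level two accounts for most of it, matching the pattern the article describes.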
By Juan Marino, Cisco Cybersecurity Manager for Latin America