This article is part of Panther’s new Future of Cyber Attacks Series which features interviews with cyber security experts, thought leaders, and practitioners with a goal of better understanding what organizations can do to prepare themselves for the future of cyber attacks.
The following is an interview we recently had with Yaniv Masjedi, Marketing, Aura.
How have cyber attacks evolved over the past 12 months?
We recently published an article on Aura blog titled: How To know If Your Identity Has Been Stolen where we share an alarming statistic: 47% of Americans experienced identity theft last year. If you think of that number – that’s a lot of people.
One of the biggest shifts that occurred over the last year was the growth in cyber attackers using manipulation to steal our private data. Research shows that Internet crime complaints soared by 69.4% in 2020, with the top three crimes reported being phishing scams, non-payment/non-delivery scams, and extortion.
A key reason for this increase is that cyber criminals recognize that as employees have moved their working lives onto their devices to collaborate, they’ve also moved outside of their organization’s perimeter defenses and are thus prime targets for fraud and phishing scams.
In many ways, by using our own devices to work from home, we’ve not only traded away our privacy but also our safety and our security. Our devices are now a bigger target for cyber criminals, who can attempt to manipulate us into giving up information with fake email and SMS messages.
Unfortunately, many organizations are struggling to get to grips with phishing and social engineering-style threats because traditional security solutions like antiviruses or network monitoring tools can’t detect them. The only way to detect them is by educating employees on the latest techniques, which requires consistent training.
What lessons can be learned from the biggest cyber attacks in recent history?
The Dark Halo and Kaseya ransomware attacks showed that no organization is too big to hack. It doesn’t matter whether you’re a multinational corporation or a government department; if an Advanced Persistent Threat (APT) actor wants to gain access to your data, it’s a matter of if, not when.
More and more APTs are launching supply chain attacks, so they can gain access to a third-party service provider’s internal systems and steal the data of multiple organizations. This means organizations can no longer blindly trust third-party providers to protect their data, as every piece of information they hold is at risk of exfiltration.
The only way for organizations to defend against these types of attacks is to minimize third-party access to sensitive data and to use a mixture of continuous network monitoring and identity protection services to identify data leaks when they occur.
What will cyber attacks look like in the future?
In the future, we’re going to see more cyber criminals begin to emulate the techniques and coordinated attacks used by state-sponsored APTs. The reason for this change is that many less skilled attackers will try and replicate the techniques used in “successful” APT attacks.
For example, when considering the techniques used in recent APT attacks like the Dark Halo and Kaseya breaches, it is likely that lower-level cyber criminals will start to use obfuscation techniques to avoid detection, so they have enough time to exfiltrate as much data as possible.
In addition, cyber criminals will start to use a wider range of techniques to break into target organization’s defenses, switching between manipulative phishing and social engineering attempts to brute force hacks, browser-based exploits, and cloud infrastructure modification.
What are three pieces of advice for organizations looking to get ahead of cyber attacks in the future?
Organizations looking to get ahead of cyber attacks need to develop a security strategy to protect interconnected devices from cyber criminals. At a high level, that means addressing human risk and increasing employee awareness of threats.
The CEO of Pango Group, owners of Hotspotshield VPN, Hamed Saeed recently put out a great video detailing the 5 Things Every Company Needs to Know About Data Privacy & Cyber Security with some practical tips:
The more users know about the risks of clicking on suspicious links or attachments, selecting weak passwords, and not updating devices, the more they’ll be able to avoid those behaviors that put themselves, their families, and their organization’s data at risk.
Steps organizations can take today:
- Educate your employees to mitigate human vulnerabilities – Provide employees with training on the techniques that cyber criminals are using to gather data, and educate them on how to protect themselves by selecting strong passwords and never clicking on links in emails from unknown senders.
- Communicate and document – If your employees are working from home, it’s vital to communicate with them and document their level of security awareness to ensure that they’re following the latest best practices.
- Start thinking ahead – Try to anticipate how cyber threats will evolve in the future, and commit to incrementally improving your security posture over time by onboarding tools like identity protection services, password managers, and vulnerability scanners.