AI and ML in Cybersecurity: Adoption is Rising, but Confusion Remains
If you’ve been working in the technology space for any length of time, you’ve undoubtedly heard about the rising importance of artificial intelligence (AI) and machine learning (ML). But what can these tools really do for you? More specifically, what kinds of benefits do they offer for cybersecurity and business operations?
If you’re not so sure, you’re not alone. As it turns out, although 96% of global IT decision-makers have adopted AI/ML-based cybersecurity tools, nearly 7 in 10 admit they’re not sure what these technologies do.
We surveyed 800 global IT decision-makers across the U.S., U.K., Japan, and Australia/New Zealand about their thoughts on AI and ML in cybersecurity. The report highlighted a number of interesting (and contradictory) findings, all of which indicated a general confusion about these tools and whether or not they make a difference for the businesses who use them. Additionally, nearly 3 out of 4 respondents (74%) agreed that, as long as their protection keeps them safe from cybercriminals, they really don’t care if it uses AI/ML.
Here’s a recap of key findings based on responses from all 4 regions.
- 91% say they understand and research their security tools, and specifically look for ones that use AI/ML.
- Yet 68% say that, although their tools claim to use AI/ML, they aren’t sure what that means.
- 84% think their business has all it needs to successfully stop AI/ML-based cyberattacks.
- But 86% believe they could be doing more to prevent cyberattacks.
- 72% say it is very important that cybersecurity advertising mention the use of AI/ML.
- However, 70% of respondents believe cybersecurity vendors’ marketing is intentionally deceptive about their AI/ML-based services.
AI and ML matter because automation matters
As we’ve all had to adjust to “the new normal”, IT professionals have had to tackle a variety of challenges. Not only have they had to figure out how to support a massive shift to working from home, but they also have to deal with the onslaught of opportunistic online scams and other cyberattacks that have surged amidst the chaos around COVID-19.
With all of us working to adapt to these new working conditions, it’s become clear tools that enable automation and productivity are pretty important. That’s where I want to highlight AI and ML. In addition to how AI/ML-based cybersecurity can drastically accelerate threat detection—and even predict shifts and emerging threat sources—these technologies can also make your workforce more efficient, more effective, and more confident.
While many of our survey respondents weren’t sure if AI/ML benefits their cybersecurity strategy, a solid percentage saw notable improvements in workforce efficiency after implementing these tools. Let’s go over those numbers.
- 42% reported an increase in worker productivity
- 39% saw increases in automated tasks
- 39% felt they had more time for training, learning new skills, and other tasks
- 38% felt more effective in their jobs
- 37% reported a decrease in human error
As you can see, the benefits of AI and ML aren’t just hype, and they extend well beyond the cybersecurity gains. Real numbers around productivity, automation, time savings, and efficacy are pretty compelling at the best of times, let alone when we’re dealing with sudden and drastic shifts to the ways we conduct business. That’s why I can’t stress the importance of these technologies enough—not only in your security strategy, but across your entire toolset.
Where to learn more
Ultimately, AI and ML-based tools can help businesses of all sizes become more resilient against cyberattacks—not to mention increase automation and operational efficiencies—but it’s important to understand them better to fully reap the benefits they offer.
While there’s clearly still a lot of confusion about what these tools do, I think we’re going to see a continuation of the upward trend in AI/ML adoption. That’s why it’s important that IT decision-makers have the resources to educate themselves about the best ways to implement these tools, and also look to vendors who have the historical knowledge and expertise in the space to guide them.
“Realistically, we can’t expect to stop sophisticated attacks if more than half of IT decision makers don’t understand AI/ML-based cybersecurity tools. We need to do better. That means more training and more emphasis not only on our tools and their capabilities, but also on our teams’ ability to use them to their best advantage.”
– Hal Lonas, SVP and CTO for SMB and Consumer at OpenText.
For further details about how businesses around the world are using AI and ML, their plans for cybersecurity spending, and use cases, download a copy of the full AI/ML report.
And if you still aren’t sure about AI/ML-based cybersecurity, I encourage you to read our white paper, Demystifying AI in Cybersecurity, to gain a better understanding of the technology, myth vs. reality, and how it benefits the cybersecurity industry.
Cyber News Rundown: HMRC Takes Down COVID-19 Scam Sites
Adult Website Leaks Trove of Sensitive Data
An recently discovered unsecured database belonging to the adult streaming site Cam4 was found to contain nearly 11 billion unique records amounting to seven terabytes of data. For a site with billions of visitors each year, the exposed data could affect millions who have visited the site since March 16 of this year, and could be used to further harm individuals whose connection to the site could be politically or socially sensitive. While the database was quickly taken offline, an analysis of the data showed that, though much of the data belonged to U.S. citizens, millions of others were from South America and Europe.
Hundreds of COVID-19 Scam Sites Taken Down by HMRC
Her Majesty’s Revenue & Customs (HMRC) has recently taken down nearly 300 COVID-related scam sites and domains. Hackers are opportunistic and have taken to preying on people trying to get information on the current pandemic but are finding themselves as victims of financial scams and phishing attempts. Fortunately, many organizations have taken up the cause of identifying and removing these harmful sites.
Nearly One Million WordPress Sites Under Attack
At least 24,000 unique IP addresses have been identified in a series of on-going attacks targeting vulnerabilities in more than 900,00 WordPress sites. Many vulnerabilities have been patched in recent months, but some sites have yet to update their plugins and remain at risk. The attacks inject malicious scripts into website headers when the WordPress user is logged in. Otherwise, the victim is redirected to another malicious advertisement, in hopes of gaining some profitable information.
Tokopedia Breach Leaves 91 Million User Records Up for Grabs
Over 91 million user records belonging to Tokopedia, a major Indonesian e-commerce firm, were recently found for sale on a dark web. The sale offered records for 15 million individual, likely stolen during a security incident in March, for $5,000. With millions of users and merchants using the site regularly, the company has issued a notice for users to change passwords as they investigate the breach.
Ransomware Demanding More as Corporations Continue to Payout
In recent fiscal quarters, the earnings for Sodinokibi and Ryuk ransomware have been rising steadily as SMBs and corporations are increasingly paying ransoms for data. Over the first quarter of 2020, the average ransom payout hovered around $111,000. A year prior, the average neared only $12,000 for large companies, typically very willing to pay for the quick return of their data, so limiting the amount of downtime an attack may cause. The top earning ransomware variants, Ryuk and Sodinokibi, both have shifted their focus from service providers to carefully targeted large corporations and have even pushed ransom demands over $1 million in some instances.
Poor Password Practices: The Curse of the Cybersecurity Risk Index Score
Your password passing habit may not be as be as harmless as you think. And yes, that includes Netflix login info too.
That’s one finding to come out of our newly released study of 2020’s Most (and Least) Cyber-Secure States. In this year’s analysis of the cyber readiness of all 50 U.S. states, and in partnership with Wakefield Research, we created a “Cyber Risk Hygiene Index” based on 10 metrics meant to measure individual and state-level cyber resilience against adverse online events.
Unfortunately for many Americans, two of those cyber hygiene metrics involved questions about their password habits:
- Do you avoid sharing passwords with others?
- Do you avoid reusing passwords?
Now, these questions weren’t the only reason no American received a passing grade on our Cyber Risk Hygiene Index, or that no state scored higher than a D, but they didn’t help. In all, the report found that more than one-third (34%) of Americans admit to sharing passwords and login credentials with others. Nearly half (49%) report having more accounts than passwords, meaning passwords are being reused across accounts.
Perhaps even more troubling is the finding that sharing passwords for streaming services—that famously widespread and supposedly benign new-age habit—has a worrying correlation: Americans who share passwords for streaming services (38%) are twice as likely to say they have had their identity stolen than those who do not (18%).
This is alarming because sharing and reusing passwords is especially dangerous during this golden age of phishing attacks. It means that, as soon as a cybercriminal achieves success in one phishing attack, those pinched credentials are likely to work for several other popular sites. A single successful phishing expedition could yield catches on banking sites, credit card applications, online marketplaces, and in a host of other potentially lucrative instances.
Even by sharing passwords with those a smidge less than trustworthy—or just careless—you’re increasing your attack surface area. Now that network of individuals who now have access to your accounts are susceptible to giving your information away if they take the bait in a phishing attack.
“Instead of giving away the keys to the guest room when you share passwords, it’s more like giving away keys to the castle if they are reused across multiple accounts,” says Webroot threat analyst Tyler Moffitt, “you could begiving away the keys to the whole kingdom if that’s the only password you use.”
More password facts from the report
- Tech Experts, one of the riskiest categories of users studied in our report, are more likely to share passwords (66%) than the average American (44%). Clearly, we at Webroot are in no position to point fingers.
- On brand, 66 percent of so-called “Mile Markers” refrained from sharing passwords, compared to 63 percent for the average American. This group scored the highest on our index and is defined by having progressed through life markers such as earning a degree, owning a home, or having children.
- Home-based Very Small Businesses (VSBs) are less likely to work with a dedicated IT team. As a result, they are more likely to use their personal devices for work and share passwords. Of these, 71 percent use the same passwords for home and business accounts, potentially cross contaminating their work and personal lives with the same security gaps.
- By generation, Gen Z is most likely to share passwords (56%), followed by Millennials (47%), Gen X (33%), and Boomers (19%).
How to address poor password practices
In terms of a personal password policy, it’s important to set yourself up for success. Yes, it’s true the amount of passwords one is responsible for can be dizzying, 191 per business according to one popular study.
That, and the parameters for creating a sound password seemingly grow more complex by the day. It used to be enough just to have a password. But now, they must be x characters long, contain one number and one special characters and so-on… And did we mention we recommend it be a passphrase, not a traditional password?
You get the gist.
That’s why our single strongest piece of advice to users looking to upgrade their cyber resilience is to use a password manager. This allows you to create long, alphanumeric and otherwise meaningless passwords without the need to keep tabs on them all.
After you’ve created a strong bank of passwords, managed through a password management service, supplement your security by adding two-factor authentication (2FA). Measures like 2FA pair your login credentials—something you know—with something you have, like a biometric feature or a mobile phone. This will ensure lifting your password (a unique one for each account, no doubt) isn’t even enough to crack your account.
“Put simply, an account simply isn’t as secure as it could be without 2FA,” says Moffitt. “And that means your credit card info, home address, or bank accounts aren’t as safe as they could be.”
No more reusing passwords. And, hopefully, no more sharing passwords. But that part’s up to you. You just have to ask yourself, is Netflix access worth having your identity stolen?
Mental Health and Mindful Tech
Anyone who has spent late nights scrolling through their social media feed or grinding on video games knows one thing is true: Technology can be a good thing, but only in moderation. Like too much of anything, spending a lot of time on the internet or social media can lead to unhealthy consequences. Since May is mental health awareness month, we thought it would be a good time to remind ourselves of the importance finding a healthy balance when it comes to using technology.
Social distancing on social media
The global coronavirus pandemic continues to test our own personal resilience. While most of us are sheltering at home, we’re also relying more and more on technology for work and staying connected to family and friends via virtual conferencing and social media. But too much social media can be a bad thing, too.
The more scientists study social media use, the more they find negative side effects:
- Young people who use social media more than two hours a day tend to rate their mental health as fair or poor compared with less frequent users.
- Occasional users of social media are almost 3x less likely to be depressed than heavy users.
- People who restrict social media use to a half-hour a day have significantly lower depressive and anxiety symptoms.
If you’re someone who finds periods of abstention reinvigorating, you may want to add a digital detox to go along with New Year’s resolutions and Sober October.
Data loss blues
When you spend a lot of time on a computer, it’s only a matter of time before you lose something important. It could be financial documents, or an album of precious family photos, or maybe a big work presentation. Worse yet, you could have your entire system taken over by ransomware. Stressed yet? You’re not alone. We asked IT pros what they would rather lose than their data and here’s what they had to say:
Things IT pros would rather lose than data:
- Internet connection
- Cell service
- Internal organ
- Wedding ring
- Robot lawnmower
- Bacon
That’s right. Bacon! Kidding aside, losing data can be stressful. And many businesses don’t survive after major data loss. That’s why using strong cybersecurity solutions, like cloud-based antivirus, is so important, as is backing up the important files and folders on your computer. Do it for the sake of your data, or do it for the bacon, but just do it! You’ll thank us.
Technology never sleeps
If you think it’s hard for those just using technology, think of the people who have to work in technology. If you’ve ever thought about a career in tech, you better like the night shift. Technology never sleeps. The best time to perform upgrades or installations is late at night when most users are offline and there’s less traffic on the network. Want to launch a new website? Midnight is probably the best time. But all this late-night system testing and debugging can lead to loss of sleep and, in turn, an unhealthy dose of stress.
And it’s not just tech pros doing tech things late at night. If you’re up late scrolling your feed and posting comments, you may not be sleeping as well as you should. The blue light from phone screens and computers reduce your levels of melatonin, which is the hormone that controls your sleep. And lack of sleep can lead to several harmful side-effects, including:
- Anxiety, insomnia, depression, forgetfulness
- Impaired thinking and slow reaction time
- Increased risk for heart disease, high blood pressure, stroke and diabetes
- Sleep apnea, low testosterone and decreased sex drive
- Skin lines, dark circles under the eyes, weight gain
So, avoid using tech too close to bedtime if you can. Reduced stimulation works wonders for good sleep habits. The news will still be there in the morning.
There’s an app for that
It’s not all doom and gloom when it comes to technology and mental health. In fact, advancements in health technology are emerging at a rapid rate. One area of progress is apps that help people with mental health issues. The National Institute of Mental Health has identified several promising trends, including:
- Apps that provide tools for managing stress, anxiety and sleep problems
- Cognitive remediation apps that help people develop thinking and coping skills
- Illness management apps that put trained health care providers in touch with patients
- Mindfulness, meditation and relaxation apps
Resilience online and offline
It’s a measure of our personal resilience when we’re able to persevere through something as disruptive as coronavirus. Having social media and the internet can help. But we have to be mindful to avoid overdoing it. We also have to be careful to protect the digital devices we’ve come to rely on with appropriate cybersecurity. That’s cyber-resilience. And it can do wonders for your peace of mind and your overall mental health.
Cyber News Rundown: Hackers Aim at Oil Producers
As Oil Prices Drop, Hackers Take Aim at Producers
With the recent crash in oil prices, and supply rapidly piling up, a new spear phishing campaign has begun targeting executives at several major oil producers. A massive number of emails started being distributed in late March, without the telltale signs of amateur phishing like bad spelling and grammar. Furthermore, the emails appeared to be from a sender with knowledge of the oil and gas industry. Two documents within the emails posed as bid contracts and proposal forms but were used to deliver the final payload, a trojan called Agent Tesla, which is a malware-as-a-service that can perform a variety of malicious activities on a system.
Software Affiliates Sending Phony Expiration Notices
Several dubious third-party software affiliates have been spotted distributing a campaign targeting antivirus users, prompting them to renew their subscription through the affiliate’s link, thus netting them additional revenue. Most affiliate programs have strict guidelines as to how the company can promote the affiliated software, and purposely misleading customers can lead to major penalties. Emails displaying expiration notices for Norton and McAfee have both been identified. With a percentage commission, the affiliate could be earning up to 20% of the purchase price for each fraudulent sale.
Philadelphia Sandwich Chain Faces Data Breach
PrimoHoagies, a Philadelphia-based sandwich chain, was the unsuspecting victim to a data breach that went undetected from July 2019 until this February. The breach affected all online sales during that time period, though no in-store purchase data was compromised. By April, the company released an official statement regarding the breach. But the admission came only days before a data security lawsuit was filed by a customer who had seen fraudulent charges on his credit card.
Decryption Keys for Shade Ransomware Made Available
After nearly five years of operation, the creators of Shade ransomware have decided to close shop and give out nearly 750,000 decryption keys along with an apology for harm done. While most ransomware variants tend to purposely avoid Russia and Ukraine, Shade focused specifically on these two countries during its run. Though the many decryption keys and master keys have been made public, the instructions for recovering the actual files are not especially user-friendly and a full decryption tool has not yet been released.
ExecuPharm Hit with Ransomware Attack
One of the largest pharmaceutical companies in the U.S. recently suffered a ransomware attack that not only encrypted their systems but also gain access to a trove of highly sensitive personal information belonging to thousands of clients. It is believed that the attack started with in mid-March with phishing emails targeting specific employees with the widest access to internal systems. At this time, there is no confirmed decryption tool for the ransomware variant used and the company has begun contacting affected customers.
5 Ways to Improve Business Cyber-Resilience
A popular military maxim speaks to the need for redundancy and it goes like this: “Two is one and one is none.” Redundancy is also a key principle when it comes to cyber-resilience. A popular rule in data protection and disaster recovery is called the 3-2-1 backup rule. IT pros often borrow from military strategies when approaching cyber-resilience, including a strategy known as “defense in depth.”
Defense in depth is a useful framework for protecting IT environments. It acknowledges that hackers will often use evasive tactics or brute force to overrun the outer-most layer of defense. So, multiple layers of defense are necessary – or defense in depth – to anticipate and mitigate lost ground. Cyber-resilience is a very high priority for businesses. So, we put together these five tips for improving cyber-resilience based on a defense-in-depth approach.
Tip #1: Sharpen perimeter defenses
Cybercriminals are getting better at using evasive tactics to circumvent company firewalls and antivirus. Some of these evasive tactics include file-based, file-less, obfuscated and encrypted script attacks. To counter these tactics, we’re rolling out a new shield technology to detect, block and remediate evasive attacks much faster and more effectively than before. Webroot® Evasion Shield stops attacks that elude other endpoint protection solutions. Cloud-based threat intelligence further increases resilience at the perimeter.
Tip #2: Strengthen the first line of defense – people
The primary vector for malware distribution is phishing attacks. While cybercriminals find increasingly deceptive ways to trick employees into downloading malicious code, not enough businesses are countering by educating their workforces about identifying suspicious activity. With employees being the weakest link in the cyber-security chain, the solution is regular security awareness training, with phishing simulations and courses on best practices for identifying and reporting suspicious activity.
Tip #3: Secure your DNS connection
The domain name system (DNS) is what allows internet traffic to find your website. But DNS protocols were not designed for security. In fact, they’re highly vulnerable to cyberattacks, including cache poisoning, DDoS, DNS hijacking, botnets, Command-and-Control (C&C) and man-in-the-middle attacks. A cloud-based DNS security solution enables businesses to enforce web access policies and stop threats at the network’s edge before they ever hit the network or endpoints.
Tip #4: Create and deploy a backup strategy
Redundancy is essential for cyber-resilience. Businesses must consider a scenario where malware circumvents outer defenses. Since detecting and remediating malware infections can be time-consuming, it’s important to have copies of files and data for business continuity. Scheduled backup with file versioning is necessary for mitigating malware infections and other forms of data loss. The scheduling feature is crucial since leaving it up to users exposes backup policy to human error.
Tip #5: Test recovery strategy regularly
Backup and recovery go hand-in-hand. And backup is only effective if it enables rapid recovery with minimal disruption. It’s important to test disaster recovery practices and procedures before you experience a live disaster scenario. Disasters come in different shapes and sizes, so it’s important to test simple file and folder recovery as well as large-scale system restore. Also, some systems are more critical than others. Tier-one systems (the most critical) need high levels of uptime, approaching 100%. This traditionally requires a secondary data center that is very costly to acquire and maintain. This is no longer the case. Disaster recovery as a service reduces the cost of standing up a secondary environment. It also allows for frequent testing of disaster recovery protocols. Businesses should test once a quarter – or at least once a year – to ensure systems are cyber-resilient when necessary.
To get started on the road to cyber resilience, take a fee trial here.
Cyber News Rundown: Ransomware Hits LA Suburbs
Los Angeles Suburb Hit with Ransomware
Last month, the City of Torrance, California fell victim to a ransomware attack that shut down many of their internal systems and demanded 100 Bitcoins to not publish the stolen data. Along with the roughly 200GB of data it stole from the city, the DoppelPaymer ransomware also deleted all local backups and encrypted hundreds of workstations. At this time, it’s uncertain whether the City of Torrance has chosen to pay the ransom, as the malware authors seem to have diligently removed any means for the City to recuperate on their own.
Malicious Packages Hidden Within Popular File Repository
Over 700 malicious packages have been discovered within the RubyGems main program and file repository. These originated from just two accounts and were uploaded over a single week period in late February. Between them, the many packages have a combined download number of over 100,000, most of which included a cryptocurrency script that could identify and intercept cryptocurrency transactions being made on Windows® devices. While this isn’t the first time malicious actors have used open source file repositories to distribute malicious payloads, this infiltration of an official hub for such a long period of time speaks to the lack of security within these types of systems.
Maze Ransomware Targets Cognizant ISP
Late last week, the Maze Ransomware group took aim at New Jersey-based internet service provider, Cognizant, and took down a significant portion of their internal systems. The attack occurred just a day after the removal of a dark web post that offered access to an IT company’s systems for $200,000. It had been listed for nearly a week. While Cognizant has already begun contacting its customers about the attack, the true extent of the damage remains unclear.
COVID-19 Scams Net $13 Million
The Federal Trade Commission recently released statistics on the number of complaints they’ve received specifically related to the COVID-19 pandemic: it’s over 17,000 in just a three-month period. While this number is assuredly less than the actual number of COVID-19 related scams, these reported complaints have resulted in a sum of over $13 million in actual losses, ranging from fraudulent payments to travel cancellations and refunds. Additionally, the FTC was able to catalogue over 1,200 COVID-19 related scam calls reported by people on the Do Not Call list.
Customer Data Stolen from Fitness App
A database belonging containing 40GB of personally identifiable information on thousands of customers of the fitness app, Kinomap, was found unsecured. Containing a total of 42 million records, the database remained accessible for nearly 2 weeks after the company was informed. It was only secured at last after French data protection officials were notified. Kinomap API keys were also among the exposed data, which would have allowed malicious visitors to hijack user accounts and steal any available data.
The Truth about Hackers, in Black and White (and Grey)
Did you know there are three primary types of hacker—white hats, black hats, and grey hats—and that there are subcategories within each one? Despite what you may have heard, not all hackers have intrinsically evil goals in mind. In fact, there are at least 300,000 hackers throughout the world who have registered themselves as white hats.
Also known as ethical hackers, white hats are coders who test internet systems to find bugs and security loopholes in an effort to help organizations lock them down before black hat hackers, i.e. the bad guys, can exploit them. Black hats, on the other hand, are the ones we’re referring to when we use words like “cybercriminal” or “threat actor.” These are hackers who violate computer security and break into systems for personal or financial gain, destructive motives, or other malicious intent.
The last of the three overarching types, grey hat hackers, are the ones whose motives are, well, in a bit of a grey area. Similar to white hats, grey hats may break into computer systems to let administrators know their networks have exploitable vulnerabilities that need to be fixed. However, from there, there’s nothing really stopping them from using this knowledge to extort a fee from the victim in exchange for helping to patch the bug. Alternatively, they might request a kind of finder’s fee. It really depends on the hacker.
So, hackers can be “good guys”?
Yes, they absolutely can.
In fact, there’s even an argument that black hats, while their motivations may be criminal in nature, are performing a beneficial service. After all, each time a massive hack occurs, the related programs, operating systems, businesses, and government structures are essentially shown where and how to make themselves more resilient against future attacks. According to Keren Elezari, a prominent cybersecurity analyst and hacking researcher, hackers and hacktivists ultimately push the internet and technology at large to become stronger and healthier by exposing vulnerabilities to create a better world.
White hat hackers, also known as ethical hackers, are cybersecurity defenders who use their skills to protect organizations from cyber threats. They might just be your friendly IT colleague. White hat hackers conduct penetration tests (often known as pen testing) and vulnerability assessments to identify security weaknesses that could be exploited by malicious hackers. With a deep understanding of cyber threats, white hat hackers help organizations strengthen security measures, develop more secure systems, and ensure the safety of digital assets. Their work is crucial in maintaining the integrity and confidentiality of sensitive information. Ethical hacking is a respected field within the IT industry, and white hat hackers are often sought after for their expertise in safeguarding cyber environments.
Why do they hack?
The shortest, simplest answer: for the money.
While white and grey hat hackers have altruistic motives in mind and, at least in the former group, are invested in ensuring security for all, the fact of the matter is that there’s a lot of money to be made in hacking. The average Certified Ethical Hacker earns around $91,000 USD per year. Additionally, to help make their products and services more secure, many technology companies offer significant bounties to coders who can expose vulnerabilities in their systems. For example, Apple offered a reward of $1.5 million USD last year to anyone who could hack an iPhone to find a serious security flaw. There are even groups, such as HackerOne, which provide bug bounty platforms that connect businesses with ethical hackers and cybersecurity researchers to perform penetration testing (i.e. finding vulnerabilities). Multiple hackers on the HackerOne bug bounty platform have earned over $1 million USD each.
And for black hats, theft, fraud, extortion, and other crimes can pay out significantly more. In fact, some black hats are sponsored by governments (see the Nation-State category below).
You mentioned subtypes. What are they?
As with many groups, there’s a wide range of hacker personas, each with different motivations. Here are a few of the basic ones you’re likely to encounter.
Script Kiddies
When you picture the stereotypical “hacker in a hoodie”, you’re thinking of a Script Kiddie. Script Kiddies are programming novices who have at least a little coding knowledge but lack expertise. Usually, they get free and open source software on the dark web and use it to infiltrate networks. Their individual motives can place them in black, white, or grey hat territory.
Hacktivists
Ever hear of a group of hackers called Anonymous? They’re a very well-known example of a hacktivist group who achieved notoriety when they took down the CIA’s website. Hacktivists are grey hat hackers with the primary goal of bringing public attention to a political or social matter through disruption. Two of the most common hacktivist strategies are stealing and exposing sensitive information or launching a denial of service (DDoS) attack.
Red Hats
Red hats are sort of like grey hats, except their goal is to block, confound, or straight-up destroy the efforts of black hat hackers. Think of them like the vigilantes of the hacker world. Rather than reporting breaches, they work to shut down malicious attacks with their own tools.
Green Hats
Green hat hackers are hackers who are new to the hacking world. They lack the skills and knowledge of their fellow black or white hat hackers. But they cause just as much damage as black hat hackers, as they try to hone their hacking skills. Sadly, most of the time, green hat hackers cannot fix what they break.
Nation-State
Remember earlier in this post when we mentioned that some black hats are sponsored by governments? That would be this group. Nation-state hackers are ones who engage in espionage, social engineering, or computer intrusion, typically with the goal of acquiring classified information or seeking large ransoms. As they are backed by government organizations, they are often extremely sophisticated and well trained.
Malicious Insiders
Perhaps one of the more overlooked threats to a business is the malicious insider. An insider might be a current or former employee who steals or destroys information, or it might be someone hired by a competitor to infiltrate an organization and pilfer trade secrets. The most valuable data for a malicious insider is usernames and passwords, which can then be sold on the dark web to turn a hefty profit.
What are your next steps?
Now that you better understand the hacker subtypes, you can use this information to help your organization identify potential threats, as well as opportunities to actually leverage hacking to protect your business. And if you haven’t already, check out our Lockdown Lessons, which include a variety of guides, podcasts, and webinars designed to help MSPs and businesses stay safe from cybercrime.
Beyond the educational steps you’re taking, you also need to ensure your security stack includes a robust endpoint protection solution that uses real-time threat intelligence and machine learning to prevent emerging attacks. Learn more about Webroot® Business Endpoint Protection or take a free trial here.
DNS is on the Verge of a Major Overhaul
“One of the things about working in internet technology is nothing lasts forever… [Students] come to me and they say, ‘I want to do something that has an impact 20, 50, or 100 years from now.’ I say well maybe you should compose music because none of this technology stuff is going to be around that long. It all gets replaced.” -Paul Mockapetris, co-inventor of the domain name system (DNS)
As foresighted as he may have been, the DNS inventor Paul Mockapetris got one thing wrong in a retrospective interview about his contribution to internet history. Namely, some aspects of technology do have at least 20-year staying power. In this case, his own invention: the domain name system.
But DNS, just three years shy of its fortieth birthday, is on the cusp of a major reimagining. One that could enhance the privacy of business and private users alike for some time to come. According to some experts, it may even be worthy of the title “DNS 2.0.”
The Problem with DNS Today
While DNS has evolved significantly in the more than 35 years since originally conceived, the skeletal structure remains much the same. DNS is the internet’s protocol for translating the URLs humans understand into the IP addresses machines do.
The problem is that this system never meant to consider privacy or security. With DNS today, requests are made and resolved in plain text, providing intrusive amounts of information to whomever may be resolving or inspecting them. That is most likely an internet service provider (ISP), but it may be a government entity or some other source. In authoritarian countries, governments can use this information to prosecute individuals for visiting sites with outlawed content. In the United States, it’s more likely to be monetized for its advertising value.
“The problem with DNS is it exposes what you’re doing,” says Webroot product manager and DNS expert Jonathan Barnett. “If I can log a user’s DNS requests, I can see when they work, when they don’t, how often they use Facebook, the Sonos Speakers and Google Nests on their network, all of that. From a privacy perspective, it shows what on the internet is associating with me and my network.”
This can be especially problematic in terms of home routers. Whereas business networks tend to be relatively secure—patched, up-to-date, and modern—”everyone’s home router tends to be set up by someone’s brother-in-law or an inexperienced ISP technician,” warns Barnett. In this case, malicious hackers can change DNS settings to redirect to their own resolvers.
“If you bring a device onto this network and try to navigate to one of your favorite sites, you may never wind up where you intended,” says Barnett.
In the age of COVID-19, it’s becoming an even bigger problem for employers. With a larger workforce working from home than perhaps ever before, traditional defenses at the network perimeter no longer remain.
“To maintain resilience,” says Barnett, “companies need to extend protection beyond the business network perimeter. One of the best ways to do that is through DNS protection that ensures requests are resolved through a trusted resolver and not a potentially misconfigured home network.”
DoH: The Second Coming of DNS
In response to these concerns, DNS over HTTPS (DoH) offers a method for encrypting DNS requests. Designed by the Internet Engineering Task Force, it leverages HTTPS privacy standard to mask these requests from those who may seek to use the information improperly. The same encryption standards used by banks, credit monitoring services, and other sites dealing in sensitive information display to prove their legitimacy is also used with DoH.
It does this by effectively ‘wrapping’ DNS requests with the HTTPS encryption protocols to ensure the server you connect with is the server you intended to connect with and that no one is listening in those requests, because all the traffic is encrypted.
“It makes sure no one is messing with a user by changing the results of a request before it’s returned,” says Barnett.
In addition to improving privacy around device usage—remember any internet-connected device needs to “phone home” occasionally, therefore initiating a DNS request—DoH also addresses several DNS-enabled attack methods. This includes DNS spoofing, also called DNS hijacking, whereby cybercriminals redirect a DNS request to their own servers in order to spy on or alter communications. By encrypting this traffic, it essentially becomes worthless as a target.
So, while the domain name system has served the internet and its users well for decades, the time may have come for a change.
“The creators of DNS, in their wildest dreams, imagined the system may be able to accommodate up to 50 million domains. We’re at 330 million now. It’s amazing what they achieved,” says Barnett. “But DNS needs to evolve. It’s been a great tool, but it wasn’t designed with privacy or security as a priority. DoH represents the logical evolution of DNS.”
Toward A DoH-Enabled Future
Several major tech players, like Mozilla with its Firefox browser, have already made the leap to using DoH as its preferred method of resolving requests. Many companies, however, would prefer to retain control of DNS and are concerned about applications making independent rogue DNS requests. Losing this control can compromise security as it limits the ability of a business to filter and process these requests.
As application creators strive for better privacy for their users and business always look improve security, a balance must be found. By limiting whether applications can enable DoH, Webroot® DNS Protection has designed its agent to retain control of DNS requests, and while also running each request through Webroot’s threat intelligence platform, both privacy and security is improved.
It’s next release, expected in the coming months, will be fully compatible with the new DoH protocol in service to the security and privacy of its users.
Cyber News Rundown: Ransomware Wrecks Florida City
Florida City Sees Lasting Effects of Ransomware Attack
Nearly three weeks after the City of Jupiter, Florida suffered a ransomware attack that took many of their internal systems offline, the city has yet to return to normal. City officials announced they would be working to rebuild their systems from backups, rather than paying any ransom, and were able to get their main website up and running again, along with many essential services. The timing of the attack couldn’t have been worse, as most of the City’s staff were under lockdown and unable to access compromised machines in a quick and safe manner.
Hackers Breach San Francisco International Airport
Late last Month, Russia-based hackers attempted to breach the internal networks of San Francisco International Airport using a simple injection script to obtain employee credentials. By forcing the use of the SMB file-sharing protocol, the hackers could quickly grab the usernames and hashed passwords, which would then allow them to deploy any number of malicious payloads or access extremely sensitive information. Shortly after the attack was detected and subsequently ended, the IT staff issued a forced password reset for all staff in hopes of minimizing any further damage.
Critical Exploits Patched by Microsoft
Recently, Microsoft patched three zero-day exploits that could allow remote code execution, privilege increases, and even creating new accounts with full OS permissions. Two of the patched flaws related to the Adobe Type Manager Library and were functional on multiple Windows® operating systems, but performed different tasks based on the environment in which they were deployed.
DDoS Suspect Arrested in Netherlands
Two Dutch government websites that were created to distribute information related to the COVID-19 pandemic fell victim to a DDoS attack for several hours. Dutch authorities, who have been heavily involved in many cybersecurity operations, have arrested at least one suspect and shut down 15 sites offering DDoS services. Hopefully, the shutdowns will help reduce the number of these types of attacks going forward.
RagnarLocker Takes Down Portuguese Energy
One of the largest energy providers in Europe, Energias de Portugal (EDP), became the victim of a ransomware attack that used the RagnarLocker variant. In exchange for the estimated 10TB of data stolen during the attack, attackers demanded a ransom of $10.9m to be paid in cryptocurrency. The authors behind RagnarLocker have already begun posting segments of the stolen data to their main website, along with the promise to release the rest and make their entire client list aware of the breach, if the ransom isn’t met.
What’s Behind the Surge in Phishing Sites? Three Theories
One of the most notable findings to come from the Webroot 2020 Threat Report was the significant rise in the number of active phishing sites over 2019—a 640% rise, to be exact. This reflects a year-over-year rise in active phishing sites, but it’s important to keep this (dangerous) threat in context.
“Of all websites that host malicious content, phishing historically has been a minority,” says Webroot Security Analyst Tyler Moffitt. “While it’s growing quite a bit and a significant threat, it’s still not a large percentage of the websites being used for malicious content. Those would be things like botnets or malware hosting.”
This traditional low instance rate is likely one explanation—or at least a portion of an explanation—that’s led to such a gaudy increase in the number of active sites.
Here are three other factors that may have contributed to the rise.
The diversification of attacks
Since first being described in a 1987 paper, phishing attacks have diversified considerably. While it was once reliably email-based with a broad scope, it now entails malware phishing, clone phishing, spear phishing, smishing, and many more specialized forms. Inevitably, these strains of attack require landing pages and form fields in for users to input the information to be stolen, helping to fuel the rise in active phishing sites.
Spear phishing—a highly targeted form of phishing requiring cybercriminals study their subject to craft more a realistic lure—has turned out to be a lucrative sub-technique. This has likely contributed to more cybercriminals adopting the technique over mass-target emails pointing to a single source. More on profitability later.
Check out this infographic for 5 tips on recognizing a phishing email.
Opportunism
After years of studying phishing data, it’s clear that the number of active phishing sites rises predictably during certain times of the year. Large online shopping holidays like Prime Day and Cyber Monday inevitably precipitate a spike in phishing attacks. In another example, webpages spoofing Apple quadrupled near the company’s March product release date, then leveled off.
Uncertainty also tends to fuel a rise in phishing sites.
“Not only do we always see a spike in phishing attacks around the holidays,” says Moffitt, “It also always happens in times of crisis. Throughout the COVID-19 outbreak we’ve followed a spike in phishing attacks in Italy and smishing scams promising to deliver your stimulus check if you click. Natural disasters also tend to bring these types of attacks out of the woodwork.”
The year 2019 was not without its wildfires, cyclones, and typhoons, but it’d be safe to suspect the number of phishing sites will grow again next year.
Short codes and HTTPs represent more phishing opportunities for cyber criminals. Malicious content is now often hosted on good domains (up to a quarter of the time, according to our Threat Report). Short codes also have the unintended consequence of masking a link’s destination URLs. Both these phenomena make it more difficult to identify a phishing attack.
“All of sudden these mental checks that everyone was told to use to sniff out phishing attacks, like double-checking URLs, no longer hold,” says Moffitt.
Profitability
Let’s face it, this is the big one. The rise in popularity of shared drives makes it more likely that any single phishing success will yield troves of valuable data. Compromising a corporate Dropbox account could easily warrant a six-figure ransom, or more, given the looming threat of GDPR and CCPA compliance violations.
“A few years ago, most of the targets were financial targets like PayPal and Chase,” according to Moffitt. “But now they are tech targets. Sites like Facebook, Google, Microsoft, and Apple. Because shared drives offer a better return on investment.”
Even for private individuals, shared drives are more bang for the buck. Credentials which can easily lead to identity theft can be sold on the dark web and, given the rampant rates of password re-use in the U.S., these can be cross-checked against other sites until the compromise spirals.
Finally, phishing is profitable as an initial entry point. Once a cybercriminal has accessed a business email account, for instance, he or she is able to case the joint until the most valuable next move has been determined.
“It’s a really lucrative first step,” says Moffitt.
Don’t take the bait
Installing up-to-date antivirus software is an essential first step in protecting yourself from phishing attacks. Features like Webroot’s Real-Time Anti-Phishing Shield can help stop these attacks before a user has the chance to fall for it. Continual education is equally as important. Webroot data shows that ongoing phishing simulations can lower click-through rates significantly.
The Problem with HTTPS
Despite the intent of ensuring safe transit of information to and from a trusted website, encrypted protocols (usually HTTPS) do little to validate that the content of certified websites is safe.
With the widespread usage of HTTPS protocols on major websites, network and security devices relying on interception of user traffic to apply filtering policies have lost visibility into page-level traffic. Cybercriminals can take advantage of this encryption to hide malicious content on secure connections, leaving users vulnerable to visiting malicious URLs within supposedly benign domains.
This limited visibility affects network devices that are unable to implement SSL/TLS decrypt functionality due to limited resources, cost, and capabilities. These devices are typically meant for home or small business use, but are also found in the enterprise arena, meaning the impact of this limited visibility can be widespread.
With 25% of malicious URLs identified by Webroot hosted within benign domains in 2019, a deeper view into underlying URLs is necessary to provide additional context to make better, more informed decisions when the exact URL path isn’t available.
Digging Deeper with Advanced Threat Intel
The BrightCloud® Web Classification and Web Reputation Services offers technology providers the most effective way to supplement domain-level visibility. Using cloud-based analytics and machine learning with more than 10 years of real-world refinement, BrightCloud® Threat Intelligence services have classified more than 842 million domains and 37 billion URLs to-date and can generate a predictive risk score for every domain on the internet.
The Domain Safety Score, available as a premium feature with BrightCloud® Web Classification and Reputation services, can be a valuable metric for filtering decisions when there is lack of path-level visibility on websites using HTTPs protocols. Even technology partners who do have path-level visibility can benefit from using the Domain Safety Score to avoid the complexity and compliance hurdles of deciding when to decrypt user traffic.
The Domain Safety Score is available for every domain and represents the estimated safety of the content found within that domain, ranging from 1 to 100, with 1 being the least safe. A domain with a low score has a higher predictive risk of having content within its pages that could compromise the security of users and systems, such as phishing forms or malicious downloads.
Using these services, organizations can implement and enforce effective web policies that protect users against web threats, whether encrypted through HTTPs or not.
Devising Domain Safety Scores
As mentioned, a Domain Safety Score represents the estimated safety of the content found within that domain. This enables better security filtering decisions for devices with minimal page-level visibility due to increasing adoption of HTTPS encryption.
How do we do it?
BrightCloud uses high-level input features to help determine Domain Safety Scores, including:
- Domain attribute data, including publicly available information associated with the domain, such as registry information, certificate information, IP address information, and the domain name itself.
- Behavioral features obtained from historical records of known communication events with the domain, gathered from real-world endpoints.
- A novel deep-learning architecture employing multiple deep, recurrent neural networks to extract sequence information, feeding them into a classification network that is fully differentiable. This allows us to use the most cutting-edge technology to leverage as much information possible from a domain to determine a safety score.
- Model training using a standard backpropagation through time algorithm, fully unrolling all sequences to calculate gradients. In order to train such a network on a huge dataset, we have developed a custom framework that optimizes the memory footprint to run efficiently on GPU resources in a supercomputing cluster. This approach allows us to train models faster and iterate quickly so we can remain responsive and adapt to large changes in the threat landscape over time.
A secure connection doesn’t have to compromise your privacy. That’s why Webroot’s Domain Safety Scores peek below the domain level to the places where up to a quarter of online threats lurk.
Learn more about Domain Safety Scores, here.