One of the reasons why there’s so much cybercrime is because there are so many ways for cybercriminals to exploit vulnerabilities and circumvent even the best defenses. You may be surprised to find that one of the biggest vulnerabilities is users. Many successful attacks could actually be prevented if users just knew what to look for. In that spirit, we put together this blog post to explain the different hacker types and methods they use against us.

For even more tips from Webroot IT security experts Tyler Moffitt, Kelvin Murray, Grayson Milbourne, George Anderson and Jonathan Barnett, download the complete e-book on hacker personas.

Take a deep dive into the three main hacker types and get tips on how to defend against them by downloading the e-book, Hacker Personas: a deeper Look Into Cybercrime.

The Impersonator

Today’s cybercriminals are masters at exploiting basic human trust. Pretending to be someone else, these hackers manipulate their victims into opening doors to systems or unwittingly sharing passwords or banking details. This type of cybercriminal is skilled at masking their true intentions behind seemingly harmless requests or legitimate-looking websites. Impersonators are increasingly sophisticated, often hosting malicious content on legitimate sites.

The Opportunist

Opportunists exploit common human traits such as trust and familiarity. They rely on targeted or focused attacks, and carry out their crimes against specific businesses or individuals. These hackers thoroughly research their targets, often running tests before launching the actual attack. Opportunists look for existing weaknesses or vulnerabilities they can exploit at scale to pull as many victims as possible into their nets.

The Infiltrator

Infiltrators rely on virtual back doors and unprotected points-of-entry to slip through hidden

cracks. Hiding in the shadows, this type of cybercriminal watches and waits for the opportunity to invade systems. DNS (Domain Name System) is especially vulnerable. Once the criminal redirects internet traffic to malicious websites or takes control of servers, the damage is inevitable.

One of the most common methods of infiltration includes internet-based attacks, such as Denial of Service (DoS), Distributed Denial of Service (DDoS) and DNS poisoning. By default, DNS traffic is unencrypted, allowing internet service providers and other third parties to monitor website requests, surveil browsing habits, and even duplicate web servers to redirect traffic. However, cybercriminals can also use legal DNS traffic surveillance to their advantage.

Cybersecurity Tips for Individuals and Businesses

Aside from arming yourself with the knowledge you need to identify attacks, it’s important to install threat detection and remediation software on your devices. Be sure to update and patch software and firewalls as well as network security programs. You should also be skeptical of any requests for financial information or passwords, and scrutinize all COVID-related emails, links or apps. To learn more tips on how to identify and prevent attacks, download the complete e-book below.

For most small businesses, the chances of falling prey to a long-term covert surveillance operation by well-resourced, likely state-backed actors are slim. To recap, that is what the evidence suggests happened in the SolarWinds compromise discovered last December. Many believe the company’s Orion update was used to conduct cyber espionage for months prior to being discovered.

However, data shows the time to detect a data breach for businesses averages 280 days, according to research conducted by IBM and the Ponemon Institute; a significant gap between the time a network is compromised and its discovery. This shows that stealthily surveilling a network is not a tactic exclusive to highly sophisticated threat actors targeting enterprise businesses.

What would reducing the time to discovery mean for small businesses? Likely it would mean less of their data on the dark web, fewer important pieces of intellectual property leaked, ransomware attacks thwarted or less reputational damage to companies.

Here are some ideas IT admins can use to detect a network compromise sooner, potentially limiting the damage of an adverse cyber event.

Consider booby trapping your network

As swashbuckling as it sounds, adopting an “offensive defensive” posture against cyberattacks can help your organization level the playing field against attackers. Because so much of cybersecurity relies on passive forms of protection (think firewalls, antivirus solutions, password protection, etc.), hackers have an asymmetrical advantage when probing defenses. Passive protection is good and necessary, to be sure, but network “booby traps,” sometimes called canary tokens, can help reduce the advantage held by hackers.

These measures may include setting up a domain administrator account that is bound to look like a juicy target to a network intruder. It may be configured according to default settings or with a particularly weak password – some way that makes it easy for a determined hacker to access. Once inside, though, the intruder’s presence triggers alarms alerting IT staff that an attack is underway and even locking out the suspicious user.

Researchers have laid out several ways booby trapping could work, but all rely on the principal of an action being taken by an attacker that would typically not occur otherwise. While they may not reveal who is behind the attack or their motivations, booby traps trigger a response alerting admins and allowing time to react.

Configure and pay close attention to failed login attempts

Allowing attackers unlimited tries at cracking passwords is never wise, but sometimes the configurations for preventing this are overlooked. This is especially dangerous when remote desktop protocol (RDP) is enabled. RDP-enabled machines can often be located using search engines like Shodan.io, making them sitting ducks for attackers armed with brute-force tools.

When configured properly, however, RDP and other password protected tools should lock users out after a given number of incorrect attempts and alert an admin. This would force a user, legitimate or otherwise, to wait some predetermined time before attempting to login again. Reaching out to the locked-out user could then help determine if the credentials have been stolen or if it is a genuine case of “fat fingers.”

If credentials have been compromised, it is a good idea to force password resets and keep an eye out for further failed login attempts. If there is no limit to the number of times a password can be tried without being timed out, an organization may never know it is in an attacker’s crosshairs.

Monitor anomalous web traffic

Skilled threat actors like those involved in the SolarWinds attack take steps to conceal their true locations when attempting to compromise a network. This can prevent alarm bells from ringing when, suddenly, an IP address from Eastern Europe is trying to connect to a network housed in Silicon Valley. Other times, malicious hackers do not have the skills or resources to cover their tracks. Their attack may also be so broadly aimed they simply do not care to.

That is why the difference between looking for malware and looking for “weird stuff” matters. It takes time to gather the data to truly know what constitutes “anomalous activity,” but once it is there it can automatically alert admins when it occurs. This could include communication with previously unknown IP addresses or uncommon application traffic patterns. In other words, a platform that has never talked to a domain in China but now does so often should be cause for alarm.

Monitoring access lists, including who is logged into what and whether anything is out of the ordinary, is another good option for spotting potential breaches early on. These so-called “spot-checks” can be too resource intensive for small businesses without dedicated IT positions, and too expensive to farm out to MSPs, but they are good to consider for businesses with dedicated IT resources.

Staying on guard against attacks

The best strategies for ensuring cyberattacks are not successful – and do not go unnoticed if they do – involve a mix of active and passive defenses. But poor configurations can undermine both. While small businesses are unlikely to become targets of highly skilled state-sponsored attackers, there are steps they can still take to make sure defenses are not undermined by the same common tactics.  

Here are a few quick tips:

• Do not rely on the default configuration for RDP. Enforce 2FA and passwords time outs.
• Disable powerful tools like PowerShell, Office macros and WMI where not needed.
• Limit access rights on your internal network so that only those who need access have it.
• Strictly control access to the dev and QA processes if these take place within your organization.

While we can all rejoice that 2020 is over, cybersecurity experts agree we haven’t seen the last of the pandemic-related rise in cyberattacks. Throughout the last year, we’ve seen huge spikes in phishing, malicious domains, malware and more, and we don’t expect that to slow down. As employees around the world continue to work from home, 2021 is shaping up to be another year of record highs in terms of malicious online activity.

What is the cyber-demic?

Cybercriminals have always been opportunistic, taking advantage of all possible avenues that disrupt businesses, steal data, trick end users, and more to turn a profit. As the threat reports Webroot produces each year have shown — not to mention the increasing number of major hacks in the headlines — threats keep evolving, and their growth is often exponential. That means even before the pandemic, cyberattacks and resulting data loss were already becoming a case of “when,” not “if.”

Still, the COVID-19 pandemic brought unprecedented surges in threat activity as cybercriminals capitalized on chaos and security gaps caused by the switch to WFH. Particularly by targeting vaccine production and distribution, COVID-19 trackers, videoconference applications, and other pandemic-related topics in their scams, criminals have upped the ante on what would have already been a record year; hence “cyber-demic.”

What types of malicious activities should we expect?

“It’s all about data,” says Matt Seeley, senior solutions consultant at Carbonite + Webroot, OpenText companies.

“Whether you’re a business or an individual at home, your data is important to you. Not having access to corporate data can put companies out of business. Not having access to your personal files can also have devastating consequences. The scammers know how important data is. That’s why stealing it, misusing it, holding it for ransom, or threatening it in some other way is such an effective way to get what they want – i.e., the money.”

– Matt Seeley, sr. solutions consultant, Carbonite + Webroot, OpenText companies

Recent trends in ransomware back up these insights. Thought to be pioneered by the Maze ransomware group, a new tactic emerged in 2020 in which ransomware authors changed their business model. Instead of infiltrating systems to encrypt data and demand a ransomware to unlock it, they instead encrypted the data and further incentivized ransom payment by threatening to expose that data if the victim chose not to pay. Using leak/auction websites, criminals can display or auction off victim’s data to the highest bidder; the cake-topper here is that organizations that are subject to privacy regulations, such as GDPR, PCI, etc., would also have to pay the fines associated with improperly securing sensitive data.

Additionally, the modular nature of modern malware means many malware groups are teaming up to increase their chances of a successful payday. For example, a phishing email might drop a botnet/Trojan that listens for domain credentials. Once the criminals have domain credentials, they can disable security and/or tamper with backups. That way, when they eventually drop ransomware, businesses may have no choice but to pay, since their backups are also compromised.

How IT will Prevail in 2021

“The answer, once again, is data,” says Seeley, “though, in this case, it’s part of overall cyber fitness. If your data isn’t secured, properly segmented, backed up and tested, then 2021 is likely to be a bad year.”

Stressing the need to combine comprehensive cybersecurity layers with proven backup and disaster recovery solutions, Seeley explains, “To bring your cyber fitness up and become more resilient, I recommend businesses start off by assuming they will definitely get breached this year, even if they’ve been lucky and have never been breached before. Once you accept that as your foundation, you can prepare for it. It’s that preparation that’s going to be key.”

Here are his top 3 tips for businesses to stay safe.

1. Know your data.
   “This is the #1 most important advice I can offer. You can’t secure data if you don’t know where it lives or how important it is. The folks who don’t know their data, who don’t know all the places it resides, how up-to-date it is, or what kind of security it needs, are the ones who are going to suffer the worst if they get attacked or experience some kind of physical damage, like hardware failure or a natural disaster. They’re the ones who, even if they have backups in place, will go to restore their data and realize they don’t have the right information after all. You don’t want to have to learn that the hard way.”
2. Classify your data.
   “This is part of knowing your data. If you accept that the data breach is going to happen sooner or later, then you need to know which data is mission-critical to get through your day, vs. other historical data that is nice to have, but won’t make or break your business if you lose access for a little while. Once you know the timing of which systems and data need to be available this second and which ones can wait a few days or weeks, you can properly plan your disaster recovery strategy and choose the right backup solutions and schedules.”
3. Test your data recovery plan.
   “The biggest obstacle to your cyber fitness is overconfidence. Just because you have antivirus and backups doesn’t guarantee your protections will be there and functional when you need them. Bad actors are going to keep getting craftier. They’re going to keep finding new ways to target data. You need to regularly monitor and test your backup and disaster recovery strategy to ensure that your data is exactly as safe and available as you need it to be.”
   
   For more details on stress testing your disaster recovery plan, read his blog on the subject.

While these tips apply more to businesses than home users, Seeley says the same fundamental principles apply to anyone. “Think about all the data you could lose if your personal computer crashed right now and the hard drive died. Do you have it backed up? Are those backups secure? Do you know all the places your data lives? Do you have protection for it? Whether you’re a business, an MSP, a regular person at home, a student… These are the types of questions we should all be asking ourselves, so we can all be more resilient in this cyber-demic.”