April 22, 2021

Inside the Mind of a Cyber Criminal

  • threat detection
  • NDR
  • cybersecurity

They can strike at any moment, often when you least expect it. Like bank robbers quickly making their way to the vault—following months of reconnaissance—the cyber-crook has access to your most sensitive data within minutes. It can be months, even years until you fully recover – and many will never make it that far.  

According to a report in the Denver Post, over half of small businesses close within six months of a devastating cyber-attack. Those that survive lose hundreds of thousands of dollars, sometimes millions, to lost time, negative press, and the recovery effort.

Fighting off potential threats starts with knowing your enemy and gaining a solid understanding of how, when, and where criminals are most likely to strike. In this blog series, we'll break down the most common types of attacks, how they happen, and tips on new and emerging threats. As attacks become more random and difficult to prevent, security teams need to stay one step ahead of the enemy. 

One of the hardest-hitting cyber-threats, ransomware, has been a growing scourge for years. But recent attacks illustrate an increasing sophistication by attackers within this slice of the cybercrime underbelly. A growing number of assaults against the business sector, schools, and government organizations are now a primary cybersecurity concern. In addition, the ever-changing nature of ransomware attacks is complicating the cyber defender's job. 

For instance, the last 12 months have seen new types of extortion attempts by ransomware operators. Double extortion, pioneered by groups like Maze, has become standard operating procedure: attackers steal sensitive data before encrypting systems and threaten to release it if the victim doesn't pay up.

Beyond this, some ransomware operators, such as the SunCrypt gang, mounted follow-on denial-of-service (DoS) attacks to put the screws on victims. Other gangs are using the data they steal to mount additional attacks on the initial victim's partners or suppliers, as seen in the Blackbaud attack. 

Faster detection is good news, right? 

The amount of time cybercriminals spend inside compromised networks is dropping. While that might sound like a step in the right direction, hackers are spending less time inside networks because of the global surge in ransomware attacks. 

Researchers analyzed hundreds of incidents and found that the average dwell time – the duration between the start of an intrusion and the moment it is identified – has dropped below a month, to 24 days.

While some of the reduction in dwell time is driven by better detection and response capabilities, the rise in ransomware has also played a role. These attacks are highly lucrative for cybercriminals, but unlike most other forms of cybercrime, ransomware doesn't remain under the radar. Victims of ransomware attacks know they've been breached. 

When hackers are successful, they leverage compromised assets to deliver messages identifying who they are (under pseudonyms, of course) and demand money via hard-to-trace mediums such as bitcoin. Panicked organizations are incredibly vulnerable, and in such extenuating circumstances they often pay up.

Modus operandi of a ransomware attack 

The less you know about the attacker, the more opportunity they have to extract funds from your organization fraudulently. A skilled and determined cybercriminal can use multiple entry points to navigate defences, breach your network in minutes and evade detection for months. 

This is how they do it: 

  1. Reconnaissance and compromise: The initial reconnaissance period before an attack involves criminals researching and gathering information about the target organization. They look for network ranges, IP addresses, and domain names. Attackers also try to find the email addresses of key players in the organization or identify vulnerable employees by sending phishing emails. They also scan for network vulnerabilities. These activities can take months, but the attackers are patient.
  2. Obtain credentials: After gaining a foothold, criminals try to move deeper into the network by acquiring additional access privileges. Attackers use various tools to steal credentials, allowing them to escalate to administrator level and penetrate back-office and operational networks silently.
  3. Submit fraudulent messages: Attackers spread through the network using malicious programs that let them hide on multiple systems and inject malware into critical ones. At this point, they can start to submit fraudulent payment instructions by impersonating an operator or approver.
  4. Hide the evidence: Once fraudulent payments have been sent, attackers cover their tracks, hiding evidence of their actions. Using various tools and techniques, they delete or manipulate records and corrupt systems to confuse forensic experts.

While quickly detecting attacks inside the network is better than not detecting them at all, the best way to protect the organization from cyber threats is to detect or prevent them before they've even had a chance to compromise the network. Many ransomware attacks can be prevented, but it requires diligence, the right tools and technology, and understanding the ever-changing threat landscape. 

In part two of this series, we'll take a close look at the latest phishing trends and how to prevent falling victim.