Malaysia SME recently carried an interesting feature report on how Asian companies can keep up with evolving cyber threats. F-Secure APJ head Keith Martin explains that file-less attacks are malware attacks that can bypass standard security tools and pose more danger than common file-based malware attacks. He also sheds light on trending cyber threats and how SMEs can build a robust defence against them.
Why is this so critical now? Because, as digital technology takes over the world, the need to protect ourselves and our businesses has never been more important. Nevertheless, a vast majority of SMEs are still oblivious to the importance of cyber security, says F-Secure, a Finnish cyber security and privacy company.
F-Secure has conducted numerous workshops for SMEs, and through its engagements with local firms it identified that many of them are not aware of the seriousness of cyber threats. What they see is only the tip of the iceberg: the direct correlation between a threat and the loss experienced. But the impact of a threat which may seem petty at first could be detrimental, especially to a small organisation.
“A simple analogy would be a car break-in scenario. While car owners may think that the damage could be as small as losing a Touch ‘n Go card and some coins they have reserved in the car, the thieves could also gain access to the owner’s personal details through documents or name cards left in the car,” said Martin.
In other words, all a hacker needs is access to your system and a small piece of information to begin the next phase of the attack.
Retailers who have embraced digitalisation and become online merchants make up a segment of F-Secure clients. Martin said that most of these businesses invest a lot of money in setting up their online platforms, but they take security lightly.
Fast-growing e-commerce merchants become targets for hackers, who usually go after the payment gateway system. There are cases where online merchants deliver goods to the buyer but never receive payment.
Martin urged SMEs not to look at installing a robust security system as a matter of cost but rather as “getting the biggest value for your buck”.
“If you get hacked, lose key customer data, and tarnish your reputation, the damage can cost millions. That is a lot more expensive than the cost of installing cyber security software,” said Martin.
Types of attacks
For the longest time, we have heard about, read about and experienced file-based malware attacks. But Martin explains that file-less attacks are on the rise. These are malware attacks that can bypass standard security tools.
“File-less attacks are targeted attacks. They have a specific task and aim at a particular computer, system, or person,” said Martin. “It is different from a ransomware attack, which is usually sent to a huge number of people, hoping that a fragment would click on it.”
Hackers are cautious not to get caught or identified when conducting a file-less attack, because the chance of getting another opportunity to enter a system is usually slim.
It first begins with a file-less infection, an attack which does not write anything to a disk. This allows the hacker to bypass most antivirus solutions because they rely on scanning for malicious files. If there is no file, there is no detection.
Instead, an attacker can use an exploit, which leverages a trusted system, application or process to gain a foothold in a target machine.
“They can gain access to a machine, which could be of less value to them. So, they will stay in the system, and start checking and gathering as much useful data as possible. It’s like a burglar who had entered a house to steal a specific item. He hides in the closet and comes out now and then to check the drawers or cupboards. He is cautious and does not want to alert anyone of his presence.
“The hacker then uses tools such as PowerShell that allows them to use commands to get access to another computer which has more valuable information,” said Martin.
Finally, the attacker can establish persistence in the environment by creating ‘back doors’ that are so well hidden they cannot be detected by most security tools. These back-door techniques could involve enabling the on-screen keyboard, which the hacker could then use to create a user account on the computer.
This is an obvious and popular choice because it allows attackers to easily bypass antivirus and firewalls, giving them access to the compromised system at will, while remaining completely undetected.
Apart from file-less attacks, ransomware is another popular type of attack. “People usually care about ransomware because it involves their money,” said Martin.
Ransomware has evolved into a service type of business. Hackers sell their ransomware creations to criminals. These hackers create a new version of ransomware which is unidentifiable by existing antivirus.
The criminals will have a huge database of emails to send the ransomware to. Compromised victims pay a sum of money to the criminals, and the hackers will then get a certain percentage of the money.
Meanwhile, the burgeoning IoT trend is not excluded from cyber threats, and attackers are already exploring techniques to get into a connected network. In fact, with IoT, attackers have more choices of access into a system.
An IoT network involves physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity which enable these objects to connect and exchange data.
“Anything that is connected can get hacked. A smart kettle for instance, which is connected to WiFi can get hacked. There is no reason to hack a kettle of course, but the kettle becomes an entry point for hackers.
“So, they look for the weakest link in any network. Sometimes it is a smart device and sometimes it is people who can be tricked easily,” said Martin.
Meanwhile, successful intellectual properties and brands often make companies the target of fraudulent or malicious activities too. Such activities include brand violation, where third parties imitate successful companies, and typosquatting, where someone registers domains using words similar to a successful brand to redirect traffic via links that look similar. Many companies have little to no awareness of these sorts of activities.
How to protect my company?
Protecting your company starts from the basics. People often become the entry point into an organisation for hackers.
One of the mistakes many people make is password duplication. Let’s face the fact: we are living in a world that is more connected than ever. We have to register or sign up for an account every time we seek access to a website or app. But there is only so much that our brains can remember. So, many of us take the easy route out by using the same password for multiple accounts.
What is even worse is when employees in an organisation use identical passwords for their company and personal accounts. When hackers breach an account, they automatically gain access to the other.
Companies must also keep their employees wary of phishing emails. Hackers are only becoming more creative in tricking people into clicking on a malicious link. Hence, it is recommended that employees make it a practice to check where a link actually leads before clicking on it.
“This can be easily done. What you have to do is hover your mouse over the link and the landing page will pop up next to it. If it shows something different from the link, it is best to leave it unclicked,” said Martin.
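The hover check Martin describes can also be automated on the mail gateway. The following is an added example, not F-Secure's code or any product of theirs: it parses an HTML e-mail body and flags links whose visible text names one domain while the underlying href points at another. The sample message and the two-label "registered domain" heuristic are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, one deceptive link whose visible text
# claims the shop's own site but whose href lands on an unrelated domain,
# and one plain-words link that makes no claim about its destination.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready:
<a href="https://billing.example-shop.com/inv/42">https://billing.example-shop.com/inv/42</a></p>
<p>Update your payment details:
<a href="http://example-shop.com.payment-verify.example.net/login">https://www.example-shop.com/account</a></p>
<p>Or <a href="https://example-shop.com/help">contact support</a>.</p>
"""

# Visible text that "looks like" a URL or host name, i.e. a claimed destination.
CLAIMED_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Assumption: last two labels approximate the registered domain (a public-suffix list is better)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:])


def find_mismatched_links(html):
    """Return hrefs whose visible text claims a different registered domain than the href itself."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if not CLAIMED_URL.fullmatch(text):
            continue  # plain words such as "contact support" claim nothing
        shown = urlparse(text if "://" in text else "http://" + text)
        if registered_domain(urlparse(href).hostname) != registered_domain(shown.hostname):
            suspicious.append(href)
    return suspicious
```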
F-Secure has a fairly wide range of products to help businesses build a robust network. One such product is Radar. Radar is a vulnerability scanning and management platform. It allows firms to manage both internal and external threats and report risks. It maps a firm’s full attack surface and responds to critical vulnerabilities associated with cyber threats.
“In cybersecurity, roughly 80% of viruses can be stopped by patching the system,” said Martin. A patch is a piece of software designed to update a computer programme or its supporting data, to fix or improve it.
“Vulnerability within a system, software or platform changes every day. Every day, there is somebody else that has found another way to exploit a piece of system or hardware,” said Martin.
“And so Radar allows a firm to regularly check its systems to know if they are safe and as robust as they are supposed to be. Radar generates reports containing information about the status of a system, if the system is protected or not protected, and if it is not protected, how much of a danger it poses,” said Martin.
Unlike other vulnerability management solutions, Radar features web crawling technology, called Internet Asset Discovery that also covers the deep web. With this, firms can fulfil a wide variety of tasks ranging from threat assessment to business intelligence. In other words, Radar allows you to easily browse through all targets to quickly identify risks and potentially vulnerable connections, and expand the possible attack surface beyond a network.
With Radar, an organisation’s IT security team can map its attack surface as the aggregate of all known, unknown and potential vulnerabilities critical to the business, externally exposed misconfigured systems, malware websites and website-linked hosts, and brand infringements and phishing.
F-Secure also offers Rapid Detection Service (RDS), which detects file-less attacks. “The average time from an initial attack to being discovered is 220 days. Imagine the kind of damage an attack can do to your system within that span.” RDS includes lightweight intrusion detection endpoint sensors and network decoy sensors that are deployed across an IT infrastructure. The sensors monitor activities initiated by attackers and stream all information in real time to F-Secure’s cloud, which hunts for anomalies in the data using a combination of advanced analytics: real-time behavioural analytics, big data analytics and reputational analytics.
“Anomalies are hunted from two perspectives, known and unknown bad behaviour,” said Martin. The use of different types of analytics means that attackers are unable to successfully use evasion tactics designed against a specific analytics type.
Anomalies are flagged to RDS analysts who work 24/7 to verify them and filter out false positives. Once the analysts have confirmed that an anomaly is an actual threat, they will alert the firm in less than 30 minutes and guide them through the necessary steps to contain and remediate the threat.
F-Secure also provides detailed information about the attack, which can be used as evidence in criminal cases. They provide on-site incident response service for difficult cases if a firm’s own experts are unavailable.
Note: The original version of the report was carried in a recent issue of Malaysia SME.