Cyber Defense – Thinking like a hacker in 2022
It’s one thing to build your IT security by ticking the box next to each threat, and deploying a best of breed tool to address it. But in the face of their ever-growing sophistication, truly effective defense against cyber attacks also requires you to get inside the mind of your hacker.
What do they really want? Why did they choose you? What do they fear?
Let’s look at how hackers see some of your greatest assets as your biggest vulnerabilities and
what they don’t want you to do about them.
Your hacker’s favorite points of entry
Job one is to get inside your network. No matter how sophisticated your cyber security, the weakest links are almost always the same: your employees, your publicly accessible web sites, and your employee workstations.
Those are typical first points of attack for hackers, no matter what’s driving them, or their ultimate plan.
1. Your employees – Phishing
That poster in HR, the one that says “Our people are your greatest asset… ” never seems to mention that they are also your biggest security risk.
Phishing is the art of getting anyone with valuable information to give it up, voluntarily. Get them to click on an enticing link in an email, or give up passwords to a caller impersonating IT.
How important is phishing to your hacker? The FBI and industry experts agree that more than 90% of all successful cyber attacks start with phishing.
Email is the most common medium for phishing–attackers send a fake yet authentic-looking email that appears to come from IT or a colleague, with a link that downloads malware, or tricks the user into entering sensitive info.
Your hacker likes your employees as much as you do. And of course the right anti-malware and spam tools will take much of the onus of detecting phishing off your employees. But once in a while a malicious email will get through, and there’s no substitute for training.
Every employee should know never to click a link in an email when there’s any doubt, and importantly, to report potential phishing attempts to IT.
2. Your public websites – SQL Injection and password attacks
It’s so 1997– hackers run SQL queries on your database by passing formatted query strings through public, unprotected text-entry forms on your web site. Yeah, somehow this is still a thing in 2022.
It takes more than just input validation and implementing structured queries to prevent SQL injection or brute force password attacks. But those kinds of defensive programming practices are a good start.
Once you’ve established best practice defenses, regular penetration testing will help spot vulnerabilities.
Your customer facing websites, employee portals, and partner sites are all potential points of entry, and not just for SQL injection. AI-driven, brute force password attacks have taken a leap forward in sophistication. They can “guess” and try passwords iteratively, having trained on massive amounts of username and password data, learning and adopting patterns of password selection from user practices.
Enforce minimum password strength and implement two-factor authentication to make your log in access points a less attractive target.
3. Your Workstations – Shadow IT and Cross site scripting
Employee workstations, no matter how locked down, are a serious point of vulnerability.
Shadow IT is the employee use of applications or platforms not approved by their supervisor or IT. It’s often innocent, but a 2019 Forbes survey identified Shadow IT as a common cyber-security blind spot that affected more than one in five organizations.
As deadlines loom, employees look for tools on the web to help them get things done, and that can entail all kinds of unsafe interactions, like pasting sensitive data into third-party web sites, sharing information through social media, or introducing vulnerable applications to your network.
Even security-savvy employees may bend the rules from time to time.
That can extend to accessing less secure websites, even when not enticed by a phishing email, risking Cross-Site Scripting (XSS) that can introduce malware, or access sensitive information directly at the client workstation.
XSS attacks borrow concepts from both phishing and SQL injection, except the malicious code runs on the client side, providing access to local data like cookies, or dynamically redirecting users to a phony site. Worse still, XSS attacks come from merely visiting a legitimate website.
The endgame: three popular hacker goals
Understanding what makes hackers tick, and what they’re really after, will equip you to think about protecting systems that don’t exactly shout “security risk.”
1. Data heist
The most common goal by far is to steal data, but the target isn’t always the headline-grabbing treasure trove of customer credit card numbers. Yes, it’s important to protect customer and employee PII like credit card and social security numbers. That’s frequently, and understandably, the focus of efforts to secure data.
But value is subjective, and hackers have evolved and developed ways to monetize and leverage data in ways that aren’t obvious–mosaic attacks and secondary sources of data can be just as valuable unless you think like them.
Mosaic attacks come from hackers’ ability to take bits of seemingly useless data, often from multiple sources, and combine them to produce a more complete picture of individual data subjects. While allowing that data to be stolen isn’t a direct threat to you, emerging regulation targets data handlers and you could be held liable for a breach that steals clear text data, even if it seems innocuous.
Hackers know how to find valuable cleartext data. Don’t give it to them. If you store data of European citizens as cleartext, you’re now obligated not to, as part of GDPR data-privacy legislation. Even if you’re an American company. Identifying data, credit card numbers, contact information, all must be anonymized, pseudonymized, or otherwise de-identified.
What often gets short shrift is those databases throughout your infrastructure that hold a goldmine of casual notes left by busy employees without a second thought.
Widely adopted business tools like Salesforce, Confluence, collaboration platforms, and software development platforms are designed to make information more accessible. can be attacked to steal source code or carelessly hard-coded credentials.
Soteri’s tools use the same algorithms hackers use to spot the unique signature of access credentials, and can delete them before they become a problem.
Hackers like a challenge, and some crave notoriety, especially in their “community”. Others think of themselves as activists. They want to make a point.
Whatever their driving motivation, they express it through business disruption, data destruction, or both.
Spectacular, high-profile shock and awe attacks have hit brand name businesses like Sony and Nintendo confer cyber-cred, and erode brand confidence.
The usual point of entry? Phishing.
Like other phishing attacks, they can introduce malicious scripts that can infect your LAN, erasing hard drives, destroying data, and shutting down business operations.
It’s a great way to directly monetize a hack. The usual point of entry? You guessed it. Phishing.
Ransomware often starts with a trojan uploaded to your LAN. A user clicks a link in a phishing email, and thus downloads malicious code that locks down your data until you pay your attacker.
Ransom attacks are becoming increasingly sophisticated, both in the way they lock away your data and the e-money payment schemes that ensure payment before you get your data back, and limit the breadcrumbs that allow law enforcement to track them.
Air-gapped, offsite backups, and a well designed recovery plan can help avoid a big payday for your hacker.
Three fears of hard-working hackers
Hacker’s want you in reactive mode, running around, playing whack-a-mole, one step behind their unrivaled brilliance.
You have a plan, and you don’t think like a victim, you think like they do. And that’s a problem.
1. Your employees won’t play along
At some point, a phishing attack requires one of your employees to cooperate with your hacker.
Even if the bad guys can get a malicious phishing email past your firewall, simple employee training, followed up by a must-pass quiz, even in large organizations, can approach 100% recognition of possible phishing email.
That’s really all that’s required. They don’t have to identify malicious email, only those that aren’t 100% safe, and to never click those links.
2. Finding the vault empty
All that work to get into your network–now where’s all the data?
If you’ve anonymized and backed up your structured customer data, you might feel all buttoned up, but not all attackers will be too surprised. They know you’ve overlooked valuable data elsewhere.
By thinking like they do, you’ll realize your cloud is full of Easter eggs. They’re everywhere, thanks in part to the way employees tend to casually share data or remember important passwords by jotting them down in the tools they use every day. After all, who’s going to look for AWS credentials hidden on a Confluence page? Or how about cleartext credentials hard-coded in source control, just for convenience in unit testing.
That’s why Soteri builds products that can recognize credentials, out of context, across databases and across your network. Consider scanning frequently for wayward passwords and keys.
3. Realizing that you think like a hacker
At some point, it may occur to your attacker– when you implemented your cybersecurity plan, you didn’t just go through the motions. You didn’t just tick the boxes to protect against “techniques”.
You took a moment to think like the bad guys.
The bottom line
Each layer in multi-layered defense assumes the layers above it don’t exist.
So protect the perimeter, and don’t let them in–understand and protect their favorite access points.
If they do get in, don’t let them see your data–anonymize the valuable business data, delete the valuable and dangerous data casually left in secondary databases by employees just trying to get things done.
Establish a backup and recovery plan.
And as you put your defenses in place, take a moment to think like a hacker, and train your employees to do the same.