Now is not an easy time for cybersecurity professionals in charge of protecting their organisations. Indeed, the UK Government’s recent survey of British businesses paints a worrying picture of the situation, with two in five companies having faced a cyberattack in the last year.
These numbers come as little surprise, with the rate of threats increasing exponentially in the last year and the tactics of cybercriminals evolving. Cybersecurity professionals not only need to keep pace with innovative criminals, but they also need to navigate the chaos of the global pandemic, which has given threat actors ample opportunity to exploit new vulnerabilities in UK industries.
The pandemic has been a boon to cybercriminals for multiple reasons, all of which combine to create a perfect environment to target companies. One of the most salient is that the disruption of the pandemic has made company employees more susceptible to social engineering attacks. Social engineering attacks are campaigns that use psychological manipulation to compel targets into performing actions or divulging confidential information.
Social engineering in the age of COVID-19
For organisations to better protect themselves and their employees, it is important to understand the varying nature of social engineering attacks during the pandemic and why they have been so effective in the hands of cybercriminals.
Social engineering tactics are not new to the COVID-19 era. Indeed, past mass disasters and even past epidemics ‘ such as Ebola, Zika, and SARS ‘ have been weaponised by bad actors to victimise the population. What separates COVID-19 from previous events is the scope of the crisis, both in its global scale and length of time.
Cybercriminals keep a close eye on the news, and when disaster strikes, they execute layered attack campaigns to target the general population and more tailored attacks to target companies. These campaigns exploit the natural fears, or need for information of the populace, so that they give up information or click on links when they would otherwise be more cautious. For example, a social engineering phishing email campaign could imitate that of a public health organisation asking for personal details to help with a vaccination programme.
Working from home conditions, combined with the unprecedented situation over the past year, has made it increasingly difficult for employees to ascertain the legitimacy of the emails and social communications they receive. Cybercriminals have made the most of this confusion to infiltrate organisations and imitate colleagues through social engineering.
One particularly effective method in the arsenal of cybercriminals is that of spear phishing. Spear-phishing attacks involve targeting individuals or groups of employees with emails that appear to come from an executive and ask for some sort of action to be taken, through which company data or systems are compromised. This tactic relies on criminals being able to convincingly imitate the executive through access to detailed personal information of the individual. Cybersecurity professionals have also seen the proliferation of easy to use phish kits. Recent research into the Logo Kit phish kit, with its ability create fake forms that mimic corporate login portals, shows how effective these can be at deceiving employees and capturing sensitive data.
Vision into the external attack service is key
Given the severe nature of the threat, it is up to companies to shield their organisation and its employees from the current cybercrime pandemic ‘ the best way of doing this is through maintaining excellent vision into the online attack surface.
The online attack surface is every manifestation of the company ‘ be it through branding or assets ‘ as it appears across the internet. By reviewing and monitoring this attack surface, companies can gain insight and proactively address the possible risks posed to the organisation through the web. When companies understand the anatomy of this attack surface, which is essentially how they appear from the outside in, they can implement a digital threat management programme to catalogue the vectors and exposures through which they or their employees might be targeted.
For most companies, their online attack surface is comprised of assets belonging to three distinct categories. The first of these is ‘legitimate assets’ ‘ official assets, such as the company website, that fall under the purview of IT security teams. Second to legitimate assets, are assets created by business unts or contracted third parties that the security team is unaware of. This ‘shadow IT’ falls outside the scope of an organisation’s security programme and over time can exhibit weaknesses that threat actors can exploit. Third and finally, there are rogue assets, which are fraudulent assets created by threat actors to mimic a company in the wild and through which unsuspecting customers are directed via social engineering tactics using email, social media and sms messaging. These take the form of phishing sites, fake mobiles apps, or fake social media accounts designed to trick the consumer into giving up personal information such as credit card details.
Unfortunately, social engineering attacks are a threat that is here to stay. Even beyond the pandemic, criminals will make use of the skills they have honed over this period during whatever event next disrupts the news cycle. This being the case, companies have a responsibility to maintain a holistic vision into their online attack surface to prevent damage to their own brand and the victimisation of the public.