Enterprise cybersecurity: Protecting your organization against common cyberthreats

21.08.2018
10 min.
title

The propagation of artificial intelligence, blockchain, and internet of things provided cybercriminals with alternative channels to attack organizations and new ways to camouflage malicious activities. At the same time, companies keep fighting with common types of threats that attackers have been using for years.

In this article, we offer you to take a closer look at the current state of cybersecurity, analyze widely spread types of cyberattacks, and discover effective ways of protecting against them to guarantee the required level of enterprise network security.

Classifying cyberattacks

To define the character, vector, and possible outcomes of a particular cyberattack, organizations can rely on the established Common Attack Pattern Enumeration and Classification (CAPEC) managed by MITRE Corporation. The elaborated system distinguishes two core groups of cyberattacks depending on their mechanism and domain.

IBM X-Force Threat Index 2018 shows that injecting unexpected items became a highly popular attack mechanism. The number of injection attacks almost doubled from 42% in 2016 to 79% in 2017 with botnet‑based CMDi LFI attacks and CMDi attacks utilizing coin-mining tools being common types of injections. Information collection and analysis is the second popular attack vector. According to IBM, hackers use the fingerprinting technique actively to explore information about selected targets and detect exploitable vulnerabilities.

Common cyberattacks and feasible countermeasures

The official statistics on cyberattacks change quickly. Quite often security professionals can observe waves of attacks based on the same principles. For example, 2017 was a year of devastating malware campaigns. At the same time, some types of attacks can be widely registered at any year, so organizations should be ready to face them at any time.

Brute force attacks

Brute force is a straightforward and undisguised trial and error type of cyberattack. Using brute force techniques, hackers usually try to reach to valuable data by cracking a victim’s passwords or encryption keys. Websites with built-in user authorization and mail services are traditionally the most attractive targets for attackers who carry out dictionary attacks to pick up and crack active passwords. A reverse brute-force attack is an alternative attack method that supposes an attacker to try one password against multiple usernames.

Since trying thousands of passwords manually takes too much time and effort, hackers use special tools to automate the process. This allows them to organize massive brute forcing against large networks. One of the well-known examples is a distributed brute force attack targeting WordPress sites in December 2017. This was one of the most aggressive campaigns ever registered with over 14 million attacks per hour at peaks.

Brute force attacks can cause a lot of damage to corporate IT infrastructures and can lead to substantial data leaks. Fortunately, they are also quite easy to spot due to the large number of abnormal logins and logouts.

The OWASP Foundation offers several techniques to withstand brute force attacks. Time delays between successive login attempts, complex answers to unsuccessful logins, automatically locked accounts after failed logins, and CAPTCHAs are just a few feasible measures to knock down a brute force attack. Organizations should also disallow weak and commonly used passwords and train staff to never reuse or create variations of old passwords, as well as implement password encryption software to prevent brute forcing.

DDoS attacks

A distributed denial-of-service attack or shortly DDoS represents a set of malicious activities targeted at disrupting the normal operation of a server, service, or network by exhausting them with a flood of data packets. Assaulted by hackers, a target becomes unreachable for standard users while malicious actors take control over it to further contaminate the network, put enterprise infrastructure out of service, or steal confidential data.

Typically, a DDoS attack begins with an exploited vulnerability, which allows hackers to gain control over a particular computer or a network device, known as a zombie or a bot. A zombie then detects other vulnerable systems and infects them by allowing hackers to create a botnet, a contaminated network. After that, an attacker can use the botnet traffic to flood the selected target. DDoS floods can be overwhelming. For example, on February 28, 2018, GitHub faced a DDoS attack with incredible peak traffic of 1.35 TBps.

Depending on the target, there are three main types of DDoS attacks, including network-centric (volumetric), protocol attacks, and application layer attacks. DDoS attacks are dangerous because they often affect the target together with connected networks and systems. Thus, a DDoS attack can compromise not only an organization but also their service providers.

The popularity of IoT contributes a lot to the effectiveness of DDoS attacks. IoT devices often lack basic security controls and let hackers to widen their attack surfaces. The State of Industrial Cybersecurity 2018 survey by Kaspersky Lab proves that 65% of organizations globally believe that OT/ICS security risks are related to IoT.

To minimize risks related to DDoS attacks, companies should put their effort into eliminating network vulnerabilities that can attract malicious users. They should also keep constant control over their network traffic and implement relevant enterprise security solutions to prevent the transmission of undesired packets, thwart user interaction with insecure services and block suspicious traffic. By setting up network monitoring tools, organizations can stay tuned into network activities and apply immediate countermeasures in case of a DDoS.

Malware attacks

Viruses, worms, Trojan horses, and wipers are just a few types of malware that can infect a target system and let hackers steal sensitive data, disrupt core computing functions, and secretly monitor users’ activity.

Ransomware is another incarnation of malware that is particularly popular during the last few years. By getting into a target system and spreading ransomware, attackers encrypt the data and offer to decrypt it after a demanded ransom payment.

Once launched, malware is nearly impossible to stop, so it’s always better for organizations to prevent infection than battle it. The experience of past massive attacks proves that organizations often neglect the core principles of enterprise security, which leads them to terrible outcomes.

A sadly known WannaCry ransomware attack in May 2017 became the most disastrous cyberattack of all times. It affected almost 200,000 computers in 150,000 countries bringing the total damage of $8 billion. Surprisingly, such a catastrophic damage didn’t result from the unavailability of countermeasures. The ransomware propagated through a known exploit in older versions of Microsoft Windows. While the corporation released necessary security patches before the attack, affected organizations didn’t consider the updates and just kept using their old operating systems as they were.

Injection attacks

Injection attacks suppose that a hacker injects malicious code into a program or a computer and executes remote commands to perform malicious activities. There are various types of injections, including blind XPath injection, XPath injection, buffer overflow, LDAP injection, OS commanding, SSI injection, blind SQL injection and SQL injection, or shortly SQLi. In the latter case, an attacker injects commands that can read or modify a database and alter the meaning of the original SQL query.

SQL injection attacks are common due to the significant prevalence of SQL injection vulnerabilities, and the attractiveness of the target (i.e., the database typically contains all the interesting/critical data for your application). Not only SQLi attacks are common, they are also dangerous. By gaining the access to a database, a hacker can not only change its normal operation but also steal identities, remove data and break data integrity or completely destroy large data sets. Moreover, through SQLi, an attacker can get privileged user rights (for example, a database administrator), thus causing even more damage to services and operating systems connected with the database.

The OWASP Cheat Sheet includes several methods of defense against injection attacks. Database developers should pay primary attention to how they write database queries. It is highly recommended to create parameterized queries with bind variables instead of dynamic queries. Additionally, developers can use stored procedures without any unsafe dynamic SQL generation. Practicing white list input validation (query redesign) and eliminating user-supplied input are two more techniques to make a database SQLi-proof. Limiting the number of privileged users with wide administration rights is another must to prevent malicious users from getting control over a database.

Social engineering

Social engineering involves psychological manipulation of users in order to make them divulge confidential information such as telephone numbers, addresses, credit card details and so on. Social engineering can be used for system access and is sometimes the easiest way to penetrate into a large organization protected by a complex security infrastructure.

Social engineering is often used as the first step for hackers to explore the selected target, collect secret information, or spread malicious software by taking the advantage of employees’ carelessness. There is a variety of social engineering techniques that let malicious actors succeed in their activities. Baiting, vishing, honey trap, watering hole, pretexting, quid pro quo, tailgating, phishing, and whaling are popular methods to compromise enterprise cybersecurity by interacting with different user groups.

Verizon’s 2018 Data Breach Investigations Report says that phishing and pretexting represent 98% of social incidents. It’s also interesting to see that pretexting is much more successful compared to phishing. The report features 114 confirmed data breaches out of 170 registered pretexting attacks (67% of success) versus 236 data breaches out of 1,192 phishing incidents (less than 20% of success).

Unfortunately, even organizations with implemented security controls aren’t protected against social engineering if employees aren’t vigilant enough to emails they get, people they communicate and if they are ready to disclose corporate data. Regular security training is to teach employees how to deal with suspicious devices and email attachments, how to recognize camouflaged hackers and not to get into their trap. Security filters for incoming emails should also be in place to reduce the risk that an employee opens an infected email.

Advanced persistent threat

Advanced persistent threat or shortly APT is one of the most dangerous types of cyberattacks, as it’s very difficult to detect. In this type of attack, a malicious user penetrates into a network and anchors there for a long period of time. Unlike other types of attacks, APTs rarely entail large damage to an organization’s infrastructure. Instead, an attacker puts great effort in staying unnoticed to steal large volumes of sensitive information or money.

At the moment, Carbanak attack is the largest registered APT attack against banks worldwide. The Carbanak gang started their activities in late 2013 and during 5 years of targeted activities, they managed to steal more than $1 billion from over 100 financial institutions in 40 countries. The gang’s leader was arrested only in March 2018 after a large-scale investigation conducted by the joint effort of several countries.

The example of the Carbanak attack shows how sophisticated hackers can be and how difficult it might be to stop their activities. At the enterprise level, a permanent network monitoring and an exceptional vigilance of security professionals, database, and system administrators can be the only remedy against an APT. Abnormal logins and logouts, implemented backdoors that let hackers to get in and out of a network, unexpected data storages, targeted spear phishing, and whaling campaigns might be the signs of an ongoing APT attack.

What industries are at risk?

The cost of each stolen data item across all industries increases from year to year and 2018 continuous the trend. Not only the average size of data breaches but also the average total cost of a data breach and the average cost per lost or stolen record increased beyond 2017 numbers, affirms the 2018 Cost of a Data Breach study by Ponemon Institute.

While no organization is immune to cybercrime, there are industries and business domains that usually attract hackers’ biggest attention. This year’s observations reveal a curious fact: a frequent leader in cyberattack reports, healthcare sector, dropped out of cybercriminals’ focus. Instead, financial services topped the list of the most attacked industries, followed by information and communication technology, manufacturing, and retail.

At the same time, healthcare stays the leader in per capita cost of a stolen record. Industries that operate under weaker regulation (for example, public sector, retail, media, etc.) traditionally have a substantially lower cost of a per capita data breach compared to heavily regulated industries such as healthcare and financial organizations.

How to protect your organization?

Hackers are getting smarter every day. Attacks have transformed from short and aggressive, to long-term and sophisticated, involving multiple vectors and step-by-step stages. It doesn’t mean that organizations stay helpless in this unstable cyber environment, though. Building up a robust enterprise security architecture coupled with automated security tools and governance plans can help companies stay away from cyber troubles.

Respecting security basics

Traditional security measures such as antivirus software, firewalls, password managers, web gateways, and mirrors on cloud services seem banal but they are essential for a company to detect and mitigate attackers’ first moves. Keeping an eye on timely updates and patches will also prevent companies from exposing their IT environment. Regular security training is a suitable measure to teach employees to stay attentive to suspicious activities within their working stations.

Advanced security software

Apart from standard security measures, organizations are welcome to adopt relevant enterprise security solutions that will help security professionals to get a comprehensive vision of their IT ecosystem. Depending on an organization’s specifics and needs, they can rely on user and entity behavior analytics (UEBA), data loss prevention (DLP), identity and access management (IAM), security information and event management (SIEM), threat intelligence and other security-centric systems.

Security testing

Finally, companies can take security testing both as a preventive and reactive measure. On the one hand, security testing helps organizations reveal existing vulnerabilities and eliminate them before they attract attackers. On the other hand, network security and software security testing can help an attacked organization to clearly define the attack vector and analyze attackers’ path to stop them on the way. Additionally, penetration testing can be carried out yearly at less vulnerable organizations and twice a year at organizations exposed to high cyber risks.