During a team meeting with Brett Gallant of Adaptive Office Solutions, he mentioned a fact that lingered with the rest of us… Hackers can be inside a business infrastructure for months without anyone knowing.
Soon after Brett headed out for a cyber security meeting, the rest of us lingered in the board room wondering… What are the hackers actually doing all of that time?
After a little research, we discovered… Almost anything they want. But, let’s get more specific…
How Hackers Gain Access
Excerpts from an article by WingSwept put it this way: “One of the many things people want to know after they suffer a ransomware attack is “How did they gain access to my network?” However it happened, it may have happened many months ago – and ransomware victims may have bigger problems than encrypted files.
In many cases, Small and Medium-sized Businesses compromised with malware don’t discover it for more than two years – the average is 798 days, according to Infocyte. When looking at ransomware specifically, the average “dwell time” for cybercriminals on SMB networks is 43 days.
Hackers don’t want to wait too long to trigger a ransomware payload in case they lose access to the network, but they’re still perfectly happy staying inside the network for up to six months because there’s plenty of money to be gained along the way to the final attack.
Once hackers find their way onto a network, they scan the network to determine what files their stolen credentials can access. At large corporations, there might be intellectual property that is worth large amounts of money to the right buyer. Smaller companies might not have multi-million dollar trade secrets, but they do have private information like customer data or employee records.
Cybercriminals may also wait until the ideal time to trigger their ransom demand – and that means the worst possible time for you. Anti-malware company Malwarebytes told Wired magazine recently that the “dwell” time on networks ranges from days to months.
“When the time has come for ransomware deployment, threat actors will typically choose weekends, and preferably the wee hours of Sunday morning. This made sense pre-pandemic as staff would typically return to work on Mondays to witness the damage,” says Jérôme Segura, head of threat intelligence at the monitoring firm Malwarebytes.
In fact, Microsoft is reporting that many healthcare companies learned over the past few months that hackers had been in their networks for months. Once the pandemic overwhelmed their hospitals, they activated ransomware. The pandemic allowed them to raise their prices because hospitals didn’t have the resources to slow down and try to recover from the data loss.
Microsoft has also laid out the techniques used to gain network entry in these sleeper cell attacks. At the top of their list: Remote Desktop Protocol access without Multi-Factor Authentication, and hardware running Windows operating systems that had reached end of life and were no longer receiving security updates. Networks that allow the use of weak passwords (short passwords or those without symbols or numbers) are especially vulnerable.”
The Tools Hackers Use to Get Into Networks
That was a compelling article, but we wanted to back up a step in order to explain the techniques that cybercriminals use to get into your networks in the first place. Let’s take a look at some excerpts from a recent article by Aura…
“Hackers compromise networks and devices by exploiting weaknesses in their built-in security systems. Malicious hackers (also known as black hat hackers) do this in order to gain unauthorized access to personal information.
Victims of cybercriminals lose their privacy and financial security and face the potentially life-long consequences of identity theft.
Here are just a few ways that cybercriminals can hack their way into your computer:
Malware and other viruses
Scammers may send you fake texts or emails with links that contain malware. If you click on the link, your device will be infected — allowing the hackers to crawl your computer for sensitive data or use spyware to spy on you in the background.
Tech support scams
Hackers contact you via emails or pop-ups claiming that your computer has been compromised with a virus. These messages appear to be sent from reputable security companies (as in the recent Geek Squad scams) — convincing you to call the tech support number in the message. The hacker asks for access to your computer in order to fix the made-up problem, but takes control of your device instead.
Taking advantage of outdated software
Software updates from your service providers are specifically designed to address security vulnerabilities. If your operating system or web browsers aren’t up to date, hackers can break in by taking advantage of known security issues.
Hacking your Wi-Fi network
Weak passwords, outdated firmware models, and missed software updates in your router’s settings leave your network vulnerable. Gaining control of personal devices that are connected to a weakened network can be as simple as hacking into the Wi-Fi network itself.
Phishing attacks that request remote access
Hackers pose as well-known businesses or government agencies and send a phishing email, text, or phone call that contains an urgent message. When the target clicks on the link provided in the email, they’re taken to a bogus website that immediately compromises their device. Alternatively, victims are tricked into sharing access to their computers by following the scammer’s directions over the phone.
Buying your passwords on the Dark Web
The Dark Web is a place where hackers go to buy and sell stolen information. If your sensitive information was exposed in a data breach, access to all of your private accounts could be up for grabs.
How To Know If Your Computer System Has Been Hacked
According to Aura, these are some tell-tale signs…
If you’re concerned that you’ve been hacked, here are some signs to look out for:
- You receive notification emails about sign-in attempts that you never made.
- Your device becomes slow, overheated, and laggy.
- You receive multiple pop-ups with alarming messages claiming that your device is infected with a virus.
- Browser windows, tabs, and apps on your device pop open on their own.
- Your place of work contacts you with a warning that the company fell victim to a data breach.
- You experience unsuccessful login attempts with your accounts.
- Friends and coworkers tell you that they’ve received strange messages from you.
- Spam emails start to flood your inbox.
- Suspicious charges appear on your bank statements.
- New and unfamiliar extensions and add-ons show up on your browser.
- You keep getting redirected to unwanted websites while you try to surf the web.”
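Several of the signs above (sign-in notifications you did not trigger, unsuccessful login attempts on your accounts) show up first in authentication logs, and so does the brute-force guessing of weak passwords described further down this page. The following is an added example, not code from the original page, from Aura or from Adaptive Office Solutions: a small detector that parses constructed OpenSSH-style log lines, flags a source address that fails repeatedly inside a short window, and notes whether a successful login from that address followed the burst (the case a defender most wants to see). The log lines, host name and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format; not from any real system.
SAMPLE_LOG = """\
Mar 12 02:14:01 fileserver sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 50112 ssh2
Mar 12 02:14:03 fileserver sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 50113 ssh2
Mar 12 02:14:05 fileserver sshd[4121]: Failed password for root from 198.51.100.23 port 50114 ssh2
Mar 12 02:14:07 fileserver sshd[4121]: Failed password for root from 198.51.100.23 port 50115 ssh2
Mar 12 02:14:09 fileserver sshd[4121]: Failed password for backup from 198.51.100.23 port 50116 ssh2
Mar 12 02:14:12 fileserver sshd[4121]: Accepted password for backup from 198.51.100.23 port 50117 ssh2
Mar 12 09:02:44 fileserver sshd[5210]: Failed password for alice from 10.0.0.5 port 40211 ssh2
Mar 12 09:02:51 fileserver sshd[5210]: Accepted password for alice from 10.0.0.5 port 40212 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Turn raw syslog lines into (timestamp, result, user, source_ip) tuples.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message (key exchange, disconnects, ...)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag every source IP with at least `threshold` failed logins inside one
    `window`, and record whether a successful login from that IP followed the burst."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[1] == "Failed"]
        for i in range(len(failures)):
            # Grow the window forward from failure i while later failures still fit in it.
            j = i
            while j + 1 < len(failures) and failures[j + 1][0] - failures[i][0] <= window:
                j += 1
            if j - i + 1 < threshold:
                continue
            burst_end = failures[j][0]
            success = next(
                (e for e in evs
                 if e[1] == "Accepted" and burst_end <= e[0] <= burst_end + window),
                None,
            )
            alerts.append({
                "ip": ip,
                "failures": j - i + 1,
                "users_tried": sorted({e[2] for e in failures[i:j + 1]}),
                # The Malwarebytes quote above notes attackers favour the small hours.
                "off_hours": failures[i][0].hour < 6,
                "success_after_burst": success[2] if success else None,
            })
            break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

In the constructed sample the first address fails five times in eight seconds, cycles through three account names, and then logs in as `backup`: that combination (burst, then success, at 02:14) is the kind of event to investigate rather than the single typo by `alice` at 09:02, which the detector correctly ignores.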
That was great information about the ways that hackers gain access to your infrastructure, but what’s the lifecycle of an average hack?
Why Hackers “Dwell”
Here’s what ZDNet had to say about this topic…
“Cyber criminals are spending more time inside networks before they’re discovered, providing them with the ability to carry out higher complexity campaigns and more damaging cyberattacks.
Dwell time is the amount of time hackers are inside the network before they’re discovered or before they leave – and being able to spend an increased amount of time inside a compromised network undetected means they’re able to conduct malicious activity, such as monitoring users, stealing data or laying the foundations for a malware or ransomware attack.
“Going deeper into the networks just allows them to penetrate harder-to-reach areas and find that business-critical data,” he added.
One of the key methods cyber criminals are using to gain initial access to networks is through unpatched security vulnerabilities, something that Sophos says is the root cause of 47% of incidents they investigated last year.
Among the organisations that struggle most – and have the longest median dwell times – are small businesses. Typically, these organisations struggle to find the budget, resources, and enough information security staff to effectively manage even basic cybersecurity, let alone quickly detect suspicious activity in the network.
Other techniques used by cyber criminals to breach networks include phishing attacks, as well as using stolen login credentials, taken from earlier data dumps. Hackers are also able to enter networks by using brute-force attacks to crack accounts with weak or common passwords.
No matter how intruders are entering the network or who they’re targeting, that they’re able to spend longer inside networks without being detected is bad for those who get breached.
“We’ve seen this – multiple attackers ending up in the same network, multiple ransomware crews ending up in the same network, the same crew going back into the same network again because the company didn’t close the hole in the first place after they’ve recovered – that’s what the longer dwell times are,” said Shier.
But even with several layers of defense, it’s possible that intruders could still gain access to the network – so it’s important that there’s an information security team in place who knows what regular activity looks like and are able to identify and investigate potentially malicious behavior.
“Security teams can defend their organisation by monitoring and investigating suspicious activity. The difference between benign and malicious is not always easy to spot,” said Shier.
“Technology in any environment, whether cyber or physical, can do a great deal but it is not enough by itself. Human experience and skill and the ability to respond are a vital part of any security solution,” he said.”
What Are Hackers Doing While They’re Dwelling?
Well… after circling the main topic, we finally found the answer to the question: what are hackers doing during the months they’re dwelling?
Here’s the best article we could find on the matter. It’s written by advantio, and here’s what they had to say, “For hackers, particularly those working as part of advanced persistent threat (APT) groups, compromising network perimeter security is just the first step in a potentially long game. Once through the firewall, they will conduct several activities until they reach their end goal – stealing money or sensitive information or causing long-term damage to the victim’s systems and reputation.
By knowing what these activities are, organizations can better identify security incidents in progress – and respond accordingly. Here we uncover the basic playbook of successful hackers.
1. Secure access to the network
Sophisticated fraud takes time to set up and execute; it is highly unlikely that criminals can do all the work needed in one day. Their first order of priority once into your network is to secure access, allowing them to reconnect whenever they want.
Typically access is gained via a compromised PC, so they will establish some form of persistence. This is usually done by installing a backdoor that acts as a basecamp for stage 2.
2. Compromise credentials
Once inside your network, attention shifts to capturing elevated permissions that allow the hackers greater control over network resources. Ideally, they are looking for administrative-level credentials at either the local or domain level, allowing them greater control and increased visibility of network resources.
The hackers have a range of tools at their disposal, from keyloggers installed on endpoints, to man-in-the-middle (MITM) attacks that sniff packets, scan ports, and hijack sessions on the current network segment. In some instances they may delete software libraries or overflow storage with arbitrary data to trigger a call to the helpdesk; this allows them to capture admin-level credentials when the technical support engineer logs in to begin troubleshooting – a technique known as “pass the hash”.
3. Exploit and/or compromise existing vulnerabilities
While work continues trying to capture admin-level credentials, the hackers will also scan for basic security vulnerabilities, a.k.a. low-hanging fruit, elsewhere on the network. Network-attached resources will be scanned for misconfigurations, particularly where default login details have not been changed – or left blank. Such basic vulnerabilities will be a high priority because they most likely will not trigger any monitoring system (IDS/IPS).
By taking control of additional resources, the hackers consolidate access to the network and increase potential attack vectors as more in-depth techniques come into play.
4. Secure access to corporate servers
With access to endpoints secured, attention shifts to the servers where key services and data are hosted. They will create new admin-level accounts in the domain, for instance, helping to reduce the risk of being detected. They will also create new SSH keys and install rootkits to further obfuscate their activities.
Work will then proceed on how best to exfiltrate data without detection. Covert channels like HTTPS proxies and DNS tunnels are perfect for disguising unsanctioned activities because they tend to go unnoticed in the middle of ‘normal’ network traffic. They will also compromise intrusion detection systems through general misconfiguration, or by whitelisting affected hosts to ignore any traffic, thereby deflecting suspicion.
On some occasions, hackers have been known to use off-the-shelf applications to speed up the process. Legitimate network support tools like Radmin, Teamviewer, and Anydesk offer a quick and dirty way to control servers and exfiltrate data without raising too many red flags with their victim’s network security team.
What do hackers hope to achieve?
With admin-level access to a corporate network, cybercriminals are free to do almost anything they choose. Virtually all hacking activities are carried out for profit or as part of an espionage program funded by a foreign nation-state, or corporate competitor.
Data exfiltration is generally a priority. Once in possession of corporate information hackers can search for sensitive details – like credit card numbers – or sell the data to a third party. Where exfiltration is not possible, criminals will search through databases and applications looking for bank accounts, stock trading accounts, corporate encryption certificates, or anything else they may be able to sell.
Some cyberattacks are simply part of a larger project. Supply chain attacks allow hackers to propagate vulnerabilities to other parties, compromising secondary networks from the inside and dramatically increasing their potential targets for instance. Other times they may compromise web applications using code injections; in the case of the British Airways breach, a code injection attack went undetected for 15 days, allowing hackers to capture customer credit card details directly from the ba.com website.
In other cases, attacks may be designed purely to cause maximum damage or disruption. By deleting or corrupting data, business operations can be severely disrupted at a significant cost to the victim.
How to reduce your attack surface?
At the center of your cyber defenses is an understanding that this is an ongoing process; security needs to be constantly reviewed, revised, and strengthened to reduce the risk of becoming a victim.
The first step is to create a series of cybersecurity policies that detail potential risks, and responses to a suspected breach. As well as defining an access control policy to govern permissions, you will need to include cybersecurity concerns as part of the wider personnel policy, emphasizing everyone has a role to play in keeping the company safe. It’s recommended to include security awareness training for employees because people are usually the weakest part of the cybersecurity chain. Finally, a security incident policy will help to define what happens in the event of a suspected breach, and how the investigation and remediation will be handled.
Second, your business needs to look at how network security will be improved. Enhanced identity management will reduce the risk of falling victim to basic login exploits for instance. You will also need to dramatically tighten resource access, using access control lists (ACL) and privileged user management to prevent compromised credentials from being used outside their intended roles.
Change management will also play an incredibly important role in ensuring network resources are properly patched and updated. Maintaining both change control and configuration management registers allow you to quickly trace sanctioned network changes – and those that may have been performed by an unauthorized third party. A similar patch management register will help keep track of systems that have, or have not, been updated.
While we are talking about reducing attack surface, it is good to have an additional security measure in the form of the low-hanging fruits called “honeypots”. Just link them to any monitoring/alerting system, and they will serve you well.
Even with these safeguards in place, there is always a risk of the network being breached as long as it is available on the Internet.
To further reduce potential attack surfaces, best practice principles suggest performing penetration testing at least once per year. In this way, you can identify and patch vulnerabilities before they are exploited. You should also carefully check statutory requirements – PCI DSS compliance demands that a penetration test is carried out at least annually and after significant changes in the environment.
Modern cybercrime is a high-stakes game, with the potential to financially and reputationally ruin a business. It is also a highly technical, resource-intensive discipline, which means many organizations lack the resources and knowledge to test and maintain defenses in-house.”
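The advantio excerpt makes the point that covert channels such as DNS tunnels hide in ordinary traffic, and that a security team able to tell benign from malicious activity is the counter to long dwell times. As an added example, not code from the original page or from advantio, the block below applies three simple heuristics to a constructed DNS query log: for each registered domain it measures how many distinct subdomains were looked up, how long those subdomain labels are, and how much Shannon entropy they carry. Encoded data chunks smuggled out as query names score high on all three, while names like `www` or `mail` do not. The log format, domain names and thresholds are all assumptions for the example; the registered-domain split is deliberately naive (last two labels) where production code would consult the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed query log: "<timestamp> <client> <qname> <qtype>" per line; not real traffic.
# The 32-hex-character labels stand in for encoded data chunks a tunnel would carry.
_BASE = "0a1b2c3d4e5f69788796f5e4d3c2b1a0"   # every hex digit exactly twice
TUNNEL_LABELS = [_BASE[i:] + _BASE[:i] for i in range(0, 16, 2)]  # eight distinct rotations

SAMPLE_QUERIES = "\n".join(
    [f"2024-03-12T02:15:{i:02d}Z 10.0.0.17 {label}.updates-cdn.example TXT"
     for i, label in enumerate(TUNNEL_LABELS)]
    + [
        "2024-03-12T09:00:01Z 10.0.0.5 www.example.com A",
        "2024-03-12T09:00:02Z 10.0.0.5 www.example.com A",
        "2024-03-12T09:00:03Z 10.0.0.6 mail.example.com A",
        "2024-03-12T09:00:04Z 10.0.0.6 api.example.com AAAA",
        "2024-03-12T09:00:05Z 10.0.0.7 www.example.com A",
        "2024-03-12T09:00:06Z 10.0.0.7 cdn.example.org A",
        "2024-03-12T09:00:07Z 10.0.0.7 static.example.org A",
    ]
)


def shannon_entropy(s):
    """Bits of entropy per character; random/encoded labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain) using a naive last-two-labels rule."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_queries(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append({"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3]})
    return records


def score_domains(records):
    """Aggregate per registered domain: distinct subdomains, mean label length,
    mean entropy, and the share of queries using record types tunnels favour (TXT/NULL)."""
    subs = defaultdict(set)
    qtypes = defaultdict(list)
    for r in records:
        domain, sub = split_name(r["qname"])
        if domain is None:
            continue
        subs[domain].add(sub)
        qtypes[domain].append(r["qtype"])
    stats = {}
    for domain, labels in subs.items():
        n = len(labels)
        stats[domain] = {
            "unique_subdomains": n,
            "mean_len": sum(len(l) for l in labels) / n,
            "mean_entropy": sum(shannon_entropy(l) for l in labels) / n,
            "txt_ratio": sum(t in ("TXT", "NULL") for t in qtypes[domain]) / len(qtypes[domain]),
        }
    return stats


def flag_tunnel_candidates(records, min_unique=5, min_len=24, min_entropy=3.0):
    """Domains whose subdomain labels are numerous, long and high-entropy at the same time."""
    stats = score_domains(records)
    return sorted(
        d for d, s in stats.items()
        if s["unique_subdomains"] >= min_unique
        and s["mean_len"] >= min_len
        and s["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_QUERIES)
    for domain, s in score_domains(recs).items():
        print(domain, s)
    print("candidates:", flag_tunnel_candidates(recs))
```

Thresholds like these produce false positives on legitimate content-delivery and telemetry domains that also use long random labels, which is why the output is a list of candidates for an analyst to review (with the TXT ratio as supporting context) rather than an automatic block.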
6 Ways to Protect Yourself and Your Business
As promised, here are some prevention tips from onsip…
“As the IoT grows and AI development expands, so too do correlated cyber threats. Escalation is a constant in cybersecurity, and you should approach it accordingly. Here are some top ways to maintain and improve cybersecurity in your life:
1. Multifactor Authentication
Hopefully, you already use two-factor authentication for most secure logins. It takes a few seconds of your day and packs a heavy security punch. You’re already used to it! For those with access to sensitive business and client information, multifactor authentication is a simple way to add extra protection.
You can’t protect your data or devices if you don’t understand the threats. It only takes one weak password to break a company. With business email compromise expected to rise, can you confidently say that every person in your organization follows the bare minimum in security practices? What about three months from now? Require cybersecurity training, and not just during new employee onboarding. Make it regular, make it thorough, and make sure your team actually pays attention.
3. Prevention Over Containment
The current norm in the cybersecurity industry is containment. When prevention efforts can save more than a million dollars per attack, why on earth would three-quarters of cybersecurity professionals focus on containment instead? Because it’s more accountable. Prevention is too hard and not so neat with exact numbers to drop on a report to the board.
We think that’s one of the most ridiculous things we’ve heard. Instead, be proactive.
Audit your network and website for weak spots so that you have a regular idea of your attack surface. Make patch management a priority. Put resources into a cybersecurity team that can supervise and enforce employee security protocols. Prevention efforts can save a business over a million dollars per attack.
Containment doesn’t help when the damage is done. Focus on prevention.
4. Default Security Settings
If it connects to the Internet, it’s hackable. If we haven’t scared you enough, Google “baby monitor hacked.” On how many of your smart devices have you actively checked and updated the security settings? Factory default settings are rarely strong. To help get you started, we have a guide to securing all aspects of your VoIP phone system.
5. Strong Passwords
We’ve said it before, and we’ll say it again. Use a password manager to generate strong passwords and organize them. All you need to do is remember one extremely strong password and you can access your vault.
6. Use a VPN!
A VPN creates a private network from a public Internet connection. Consider it your seatbelt for the Internet car. As in, it’s not the only safety feature you should have, but it’s one of the most important.”
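The first of the six tips above is multifactor authentication, and the page earlier singles out Remote Desktop without MFA as a top entry route. To show what the second factor actually computes, here is an added example, not code from the original page or from onsip: a minimal implementation of the time-based one-time password (TOTP) scheme used by authenticator apps, built from Python's standard `hmac`, `hashlib` and `struct` modules per RFC 4226/6238. The verifier accepts a code from the current 30-second step or its neighbours to tolerate clock drift, compares in constant time, and refuses to accept the same code twice, which is the replay case a server-side check must handle. The shared secret below is the RFC test-vector secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret, used here only so the code can be checked against published vectors.
SECRET = b"12345678901234567890"


def secret_from_base32(encoded):
    """Authenticator apps exchange secrets as base32 (the otpauth:// URI form)."""
    padded = encoded.strip().upper() + "=" * (-len(encoded.strip()) % 8)
    return base64.b32decode(padded)


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate, reduce mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second slots."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // step), digits)


def verify_totp(secret, code, timestamp=None, step=30, digits=6, window=1):
    """Return the counter the code matched, or None. Checks the current step and
    +/- `window` neighbours, using a constant-time comparison."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return counter + delta
    return None


def accept_code(state, secret, code, timestamp=None):
    """Server-side acceptance with replay protection: a code is valid once, and no code
    from a counter at or before the last accepted one is taken again. `state` is a dict
    standing in for the per-user record a real server would persist."""
    matched = verify_totp(secret, code, timestamp)
    if matched is None or matched <= state.get("last_counter", -1):
        return False
    state["last_counter"] = matched
    return True


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    print("current code:", code)
    session = {}
    print("first use accepted:", accept_code(session, SECRET, code, now))
    print("replay accepted:", accept_code(session, SECRET, code, now + 1))
```

The design choice worth noting is that the `window` exists only to absorb clock skew between phone and server; widening it does not make MFA "more user friendly" so much as it multiplies the number of codes an attacker could guess per attempt, so the replay state and a rate limit on attempts belong next to it.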
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at email@example.com