WatchPoint Security Blog

Carbon Black - Cybercriminal Payback Time

Written by Greg Edwards | November 17, 2015

Fixing the Problem: Cybercriminal Payback Time

In our first article about modern cyber security and its impact on the small to medium-sized company, we looked at the scale and scope of the problem in the current cyber crime landscape. In this article, we will focus on how to fix the problem.

OK, none of us have a hotline to Superman, and Batman is out of town. What we do have, however, is access to state-of-the-art, effective security technology that is built for smaller companies like yours. This article will look at how that technology works against some of the most serious threats to your business and your customer base.

Fixing the Problem: Malware Infection

Ransomware, like Cryptolocker, is one of the biggest malware problems there is, especially for the SMB. Ransomware has even been described by the Georgetown Law special panel on Cybercrime 2020: The Future of Online Crime and Investigations as “…the future of cybercrime”. This means that we should expect the problem to simply get worse.

Malware threats like ransomware are best handled across several layers and with a highly defensive posture. Malware often gets onto our networks via email, either as an email attachment or by taking a user to an infected website via an email link. The malware threat is changing too: cybercriminals now also use seamless infection via ‘drive-by download’, where you don’t even have to click anything to become infected. So how do you stop infection by malware?

  1. The first thing you can do is to make your employees aware of the threat and how it can get onto your network.
  2. The second thing is to make sure the software installed across your network is patched and up to date. Many of the malware threats work by finding software holes or ‘vulnerabilities’. For example, your browser, if out of date, may contain one of these holes and will allow the drive-by download software to execute without you even being aware that it has.
  3. Use security intelligence to prevent infection. The above two methods are important, but malware can still get through your defenses. This is especially true if the malware targets a ‘zero-day vulnerability’. This type of software hole has no patch yet, so it can’t be fixed by updating. Only surveillance software like Carbon Black can prevent this type of malware infection by spotting it before it happens.

So the layered approach to malware infection prevention is:

Educate/Patch/Monitor


Fixing the Problem: Protecting Login Credentials

Login credentials are one of our keys to the kingdom. Administrator credentials doubly so. Cybercriminals are after them, and once they have them, they can get into your network, causing loss of company intellectual property, accessing customer data such as financial details and Personally Identifying Information (PII), and even damaging your systems. The damage that can be caused is especially concerning if you are a manufacturer. Dell, in its 2015 Annual Security Threat Report, found that cyber-attacks against Supervisory Control and Data Acquisition (SCADA) systems, i.e. the types of software needed to run manufacturing systems, increased by 100% between 2013 and 2014.

Login credentials are typically stolen using a spear phishing email. These can be credentials that let the thieves access your bank account, or your network and databases. Spear phishing emails specifically target certain employees, typically administrators or business owners. The spear phishing email looks very real. It uses social engineering and trust to get people to click on the email. FireEye has found that spear phishing emails have a 70% open rate. Once opened, 50% of recipients will then click on the malicious links, with the ultimate result of stolen login credentials.

With such clever tactics, it is difficult to educate users to change their behavior. The cybercriminals know their target and know how to make them click on that bad email link. The best way to prevent the loss of credentials via this method is, again, to use some system of surveillance. The use of already collated security intelligence, such as that used by the Carbon Black network, gives insight into the types of threats out there and can alert you to problems before they become incidents. However, if the worst does happen and your administrator’s credentials are stolen, rapid remediation of the situation is your best course of action. You don’t need a team of security experts in-house to do that; WatchPoint Data can offer live incident response to give you peace of mind.

To reiterate, the best way to mitigate the issues around credential theft is to:

Monitor/Live incident response


Fixing the Problem: Stop Data Being Stolen

Data thieves are after all types of data. Data can be your intellectual property or company proprietary information. It can be your customers’ personal information like addresses and social security numbers. It can be your company’s or your customers’ financial details. Whichever it is, it has value to cybercriminals.

Data loss is driven by a number of mechanisms. Some we have already talked about, i.e. phishing emails and malware, but data can also be lost through insider threats. Insider threats are an area of cyber security that is very difficult to manage, but one that has a major impact on company security.

Preventing data loss is a multi-pronged action. You can do many things to protect your interests including:

  1. Preventing malware infection
  2. Protecting against phishing attempts
  3. Managing insider threats by regularly monitoring the network for suspicious and unusual behavior (as recommended by the FBI, as well as PWC in their Managing Insider Threats report)
  4. Ensuring that devices like USB keys are controlled (see our earlier post on How to be a Hacker)

Preventing insider losses requires:

Education/Patching/Monitoring/Live incident response


Fixing the Problem: Aftermath Remediation

You may do everything by the book. You’ve educated your users, patched your systems and have robust monitoring in place, but still, cybercriminals can find ways through your defenses. This is because it is the job of cybercriminals to do so, and they do it well, as exemplified by the breaches of major companies we see in the news each week.

Small companies can go out of business when a cyber incident occurs. The costs are high. According to The Hartford, the average cost of a data breach is $3.5M, and breach notification alone costs $565,020. Almost every state now has mandatory reporting laws.

The FBI reports that between October 2013 and August 2015 there were 7,066 incidents of Business Email Compromise (BEC), with $747,659,840.63 in losses in the US alone. That is an average of $105,810 per incident, which, of course, for companies under U.S. law, isn’t reimbursed by the bank.

If the threat becomes a breach, you are faced with several possibilities:

  1. You lose time and money and possibly even reputation after the breach
  2. You are insured, and you can make a claim
  3. You have access to a rapid remediation team like the WatchPoint Data Live Incident Response Team, who can make sure the incident is contained and can help to fix the damage and make sure it doesn’t happen again

Aftermath control:

Cyber Liability Insurance/Live incident response/Close off the gap


A Secure Future

Cybercriminals and their threats do not have to take over your business. You don’t have to spend a fortune, or employ in-house security experts, to have control over those threats. You just need to be aware of your options and put in place the right measures to give you, your business, and your customers a secure future.

With WatchPoint's Security Solution, for the first time you'll:

  1. Know someone is securing your business.
  2. Have true visibility into your digital assets.
  3. Have a support staff dedicated to safeguarding your network.