Time and again, cybercriminals have proven to be agile operators, sharpening and transforming their tools in response to world events and trends.
As Kroll’s Paul Jackson put it, “criminal ingenuity is constantly improving and organized crime becoming more organized.”
Kroll, where Jackson serves as Asia Pacific lead for its cyber risk practice, is a New York-based provider of services and digital products related to governance, risk and transparency.
Jackson cited a case in point: more than 20,000 COVID-19-related domains and 2,500 Zoom-related domains were registered in May 2021 alone, as criminals pounced on people’s fear of COVID-19 and on vulnerable work-from-home setups.
Along with Kroll managing director James McLeary and senior vice president Jay Gomez, Jackson conducted a session on cybercrime and security for almost 100 Lopez Group employees in August.
Further, Jackson shared a July 2021 report from Intel471 indicating that ransomware attacks, in which attackers encrypt or lock a victim’s files or data and demand payment before restoring access, accounted for as much as 75% of cybersecurity breaches, with Europe (35%), North America (32%) and Asia (13%) as the three most targeted regions.
In terms of breaches reported by sector, professional services and accounting represented 19%, followed by manufacturing (17%); consumer and industrial products (15%); technology, media and telecom (10%); and energy, resources and agriculture (9%).
Hackers target these sectors because they hold critical data that, if hijacked, would disrupt their business operations, which makes them more likely to pay a ransom, Jackson said.
Domain name spoofing, in which a look-alike domain visually impersonates a legitimate one, is the lure used in business email compromise (BEC) and also saw an uptick during the pandemic. The scam has become so rampant that it accounted for a third of cybercrime losses in 2020.
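The look-alike domain trick described above, as an added example that is not from the page or from Kroll: a small Python check that flags sender domains which are visually or typographically close to a company’s real domain, the way a mail gateway or a threat-hunting script might. The legitimate domain `lopezgroup.example`, the sample `From:` headers and the confusables table are all constructed for illustration; the table is a small subset of Unicode’s confusables list, and the second-level-label shortcut stands in for a Public Suffix List lookup.

```python
import unicodedata
from email.utils import parseaddr

# Constructed subset of visually confusable characters (Cyrillic, Greek, digits).
# Unicode's full confusables.txt is much larger; extend as needed.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",          # Cyrillic a e o p c x y i
    "\u03bf": "o", "\u0131": "i",                           # Greek omicron, dotless i
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",       # leetspeak digits
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}                  # two glyphs that read as one


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels to Unicode; return other domains unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain          # already Unicode, or malformed punycode


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'lopezgroup' in 'mail.lopezgroup.example'.
    Simplification: a real deployment would consult the Public Suffix List."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label: str) -> str:
    """Collapse a label to its visual skeleton so homoglyph variants compare equal."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, repl in MULTI_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single typos and letter transpositions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str, legit_domain: str, max_edits: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender domain.
    max_edits=2 suits brand labels of about 8+ characters; use 1 for short names."""
    sender = to_unicode(sender_domain.strip().rstrip(".").lower())
    legit = legit_domain.strip().rstrip(".").lower()
    if sender == legit or sender.endswith("." + legit):
        return "legitimate"                      # exact match or a genuine subdomain
    s_label = skeleton(registrable_label(sender))
    l_label = skeleton(registrable_label(legit))
    if s_label == l_label:
        return "lookalike"                       # homoglyph, punycode or TLD swap
    if l_label in s_label:
        return "lookalike"                       # brand padded with a token, e.g. brand-billing
    if levenshtein(s_label, l_label) <= max_edits:
        return "lookalike"                       # typosquat or transposition
    return "unrelated"


# Constructed From: headers for the demo, not real traffic.
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <accounts@lopezgroup.example>",
    "ap@lopezgr0up.example",
    "CFO <cfo@lopez-group.example>",
    "payments@lopezgroup-billing.example",
    "vendor@supplier.example",
]


def triage_from_headers(headers, legit_domain: str) -> dict:
    """Map each address in a batch of From: headers to its verdict."""
    verdicts = {}
    for header in headers:
        _, address = parseaddr(header)
        domain = address.rsplit("@", 1)[-1] if "@" in address else address
        verdicts[address] = classify_sender(domain, legit_domain)
    return verdicts


if __name__ == "__main__":
    for addr, verdict in triage_from_headers(SAMPLE_FROM_HEADERS, "lopezgroup.example").items():
        print(f"{verdict:10s} {addr}")
```

Two caveats worth keeping in mind. SPF, DKIM and DMARC only authenticate mail as coming from the domain it claims; they do nothing against a look-alike domain the attacker has legitimately registered, which is why a check like this sits beside them rather than replacing them. And the substring rule (`l_label in s_label`) will over-flag short brand names, so tune both it and `max_edits` against real mail flow before acting on the verdicts automatically.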
Even as he reiterated that it is a valuable networking tool, Jackson warned about social engineering scams using LinkedIn, where criminals make up headhunter profiles and lure targets with offers of better-paying jobs; they then email the victim a job description file that infects their computer when they open it.
“If you connect with somebody on LinkedIn, somehow it seems you can trust them. It is very easy to social engineer people into accepting malicious documents. Be careful how you represent your role because bad guys are looking for decision makers,” the cybersecurity expert cautioned.
Companies looking to protect themselves need to identify their “crown jewels” or most important assets, determine their risk appetite, do a cyberthreat scenario assessment (“know your enemy in order to protect yourself”) and, lastly, address these risks by putting the necessary improvements in place.
But if the unthinkable happens and an incident is reported, who do you turn to? What do you do?
Outlining Kroll’s response to BEC and domain name abuse incidents, Jackson referred to a case in which an invoice to a third party was intercepted and the payment diverted to the criminals.
In such a case, the team examines the email systems to establish where the compromise occurred. This is often a slow and complex process that can be hampered by various roadblocks. One is bulletproof hosting, where criminals rent infrastructure in jurisdictions with little or no law enforcement reach.
Stressing that “email is a critical gateway to your whole organization,” he recommended that companies build up their email defenses, conduct threat hunting and verify that they are not already compromised. It is also important to escalate an incident to the cybersecurity team within 24 to 48 hours.
When it comes to data breach cases, Jackson said “organizations should have a conversation about how they respond to it.”
“To start, you need to see what the attackers had done within the network—where they got in, how they got in and did they move around in the network. This is our core function. We come in and we immediately deploy tools that allow us to have this visibility and will start to tell the story of what actually occurred,” Jackson explained.
Aside from identifying which data could be at risk, the team will also determine what the attackers actually did with the data.
“Did they take it out, just look at it, damage it, encrypt it. More importantly, you need to know if the attackers are still in the network. You cannot do business securely until you are sure attackers are no longer in your network,” he stressed.
The latter part of the process includes, with the help of the company’s leaders, deciding what is reportable to the authorities and when to report.
In the end, companies can learn the answers to these questions only by testing: running through different scenarios and doing tabletop exercises.
Emergence of the CISO
According to James McLeary, the CISO role emerged only in the last few years. The CISO must be someone who is technologically competent and can promote the security agenda in a way that will resonate with his or her peers. He or she can be a full-time employee or an external expert; given the difficulty of hiring the perfect person for the job, McLeary said it is entirely possible to hire two people—an in-house CISO and an external adviser.
With regard to choosing the right cybersecurity framework, Jackson asserted that it should not be an IT decision as it is something that affects the whole company.
McLeary agreed: “A lot of the success of the security function will hinge upon making sure the framework is the right one and that everyone has bought into it.”
One example is the widely adopted National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which uses language that non-technical executives can readily buy into and helps connect the security agenda to the company’s overall vision, mission and strategy, McLeary said.
“It just really revolves around five key pillars: identify, protect, detect, respond and recover. Business impact is critical—you don’t want to be out of business for days or months on end. You want to recover quickly. So, this is what these frameworks provide you,” Jackson said of NIST.
Since Kroll itself neither develops software nor manufactures hardware, it can independently advise clients on picking the best solutions for their company.
“We see companies buying these very expensive solutions and no idea how to deploy them, or they buy these solutions before they’ve got a governance framework, before they’ve identified what they’re actually protecting,” Jackson said.
At the end of the day, however, tools and technology are only a small part of the solution.
“Having the right people, the right advisers is the greatest part of any effective security practice. It’s all about the people,” Jackson stressed.