The proliferation and growing sophistication of artificial intelligence (AI) could have serious implications for how cyber criminals coordinate attacks on the global economy. In what is already an unending arms race, with global corporations trying in vain to stay one step ahead of criminals and hactivists, the potential benefits of using AI and machine learning tools to develop new attack methods could be substantial.
That said, there could also be benefits to those whose job it is to keep firms safe and limit the scope and severity of attacks. Dmitri Alperovitch, the co-founder of information security firm CrowdStrike, was recently quoted in the UK newspaper, the Guardian*, as saying: “My prediction is it’s going to be more beneficial to the defensive side, because where AI shines is in massive data collection, which applies more to the defence than offence.”
What one cannot deny is that social engineering attacks have ballooned in recent years in tandem with the growing number of interconnected devices.
“There has been an explosion in the number of connected devices and smart phones, leading to more network traffic and more data available for social engineering exploits,” comments Steve Banda (pictured), Senior Product Manager at Eze Castle Integration.
Last year, Gartner Inc* forecast that there would be 20.4 billion connected devices by 2020 with Greater China, North America and Western Europe accounting for 67 per cent of the overall Internet of Things (IoT).
Social engineering is the obvious starting point for cyber criminals as they exploit endpoint vulnerabilities and construct a way to capitalise on the weakness of humans.
That trend is nothing new but as Banda explains, “We are starting to see that some of these attacks are not only financially motivated but also politically motivated. At the same time, hactivist and espionage groups are becoming more active in launching sophisticated attacks.
“Take a wire transfer scam as an example, which are more successful than one may think as it preys on an employee’s nature to be helpful and responsive to senior management requests. The scenario often starts with an employee receiving an email asking for a wire transaction to be initiated in another system. The email looks credible, and the end user is not being asked to simply click on a link in an email (like historic phishing scams).
“Behind the email, the attacker orchestrates an entirely fictitious environment in which the individual thinks they are executing a wire transfer securely. That type of attack is becoming something that is quite scary and highlights the importance of employee training around process adherence and security policies.
“Stealing credentials is another type of threat method that has been in play for a while and continues to evolve as are short-term opportunistic phishing attacks,” says Banda. “With the latter, attackers leverage timely, top-of-mind events such as tax season to try and trick people. On the flipside, Eze Castle Integration sees long-term phishing attacks where attackers take time to work through an organisation.
In a long term attack, there is no instantaneous harm done to one’s organisation. That advanced persistent threat is dangerous because the hacker can sit in the background, quietly monitoring an organisation, seeing how emails are worded, and what the organisational structure is.
But there are plenty of safeguards that firms can take, both technical and human, and this is something that Eze Castle Integration is particularly focused on with its Eze Phishing and Training Program.
A layered approach for protection
From a technical perspective, Eze Castle advises clients to employ layers of security defence. Starting from the outside of an organisation and moving in, it’s about having perimeter level protection such as next generation firewalls and continuous monitoring. Then email security solutions for filtering spam, malware, detecting phishing attacks, as well as securing one’s end points by having antivirus tools and patch management tools.
“Even at a basic user level, it is about ensuring you have sufficient access controls in place; controlling what your end users can access, how they can access systems remotely, managing how often they keep their passwords up to date, employing multi-factor authentication to access data and so on.
“Finally, mobile device management allows you to monitor and manage all of the devices that are connected to your network from a central location,” explains Banda.
Additional technical safeguards might include an intrusion detection and protection system to monitor and control what data comes in and goes of the network. Having a data back-up solution is also a prudent safeguard,” adds Banda.
Creating human safeguards
There are three core components to the Eze Phishing and Training Program.
The first involves security awareness training, which is computer-based training designed to take users through key concepts. At the end of the training there is an assessment to test understanding. This helps to establish a foundation in understanding cybersecurity and the threat landscape.
The second core component is running phishing simulations.
“We come up with and source various phishing campaigns, which are designed to trick users. We execute these on a periodic basis with all of our clients. An employee will receive a message in their inbox and there are a variety of actions offered. They might be asked to click a link, download an attachment, or they might be asked to provide credentials. In the event of doing one of these things, the person is instantly greeted with a new screen saying ‘You’ve just failed a phishing test’.
“It’s a gotcha moment and the whole point is to try and catch people and help them learn best practices in order to avoid getting caught next time. We point out what they should have spotted in the email as part of the assessment to educate them and raise awareness,” comments Banda.
The third component involves reporting on the various assessments that Eze Castle Integration conducts based on the data it collects on how people respond to these attacks.
Banda says the findings range quite a bit. “You might get a 30 per cent click rate, which is roughly average, within one organisation, and you expect that this falls over time as the firm continues to train staff with phishing simulations.
“Without doubt, we have seen this as an effective method of training. It definitely raises awareness and it constantly puts pressure on us to come up with new creative ways to catch end users.
“You end up trying to mimic what is happening in the real environment and that is key. There could be an advantage to doing one of these attacks after people have left the office for the day and are checking their mobile devices,” outlines Banda.
Eze Castle has a data privacy and security team that helps clients with the full spectrum of cybersecurity preparedness from plan and policy development to technology implementation and training.
As Banda concludes: “Take every safeguard possible. In doing so, you will prevent attacks as best you can. Even if a breach were to occur, you will be well placed to mitigate the effects of that attack. Have a culture of ongoing awareness within your organisation.”