Let's talk cyber defence; becoming a human threat detector
Devoid of filter, Jaan Kitsuk's eye-opening talk on human error heralds a necessary wake-up call to all cybersecurity professionals and any of us who use the internet (and in 2022, who doesn’t?).
Through an exploration of the dark world of Ransomware-as-a-Service (RaaS), the industrialization of cybercrime, and the evolution of social engineering, Kitsuk calls on us to become the next generation of champions in the war on cybercrime. Inspired by his talk, I'll highlight some of the factors that are reshaping the modern cyber threat landscape and the actions we must each take to transform human vulnerability into human cyber defence.
FBI IC3 Report - 475% Increase in Cyber Crime
Given the current situation, we must urgently reconsider the most common approaches to securing businesses from malicious actors. A glance through the FBI IC3 report for 2021 makes us painfully aware of the monetary losses cybercrime causes each year. With many companies lacking the necessary cybersecurity knowledge and resources, "paying the ransom" seems like the only way out. The yearly total damages have increased 475% between 2016 and 2021, reaching 6.9 billion USD, and predictions for the future show a continuation of this rising trend.
Social Engineering and RaaS
Research indicates that social engineering is one of the leading attack vectors malicious actors employ to gain access, to private data in the average data breach attempt. Even more concerning is the revelation that the latest generation of hackers no longer needs to know how to write a single line of code to carry out sophisticated attacks, gain access. Cybercriminals are creating full-scale organizations and offering their services in the form of RaaS packages, set up in the familiar Software-as-a-Service (SaaS) format.
The following leaked quote reveals to us the popular thinking amongst cybercriminals today:
“We can’t win the technology war because on this ground we compete with billion-dollar companies, but we can win the human factor.” - a member of the Russia-based group responsible for the Conti ransomware attacks, via Telegram. (Source)
The introduction of RaaS breaks the barrier to entry, allowing script-kiddies, opportunists willing to pay (they'll accept payment via credit cards or crypto currency), and deeply malicious actors to carry out millions of breach attacks daily. The hacker economy thrives on the use of both RaaS and social engineering, so while most businesses are diligent with their technical solutions, hackers continue to rake in stolen dollars by feeding on companies’ most vulnerable resource: the human factor. It is crucial to remember that "the human factor" is not limited to employees, but also includes contractors and anyone with network access (including yourself).
A study of the rapid industrialization and restructuring of the hacker value chain reveals that phases are distributed amongst various specialist threat groups. Malicious actors partner up to combine their expertise, monetizing their ability to distribute via RaaS packages and perpetuating the hacker economy by purchasing from partners beyond their speciality.
As hackers become increasingly proficient in isolating and personally targeting individuals -- organizations and the leaders responsible for a company's cybersecurity program can often find themselves overwhelmed when searching for an effective solution to their human error vulnerabilities. This is especially true considering the various types of errors uninformed users make while on the web.
Protecting your organization from social engineering
Jaan, the CPO and co-founder of CYBR , explains that we must protect our organizations and businesses from these super-charged, targeted attacks. The one-size-fits-all, generic approach to awareness training and attack simulations is outdated, and we must take action to remedy this immediately. CYBR offers the ultimate solution with the combination of Teach AI and Breach AI.
"For us to defeat the hackers, we must think like the hackers and get ahead of them" - Jaan Kitsuk
CYBR's approach is laser-focused on discovering, diagnosing and treating your employees’ individual vulnerabilities. Breach AI carries out sophisticated attack simulations that are uniquely crafted for each employee. Teach AI delivers bite-sized, gamified and engaging training. The results are risk mitigation, measurable changes in security habits and an improved security culture throughout your organization.
Security Culture and Awareness Training
Fostering a strong security culture empowers your organization and employees in the face of cyber threats. A security awareness program, is unlikely to reach its full potential and reap benefits in organizations with a weak or non-existent security culture. Picture this scenario: Let's say that your employees know what phishing emails look like due to an awareness campaign. That's a great first step, however, security culture does not end there. What happens if someone with network access accidentally clicks on a malicious link in an email?
Weak Security Culture
In an organization that lacks in security culture, the employee will likely neglect to report the error due to feelings of shame and embarrassment. This could allow the threat actor deeper access to your organization's private data or worse.
Strong Security Culture
Looking at the same scenario in a company with a strong security culture, instead of feeling fear and hiding their mistake of clicking on a malicious link, the employee is confident about reporting the error immediately, which allows the incident to be isolated and handled more effectively.
Establishing a strong Security Culture throughout your organization propels the effectiveness of your security awareness program forward. You want those with network access to be immediate responders and reliable threat detectors.
Transforming human error into human cyber defence
The following steps are a great way to begin transforming your employees' human vulnerabilities into a human cyber defence force:
1. Update yourself on the current cyber threat landscape
Stay up to date on security issues and changes within the cyber threat landscape. Make sure that your employees are aware of different types of ransomware threats, and know the appropriate measures for potentially infected systems. Doing this will increase your and your employees’ awareness, ensuring you are better prepared for most current threats.
2. Security Culture is non-negotiable
Security Culture must become a part of your work environment. The "once a year" awareness campaign approach is outdated and ineffective when it comes to measurable changes in employee behaviours and habits. In 2022, a cyber awareness programme is a must-have part of any security strategy. Small ways to improve include; ensuring that all operating systems are updated, private keys are kept secure, and that you encrypt files containing sensitive data.
3. Continuous Awareness Training
Allow your employees to maximize their successes and learn from their failures with consistent training and the delivery of personalized attack simulations. Training prepare your employees with knowledge of different types of malware, social engineering attacks, and cyber threats. Attack simulations will give your employees the opportunity to experience cyber threats in a safe environment; allowing them to improve their threat detection abilities. For a clearer perspective of your organization's risk score, try sorting your employees by risk-access level.
Discover more about improving security culture within your organization, explore some of the reasons why you should never reuse the same password or check out the latest on the phishing threat: call back phishing.