
Security Think Tank: Essential tools to mitigate double extortion attacks

The threat of identity theft via a data breach is heightened with the rise of attacks where ransomware threat actors both encrypt and ransom, and exfiltrate and leak their victims’ data. How does this evolution in cyber crime heighten risk for the enterprise, and what steps can we take to safeguard the personal data we hold?

It is sound business sense to fully exploit the revenue potential of any product, so why wouldn’t the developers and controllers of malicious software do the same? Cyber criminals are no longer just encrypting data and demanding money; they are also using the threat of releasing that data into the public domain to pressure victims into paying the ransom.

Ransomware remains one of the most prevalent threats an organisation faces, with phishing emails the main route of infection. Reports from the National Cyber Security Centre and results from the annual cyber security survey of businesses and charities by the Department for Digital, Culture, Media and Sport show that 86% of malicious software attacks involve phishing. New waves of phishing emails purporting to come from “HMRC” and “TV-Licensing” are being complemented by those using the Covid-19 pandemic as a masquerade.

If an individual’s social media privacy settings have not been set correctly and they share too much information on their work-related activities, then this can help attackers make their phishing emails much more plausible. In a recent example, attackers exploited social media information about a project team working in a foreign country. The employees posted details of their location and the project, and the attackers used the information to submit an invoice to the head office in London which was almost paid.

Many cyber criminals sell leaked data on the dark web, and this often creates further waves of attacks long after the original breach, with a supply chain of criminals willing to purchase the datasets. This makes it essential to monitor the dark web regularly.

Managing these risks requires a comprehensive approach using both technical and procedural controls, as well as education.

Putting the technical controls in place

The IT infrastructure needs technical controls that can easily be reconfigured to meet emerging threats while remaining cost-effective and having minimal impact on the user experience. Such controls include using only trusted security software on all devices and keeping software and operating systems up to date through regular patching.

Adoption of cloud services can also help to mitigate a ransomware infection, because many cloud services retain previous versions of an organisation’s data.

Encryption is another option, but the business case needs to be clear, and in some cases there are regulations that demand it is adopted as a minimum security requirement.

Creating the right culture through education

Phishing attacks can be mitigated by implementing email gateways that try to trap phishing emails, but these will never stop 100% of the potential attacks, making a user education programme essential.

There are some simple things a user can look out for that help them judge whether an email is genuine, and a key part of this approach is training people not to click on a link or enable macros unless they are completely sure the email is genuine.

This is increasingly important with growing numbers of staff working at home who need to ensure they keep their work separate from their home-based IT systems.

Hiding data in plain sight

Protecting data is no longer just about preventing access, but about ensuring that it is only shared based on who is requesting it. Watermarking data (adding unique values that identify which copy of the information was compromised) and data loss prevention tools can also be useful.
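One way to put the watermarking idea above into practice, as an added example that is not from the article: every recipient of a shared extract receives a copy seeded with canary records whose addresses are HMAC-derived from a key only the data owner holds, so a record that later surfaces in a leak can be traced back to the copy it came from. The dataset, the recipient names and the key are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample dataset: fictitious records, not real personal data.
CUSTOMERS = [
    {"id": "1001", "name": "A. Example", "email": "a.example@example.invalid"},
    {"id": "1002", "name": "B. Example", "email": "b.example@example.invalid"},
    {"id": "1003", "name": "C. Example", "email": "c.example@example.invalid"},
    {"id": "1004", "name": "D. Example", "email": "d.example@example.invalid"},
]

# Secret held only by the data owner (constructed demo value; store a real one securely).
WATERMARK_KEY = b"constructed-demo-key-do-not-reuse"


def canary_email(recipient: str, index: int, key: bytes = WATERMARK_KEY) -> str:
    """Derive an unguessable address bound to (recipient, index) via HMAC-SHA256.

    Without the key, a recipient cannot tell which records are canaries or forge
    a canary that points at someone else."""
    msg = f"{recipient}|{index}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]
    return f"ref-{tag}@example.invalid"


def watermark_copy(rows, recipient, n_canaries=2, key=WATERMARK_KEY):
    """Return a copy of rows with n_canaries synthetic records spread through it,
    so that even a partial leak is likely to carry at least one canary."""
    out = list(rows)
    step = max(1, len(out) // n_canaries)
    for i in range(n_canaries):
        canary = {"id": f"9{i:03d}", "name": "R. Reference",
                  "email": canary_email(recipient, i, key)}
        out.insert(min(i * step, len(out)), canary)
    return out


def attribute_leak(leaked_rows, recipients, n_canaries=2, key=WATERMARK_KEY):
    """Map each recipient whose canaries appear in leaked_rows to the number matched.
    An empty result means the leak carries no canary for any known recipient."""
    seen = {str(r.get("email", "")).strip().lower() for r in leaked_rows}
    hits = {}
    for rc in recipients:
        matched = sum(canary_email(rc, i, key) in seen for i in range(n_canaries))
        if matched:
            hits[rc] = matched
    return hits
```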

One of the main questions we are asked when responding to an incident is: “Can you find our personal data?” The ability to identify PII present across large IT estates is essential and a fundamental part of complying with the General Data Protection Regulation (GDPR), which requires an inventory of the PII held by the organisation.

Moving away from the password

Advances in biometric authentication – now prevalent on mobile telephones – are becoming more sophisticated, allowing less intrusive means of authentication. Innovations such as Microsoft Hello are replacing passwords with biometrics and a simple PIN.

Recently, the State University of New York announced that it had successfully created a 3D finger vein biometric authentication method that provides levels of specificity and anti-spoofing that were not possible before. Such advances in technology will remove the chances of weak or reused credentials being exploited.

Using AI to spot a potential breach

Artificial intelligence (AI) is becoming a fundamental part of protecting an organisation against data loss. In a complex environment faced with many threats, the traditional approach of just monitoring technical feeds is no longer enough.

This is where AI can play its part: learning what the normal, accepted level of security looks like and then spotting trends across a wide range of technical and human factors that indicate risky behaviour or actions. Spotted in real time, these can prevent data loss before it occurs.

It is clear that a full range of all these tools will be needed to protect personal data effectively.

Jim Metcalfe is a cyber security expert at PA Consulting.
