A common saying in the cybersecurity world is “There are two kinds of companies: those that have been breached and those that just don’t know it yet.” The scariest part of this phrase is the “just don’t know it yet.” No breach is good, but at least when you know about it, you can start taking steps to remedy it.
These days, many cybercriminals lie in wait and hide inside of compromised systems, often for months, before making a move.
One of the reasons today's attackers break into a system and then hide is simple: the quality of the target they are after.
To explain, let’s back up for a minute: We’ve seen more and more cases recently of phishing attacks using an actual person’s email address. An attacker breaks into the account of a high-level company official (usually by stealing credentials in an earlier phishing attack), then uses that person’s email to request a wire transfer from a lower-level employee. Typically, they just make up a scenario where it would be needed (traveling and lost their wallet, a client is upset, etc.).
In some cases, though, attackers will break into the high-level official’s account and wait for an actual request for money. Then, they will jump into the middle of an email chain and direct a wire transfer or invoice payment to their own account instead of to the legitimate parties involved. This increases their chances of successfully getting the money.
That kind of attack takes careful reconnaissance. The attackers first must decide who the target is: the more important and higher up the corporate food chain, the better. Next comes gaining access, whether through a phishing email, brute force or malware, to weasel their way into the network.
After that comes the hard part: waiting and carefully selecting the time to strike. Why would they waste time stealing social security numbers and personal data when they could redirect a wire transfer for hundreds of thousands of dollars? All that it has cost them up to this point is time, and their patience is handsomely rewarded, albeit with someone else’s money.
The other reason attackers sit watching and waiting in a system is quantity. The longer they go undetected, the more personal information they can steal, which they can then use to steal identities or sell on the black market.
Let’s look at an actual incident from 2017: A medical office in Atlanta had a ransomware attack on their system. While this was resolved without paying the ransom, it uncovered that hackers had access to their system from February of 2016 to May of 2017. That’s 15 months that someone had unauthorized access to social security numbers, names, driver’s license numbers, addresses, phone numbers, prescriptions and insurance information.
Imagine the illegal activities that these cybercriminals can now engage in: credit card fraud, obtaining prescription drugs, insurance fraud, just to name a few. Of course, it would have been easier for the attacker to simply jump in, grab some data and run. But by staying silent, they were able to grab much more information than they would have in a smash-and-grab attack.
One question we don’t know the answer to is whether the breach would have been discovered at all if the office hadn’t also been hit with ransomware. Unfortunately, there isn’t a great way to detect if someone is already in your system without good intrusion detection and prevention systems already in place.
Your best bet is to set up alerts for unusual network activity like logins from foreign locations (or multiple logins in different locations in a short amount of time), multiple login failures, a user downloading massive amounts of data at once, spikes in network activity, etc.
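To make those alerts concrete, here is an added example (not code from the original post) that implements three of the rules above as simple sliding-window checks over a handful of constructed log lines: the same user logging in from two different countries within a short window, a burst of failed logins, and a user pulling an unusually large volume of data in one hour. The log format, the field names (`user`, `src`, `bytes`) and the thresholds are assumptions chosen for the example; a real deployment would read from its own authentication and proxy logs and tune the thresholds to its baseline.

```python
"""Added example: three of the post's alerting rules as sliding-window checks.
The log format and thresholds below are assumptions for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). Assumed format:
# "TIMESTAMP action [outcome] key=value ..."
SAMPLE_LOG = """\
2017-05-01T08:00:00 login success user=alice src=US
2017-05-01T08:20:00 login success user=alice src=RO
2017-05-01T09:00:00 login failure user=bob src=US
2017-05-01T09:00:05 login failure user=bob src=US
2017-05-01T09:00:10 login failure user=bob src=US
2017-05-01T09:00:15 login failure user=bob src=US
2017-05-01T09:00:20 login failure user=bob src=US
2017-05-01T10:00:00 download user=carol bytes=700000000
2017-05-01T10:05:00 download user=carol bytes=600000000
2017-05-01T11:00:00 login success user=dave src=US
2017-05-01T18:00:00 login success user=dave src=GB
"""


def parse_events(text):
    """Turn each log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": datetime.fromisoformat(parts[0]), "action": parts[1]}
        for field in parts[2:]:
            if "=" in field:
                key, value = field.split("=", 1)
                ev[key] = value
            else:
                ev["outcome"] = field  # e.g. "success" / "failure"
        events.append(ev)
    return events


def impossible_travel(events, window=timedelta(hours=2)):
    """Same user with successful logins from two different countries within
    `window` of each other. Returns (user, previous_src, new_src) tuples."""
    last = {}  # user -> (timestamp, src) of the previous successful login
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login" or ev.get("outcome") != "success":
            continue
        prev = last.get(ev["user"])
        if prev and prev[1] != ev["src"] and ev["ts"] - prev[0] <= window:
            hits.append((ev["user"], prev[1], ev["src"]))
        last[ev["user"]] = (ev["ts"], ev["src"])
    return hits


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logins inside a sliding window."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login" or ev.get("outcome") != "failure":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop entries outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["user"])
    return sorted(flagged)


def bulk_downloads(events, limit_bytes=1_000_000_000, window=timedelta(hours=1)):
    """Users whose download volume inside a sliding window exceeds limit_bytes."""
    recent = defaultdict(deque)  # user -> (timestamp, bytes) of recent downloads
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "download":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], int(ev["bytes"])))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if sum(size for _, size in q) > limit_bytes:
            flagged.add(ev["user"])
    return sorted(flagged)


def run_rules(text=SAMPLE_LOG):
    """Run all three rules and return their hits keyed by rule name."""
    events = parse_events(text)
    return {
        "impossible_travel": impossible_travel(events),
        "failed_login_bursts": failed_login_bursts(events),
        "bulk_downloads": bulk_downloads(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(f"{rule}: {hits}")
```

Note that `dave` is not flagged: his two logins are seven hours apart, which is outside the two-hour window, so the rule does not fire on ordinary travel. Picking the window, the failure threshold and the byte limit is the real work; set them from what your own logs look like on a normal day so the alerts stay rare enough that someone actually reads them.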
Multi-factor authentication can also help alert you if something is up. If you (or anyone on your team) start getting verification requests that you didn’t generate, that’s a pretty good indication that someone is trying to access your account.
It goes without saying that the world is becoming a far less secure place in the realm of data security. As always, if you see something, say something. The slightest detail may be the clue that breaks an investigation wide open.