
OT - for IT guys - how do we stop Russian Hackers?

Phishing and spoofing are getting incredibly hard to spot, even for those of us who are in the field and know what to look for. The hackers are getting very good at it. You need to have the mindset that ANY email you open could be suspicious, even if it appears to be from somebody you know. That's why companies are going with certificate-signed emails, etc. Email phishing and spoofing are becoming a lot like telemarketers on the phone lines. I tell my elderly father daily that every single time the phone rings, it is probably a scammer and he should treat it that way. The same mindset should be used for emails. On a side note, as much as Russia has been blamed, China is also to blame. I have seen the thousands and thousands of attempted hits on a firewall. It's amazing, really.
I agree. My company would get 1000 intrusion attempts per day traceable back to China. There are probably thousands of 14-year-old computer nerds sitting around in their boxer shorts doing this for 8 hours a day, sending this crap around the world. Surely if Bitcoin were regulated and traceable it could stop a lot of this, but that's unlikely to happen. The illegal money laundering through Bitcoin is a big problem and the potential regulators are probably getting paid off to turn a blind eye. If they send out 100,000 intrusion attempts per day, I assume this is possible with automated software programs written for this purpose. They only need to get a good hit on maybe 0.1% to break into 100 networks per day.
I guest lecture on this and my presentation is “The Business of Cybercrime”. I can say that there’s a pipeline of talent coming out of schools that are gearing up to fight this issue. That said, it will be a never-ending battle and that’s why I believe it’s a great and rewarding career.

Some of the points I try to make in my presentation are:
1) Compromised credentials are the gateway to fraud
2) When authenticating a session, start with the assumption that the user’s identity or credentials have been compromised
3) Careless consumers/users are a major threat - think phishing, etc...
4) As more services are moved online, new attacks will continue
5) Hackers are focused on how fast they can convert credentials to cash.
6) Criminal rings that operate like businesses are responsible for a majority of these attacks.

Businesses make a risk decision on how much fraud is acceptable. As the ransomware attacks become more visible and costly, the Boards will react and be forced to make more investments - but the attacks will never stop. As the famous bank robber Willie Sutton reportedly replied when asked why he robbed the bank, he said “Because that’s where the money is.”
Cyber guy here. Former CISO x 4.

It's people who are being attacked, not systems. Very sophisticated people are attacking very vulnerable people, and it works right, left, and sideways. Click on the link and your enterprise is pwned. Attacking systems is yesterday's attack vector. People are the most vulnerable link in any enterprise, and always will be.
 
If you are into cyber crime, this guy is one of the best in the industry. He is now a "journalist" but he's been tracking hacks for several years if not decades:


There are also several realtime threat trackers and here is one. Interestingly, today, it shows that the USA is the originator of 49% of all worldwide threats while the target of 53%:

 
From a corporate standpoint it's not a matter of "if" it's going to happen but "when". Once I was able to get my team and the Executives to begin thinking this way it made everything clearer and easier to address.

No matter how big your company is they will find you and find a weakness (normally an employee or an old forgotten network device that is vulnerable).

I am a current CIO/CISO and we have implemented a robust training course for all employees. We have identified them as our weakest link in this fight. To prepare them we give them weekly micro quizzes, phishing campaigns every two weeks, and send out random tech tips. We give small bonuses for good tech tip catches and have made the phishing campaigns a "game" from a group standpoint to incentivize them. This is ALL for the employee side. On the I/T side we have a hardware company that monitors all traffic 24x7 and a separate software company that monitors all software activities 24x7.

We were hit in 2018 with a ransomware attack requesting $500,000 in bitcoin (one of my old hardware techs left a firewall on the network unattended and unpatched, and we were hit with a brute-force attack). As I mentioned earlier, we planned for "when" not "if". We were down for a total of 24 hours. We had cold spares set up and disconnected from our network to eliminate any possible infection, daily backups of all servers, VMs replicated offsite, and all accounting data backed up and encrypted offsite every 15 minutes. It was a super chaotic 24 hours, but critical systems were up and running within 24 hours and we spent the next 2-3 weeks getting the other necessary systems back up.

I don't think there's any real way to avoid these attacks since the human element is the key component.
 
It sounds like you have a great training program setup. My employer's version of IT security training is: Send a company wide email to announce phishing tests in the next 2 weeks, wait for people to click on the link, and slap their hands. Oh, there's also a static online "course" that takes 5 minutes.
 
Over the past 6 months my 30 employee firm averages about 1 to 2 hack attempts per day. This number is increasing and becoming much more difficult to spot as they are now using information that only someone who did a lot of research would know. We had one in February that got in and shut down our system, threatening to hold out for ransom. The police and feds wanted nothing to do with it. Our tech guys were able to overcome it, but it probably was not a very sophisticated attack compared to these new ones.
 
I thought all we need is LifeLock.
 
This stuff going on now looks like the new normal. I’d be interested to hear from IT guys who work in intrusion security to weigh in as to how these hackers are breaking through companies’ firewalls. What’s next? Electrical grids in Phoenix in the middle of summer, municipal water systems, Netflix, Charles Schwab, or Google? Interested in opinions from those working in the field.
So what's wrong with Russian Hookers and why are they limited to just the "it" guys?
 
It didn't seem the USA really suffered from these debilitating domestically-originated hacking problems until early 2021.

What am I missing? 🤷‍♂️
That SolarWinds hack and the thousands of others that were kept quiet before then?
 
SolarWinds was a hack of vulnerable US Government systems.

My life wasn’t affected, but I can easily see how yours might have been ;)
 
Using this thing called Google will show you references to the thousands of ransomware attacks that have been occurring over the last decade. You only think your life wasn't affected by SolarWinds since that hack opened up avenues to sensitive data referencing pretty much every American. The fact is nobody knows how that data has been or is being used. It most likely is still being collected.
Here is a very short list of ransomware attacks from 2020
 
The gov't needs to be setting traps that will allow them to pinpoint the attackers.
 
I doubt they have very many problems figuring out where the attacks are coming from.
They’re coming from all over, pretty much. This New Yorker article goes into the beginnings of cyber ransoms. Hint: it’s an offshoot of kidnappings for ransom. It seems to be a lot more prevalent than one might think, simply because a lot of companies don’t make their issues public.

 
Yep... and records will show that more attacks come from inside the USA than any other nation.
 
I'm in IT Security and Compliance, and in short, as others mentioned, a lot of companies still view IT Security as "overhead" and not revenue-generating, so it's one of the first things to chop at budget time. When I did security consulting, I argued that Security was revenue generating by citing compromise trends and money lost by companies who failed to take it seriously - some ceasing to exist because of a breach. With all of the technology we have, human error is still the biggest factor when it comes to IT Security. You still need humans to make the right decisions, acquire the right tools, understand and act on risks, and put in the proper resources and processes in place that can fully leverage the capabilities and tools we have.

There is a reason IT security has evolved into a domain (profession) all of its own - there is a lot that goes into it. Security awareness training (focus on phishing and spear-phishing, which is how most ransomware attacks originate), proper alerting and monitoring, proper patching and updating of systems, proper vendor management, regular vulnerability and penetration testing by qualified resources, proper access controls, and proper backups. If you are routinely backing up data and systems to alternate locations, ransomware attacks become less of an issue. It becomes less about prevention and more about your ability to recover. I've audited many companies that will actually spend the money on a sophisticated vulnerability testing tool, but then don't follow through with remediating the findings in a timely manner, or try to explain them away. Systems are too complex, we can't patch this application because it will break that application...
 
ugh! Tell your employer you're not supposed to announce the "Phishing Tests"! You run a campaign, establish a baseline, conduct training, then run them later in the year to see how effective the training is. SMH
 
Oh I have. No one cares--in fact, "phishing season" should be coming up soon. It's usually a summer activity.
 
They hit the ferry service from Cape Cod to Nantucket/Martha's Vineyard just the other day... My parents had just come back across from our house on Nantucket after the Steamship Authority lost control of their software. Boats were fine navigating; it was mostly the inventory of reservations, etc... Been wondering how long the hackers have been setting this up. Will it be business after business here over the next year... Thinking of the hysteria that would take place if they are able to control a bank and people can't get their money out....


https://www.cnbc.com/2021/06/02/ran...-marthas-vineyard.html?&qsearchterm=nantucket
 
The majority of these are 100% NOT HACKS. These are people that do something wrong on the internet or with their email because either they aren't properly trained on how to deal with it or their company is too cheap to invest in technology that will stop people from doing what they shouldn't be doing.
 
They announce the phishing tests so that they get a very low rate of failures. Then they ‘see a great job we did training people to not fall for this?’ Makes them look good, justifies the time and expense, justifies next round of training.
 
People are trying to make this a political problem rather than a criminal problem. I suppose to the extent the criminals live in another country, finding them and extraditing them has political implications, but as a poster stated before, as long as there is money to be made, criminals will continue to attempt to make it through ransomware. These hackers, wherever they live, know that it’s harder to pursue them across borders so they choose their targets in countries other than their own. It’s unrealistic to think that a government can prevent these activities anymore than they can prevent other types of crime - robberies, shootings, smuggling, fraud, etc. from occurring within their own borders.
 
That's a good point, and you are right. It's not a very good simulation however and it's a bad business practice. I'd prefer to make the justification of training argument by showing them how poor the baseline was, then show the results after we implemented a round of training. Execs love metrics, especially when they can see money is being well-spent. It's an "un-tainted" test.
 
Bingo - of course, it can be both a criminal and political problem at the same time if some governments are criminal enterprises.

I'm not saying Putin or the Korean fatboy are criminals, mind you.
 
Make me POTUS and here is how I handle it: First publicly name the company/companies behind some major attack. Publicly show any connection to Putin or Xi or whomever is connected. Then a month later a couple of key players die of some mysterious poison that just happens to be identical to the poisons that Putin has used on his enemies. That would send a pretty unambiguous message not only to hack attacks but also to Putin's audacious murders.
 
Old bald black dude: From the hood and I'm a hornet, and I'ma only sting when I cornered

Michigan Trash Mark Wahlberg: And Ima only sucker punch and swing without warnin
 
Doesn't matter how long and/or complex the password is if it's breached as part of a data leak, malware attack or phishing attack.

The technology exists to eliminate (or at a minimum, minimize) passwords as an authentication method. Businesses need to look for alternatives as opposed to adding “security theater” and blaming the users.
 