Proofpoint has long maintained that people, not technology, are the most critical variable in a successful cyber attack. And while this assertion has gained more traction year by year, the events of 2020 have truly thrown it into the spotlight.
The pandemic saw teams around the world rush to support and secure remote working, with attack surfaces and points of entry increasing rapidly, almost overnight.
This presented an incredible opportunity to cyber criminals, and they wasted no time in taking it. By mid-March 2020, about 80% of all threats we scanned daily used COVID-19 themes. And almost every threat actor we tracked used pandemic-related content at some point over the year.
Here in 2021, with most of us well-versed in the new way of working, the lures used by cyber criminals may have changed. But the relentless targeting of our people has not.
Such people-centric attacks require a people-centric defence. And this is only possible when you understand:
- Where your users are most vulnerable
- How attackers are targeting them
- The harm caused when your privileged accounts are compromised
Putting users to the test
User security awareness levels are the cornerstone of any effective cyber defence. So, you must regularly assess their threat-spotting capabilities. Simulated phishing exercises are a crucial part of this strategy.
Our annual State of the Phish report analysed how users responded to more than 60 million simulated phishing emails during 2020. By comparing the average failure rates, we can see where users are most vulnerable.
- 20% of users failed attachment-based phishing tests. This is where attacks contain malicious files.
- 12% failed link-based tests by clicking on unsafe URLs.
- 4% failed data entry-based tests. This is where a user is taken to a fake login page and asked for credentials.
While you should absolutely test users’ awareness of common threats like phishing and credential theft, it’s important to note that not all successful attacks are commonplace.
Steganography, for example, which involves hiding malicious code in pictures and other file types, appears in few targeted campaigns. However, it generates clickthrough rates of over 1 in 3.
Fraudulent CAPTCHA campaigns are relatively rare too, yet they generated 50 times the click rate in 2020 compared with 2019.
Getting to know your attackers
Once you understand the attacked, it’s time to get to know the attackers. In 2020 Proofpoint identified 69 active threat actors.
Threat actors use a wide range of techniques to sidestep security controls, trick victims into activating the attack and infect targeted systems. But whatever the method or indeed the motive, techniques that require the recipient to interact with an attachment or directly with the attacks rose substantially.
Unsurprisingly, credential theft still leads the way, accounting for more than two-thirds of all malicious messages last year. Damaging enough on its own, this particular threat can also be a starting point for a much more devastating attack: Business Email Compromise (BEC).
One of the most financially damaging threats to businesses of all sizes, BEC represents 44% of all reported cyber crime losses – costing organisations around $1.8 billion in 2020 alone. [1]
Ransomware is on the rise too, increasing by 300% last year. In total, we saw over 48 million messages capable of being used as an entry point for malicious payloads.
Remote access Trojans also remain popular, appearing in nearly a quarter of all email threat campaigns last year.
Protecting the privileged
Attacks on any member of your organisation can be potentially devastating. But attacks on those with privileged access to networks, systems, and data can be catastrophic.
A compromised high-level user is a significant insider threat, so it’s paramount that you do all you can to secure privileged accounts. A shift towards remote work, coupled with changing log telemetry and evolving access requests, has made this process far more challenging.
Cyber criminals are well aware of this fact and are already adapting their tactics in response. Organisations must adapt too, monitoring a wide range of insider threat alerts. The top 5 were:
- Connecting an unlisted USB device
- Performing large file or folder copy
- Exfiltrating tracked file to the web by uploading
- Opening a clear text file that potentially stores passwords
- Downloading file with potentially malicious extension
Crafting a people-centric defence
Cyber attacks are inevitable. But most can’t succeed without human help. That’s why all organisations should put their people at the heart of their cyber defence.
Deploy a solution that gives you visibility into who’s being attacked, how they’re being attacked, and how they respond. Find out how: Read The Human Factor 2021 report.
[1] Source: FBI. “2020 Internet Crime Report.” March 2021.