How to Prevent Increasingly Personalized Attacks From Hackers


For today’s hackers, it’s personal. Rather than the massive “spray and pray” tactics of yesteryear, today’s cybercriminals are getting creative with highly targeted and highly personalized attacks. And it’s working.  

Quality over quantity  

It used to be that hackers primarily targeted institutions with generic phishing campaigns. Armed with better intel, today’s cybercriminals are carrying out individually targeted, highly personalized attacks. According to IBM’s X-Force Threat Intelligence Index, phishing was the top infection vector at 41%, with password spraying representing a meager 1%. This personalized approach is paying off big time. According to the Cost of a Data Breach Report 2022, conducted independently by Ponemon Institute, and sponsored, analyzed, and published by IBM Security®, the average cost of a data breach with phishing as the initial attack vector was $4.91 million.

“By utilizing open-source intelligence gathering and social engineering techniques, bad actors not only know who to target for maximum access and impact, but how best to capture that person’s attention based on their interests,” explained Stephanie “Snow” Carruthers, Chief People Hacker for IBM X-Force Red, whose job as a social engineer is to find an organization’s weaknesses and exploit them before the hackers do. Through a specific employee, hackers can gain access to vital networks and move laterally through the system without raising so much as an eyebrow, let alone a red flag.  

The devil’s in the details 

In one of her penetration testing campaigns, Snow crafted a phishing email targeting a group of employees who had complained about their company’s parking situation online. The email, which came from an employee in human resources, alerted employees to a new parking policy. Fifty-seven percent clicked the would-be malicious link.

“I put myself in the shoes of someone I want to hack and try to craft something specific to them,” Snow said.

“People are an organization’s strength, but they can also be its weakness,” she explained. “When we receive a message that is personal — be it an email or a text — we let our defenses down and can let hackers…
