BIZTECH: You’ve talked about cybercriminals “living off the land” after they get inside an organization’s network. What do you mean by that?
It starts with the fact that threat protection has become quite advanced. On the endpoints and on the server, there’s quite a lot of technology that’s actively looking for malicious files and malicious activity. Adversaries have caught on to the fact that instead of using a well-known malicious tool, they can actually use system components that are part of the operating system. That’s living off the land.
PowerShell, for example, provides a way of managing devices and computers. In a way, it provides a scripting interface for an attacker to run a variety of tasks, including moving files from one place to the next, running code and changing access privileges, even exfiltrating files without leaving the telltale signs that traditional security measures will be looking for.
That’s something that not a lot of people are talking about or noticing, and there’s quite a difficulty in identifying these kinds of attacks. I like to shine a light on it, because somebody in the organization needs to build some expertise in it. It’s not something you can build a firewall around, and it’s not something that you can easily turn off.
BIZTECH: Are there other examples of this style of attack?
Yes. The British and American authorities have come out with a report on an attack called VPNFilter. This is an attack using components of routers. Not a home router, but routers that are in factories and other infrastructure — for example, a water treatment facility in Ukraine. The hackers were running some of their own malware, but also using the administrative protocols that are built into the router itself. They were basically using the firmware, the code, that’s on the router, and using that as a back door. This is another way of living off the land, using the vulnerabilities that exist in the network technology.
But these are just examples. The broader point is that threat actors now have a very wide and sophisticated arsenal of tools at their disposal, including tools that are developed by nation-states — for example, the exploits that were leaked from the U.S. National Security Administration, tools like EternalBlue and EternalRomance.
Previously, these would be considered sophisticated capabilities; now, these are widely available. For the cyberattacker, they don’t need to be in a bunker working for six months looking for the next zero day, or even to buy that next zero day with a suitcase filled with unmarked bills. They can really just get a lot of capabilities from these leaks or from using whatever is in the operating system of the router or the server.
The arsenal of tools available to adversaries has really become quite diverse and sophisticated. We’re really looking at a different threat landscape than we were two or five years ago.