Cyberattacks, the risks

The Risks of Cyber Attacks and the Dangers of APTs

The thought of a cyber attack on your business is a scary one indeed, and could cause loss of money, time, effort, reputation, and most importantly: business continuity.

However, most managers seem to have an “it-won’t-happen-to-me” mindset; and it might seem like a fairly rational thought. With over 4.5 billion people on the internet, what is the probability that an attacker will single your organization out as a target?

It turns out it’s a little over 1 in 4!

In a 2019 study conducted by the Ponemon Institute and backed by IBM, it was found that companies have a 29.6% chance of being the target of a cyber attack in the following 2 years. Many experts judge that it’s not a matter of “if”, it’s a matter of “when”.

The numbers show that a cyber attack takes place every 39 seconds, with around 3.8 million data records stolen every day. The total average cost of a breach in the Middle East came in at $5.97 million. This is $2 million greater than the global average.

But you’ve been in business for 20 years, and you’ve never been attacked once.

Or maybe not…? This is where the plot takes a dark turn for the worse.

Not all attacks are visible

When we think of cyber attacks we usually picture the Hollywood version, where the attacker hacks into your systems in about 2 minutes, overrides all controls, and starts printing out messages on your screens issuing their demands.

And while this is one form of attack (largely dramatized for effect), there is a far less glamorous, but infinitely more insidious (and reportedly far more common) type of cyber attack, where the attacker doesn’t announce their presence but remains inside your systems, working silently and in the dark, sometimes for years, without you ever knowing.

Security vendors report that it takes an average of 381 days to discover and contain attacks in the Middle East, the highest figure worldwide. That’s almost 13 months during which the attacker is lodged inside your infrastructure, whittling away at your defenses, exfiltrating your data, and expertly covering their tracks.

Just because you don’t know they’re there, doesn’t mean you’re safe.

Advanced Persistent Threats

The latter, silent type of attack is the Advanced Persistent Threat, or APT. Attackers employ sophisticated, highly customized methods against a chosen organization, orchestrating their campaign through social engineering, phishing, and planting malware on the devices of employees and poorly defended business partners to gain access to your network. The “Advanced” part denotes the sophisticated methods the attacker employs to infiltrate your systems, which can take months to execute.

Once inside, they work on avoiding detection, expanding through the network, and mapping it out to identify paths to the organization’s sensitive data. Having gained access to that data, they continue working undetected, extracting and exfiltrating sensitive records bit by bit over extended periods of time, and using them for financial and corporate gain.

The threats are constantly evolving

Similar to biological viruses, APTs can be modified to avoid detection. Once that happens, any patterns, trends, or signatures that security software could have used to identify the threat in future attacks become obsolete. Security engineers then need more lead time to work out the new signatures, but by then the threat will have morphed again, always remaining one step ahead of being caught.

Malware vs APTs

APTs fall under the general umbrella of “malware”, but when someone mentions malware they are usually referring to malicious applications that are designed to spread by infecting as many devices as they can reach. APTs, however, take on a different approach.

The attacker conducting an APT attack targets a specific system or organization, or even a specific user within the organization, conducting social engineering research to find out ways to breach that user’s security. Such info can be gleaned from any and all digital footprints we constantly leave on our social media feeds and other online public platforms.

Other examples of cyber attacks

Business networks and infrastructures might be the most obvious choice for a cyber attack, where the attacker acquires the organization’s data, but there are other types of attacks that have purposes other than data exfiltration.

Attackers have been known to attack Industrial Control Networks and SCADA systems (Supervisory Control And Data Acquisition)[1], which are networks of sensors and controllers that drive electromechanical equipment and are critical to automated, electronically controlled civil infrastructure such as sewage plants, power plants and electrical relay stations. An attack on these targets can be devastating to civilian populations[1] (or even higher-grade entities[2]), yet such systems are typically built with little to no security.

An attacker taking out a power plant in a major city could very well lead to failure in critical systems, such as healthcare, which could lead to damages or even casualties.

Is your business at risk of an attack?

Targets of cyberattacks come in all shapes, sizes, and industries. Attacks are largely concentrated in the health sector, financial organizations, energy, manufacturing, pharmaceutical companies, technology, education, entertainment, transportation, communication, and governments… basically, almost everybody!

And while APT attacks usually target larger organizations because of the greater potential gain, small and medium businesses become an indirect target. Attackers know that larger organizations are more heavily defended, but that they may open up their systems to smaller partners that usually aren’t so well protected. These smaller partners, vendors, and suppliers represent an unwitting Trojan horse that lets the attacker hitch a ride into more robust and secure systems.

The list of targets is long and diverse, so it’s safe to say that no one is safe… unless they preemptively put in place measures to detect these threats and have expert security teams constantly on the alert to counteract attacks if they happen…

Or rather “when” they happen.