Krebs warns of cyber criminal mind shift

Renowned investigative journalist Brian Krebs of Krebs on Security warns that cyber criminals are changing tack in how they go about their work and seek gains from their exploits.

Speaking at Okta’s annual conference in Las Vegas, Krebs told attendees that this “mind shift” will play out in a few key threats that he expects to peak over the coming year.

According to Krebs, account takeovers, ransomware, phishing and extortion-based DDoS attacks are all going to become a lot more targeted, making them more expensive and difficult to recover from, and no organisation is safe.

Krebs says that when an organisation is hit with attacks using credentials stolen from a LinkedIn data breach, for instance, it is fairly easy to block, because the password-checking activity usually comes from a single IP address. However, the “bad guys” are now becoming a lot more savvy about how they carry out these account-checking attacks.

“They’re basically running large distributed botnets of hacked computers - in many cases we’re talking about tens of thousands or hundreds of thousands of computers - and so you could imagine the difficulty in trying to filter that activity. If you’re trying to test a billion passwords and you can distribute it over 100 thousand systems over a couple of days - nobody is going to see that type of low-and-slow attack and that’s what we’re dealing with. I think we can expect to see a lot more of that going forward.”
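The point Krebs makes above is a detection problem: a per-source-IP failure counter catches the single-IP case but is blind to a botnet that spreads the same attempts over thousands of addresses. The following is an added example (not from the article or from Krebs) showing why a per-account view catches the distributed case. It defines a constructed login-event log with three patterns (one noisy IP hammering one account, sixty IPs each trying a target account a couple of times over a day, and normal successful logins) and runs two detectors over it: the classic per-IP burst rule and a per-account rule that counts how many distinct, individually quiet sources are failing against the same account. All IPs, usernames, timestamps and thresholds are constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since an arbitrary epoch (constructed values)
    src_ip: str
    user: str
    success: bool


def per_ip_burst(events, window_s=300, threshold=20):
    """Classic detector: flag a source IP with `threshold` or more failed
    logins inside any `window_s`-second sliding window. Returns the set of
    flagged IPs. A botnet that spreads attempts thinly never trips this."""
    fails = defaultdict(list)
    for e in events:
        if not e.success:
            fails[e.src_ip].append(e.ts)
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:  # shrink window from the left
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_spray(events, min_ips=50, max_per_ip=3):
    """Per-account detector: for each username, count the distinct source IPs
    that failed against it while each staying at or below `max_per_ip`
    failures (i.e. sources that look harmless on their own). An account with
    at least `min_ips` such sources is reported as {user: quiet_ip_count}.
    The caller is expected to pass one long window (e.g. 24h) of events."""
    per_user = defaultdict(lambda: defaultdict(int))  # user -> ip -> failures
    for e in events:
        if not e.success:
            per_user[e.user][e.src_ip] += 1
    flagged = {}
    for user, ips in per_user.items():
        quiet_ips = [ip for ip, n in ips.items() if n <= max_per_ip]
        if len(quiet_ips) >= min_ips:
            flagged[user] = len(quiet_ips)
    return flagged


def sample_events():
    """Constructed 24-hour log with three patterns, all values made up."""
    events = []
    # Pattern 1: one IP fails 25 times against 'alice' in under a minute.
    for j in range(25):
        events.append(LoginEvent(100_000 + 2 * j, "198.51.100.7", "alice", False))
    # Pattern 2: 60 distinct IPs each fail twice against 'bob', spread
    # 20 minutes apart across the day (the low-and-slow case).
    for i in range(60):
        ip = f"203.0.113.{i}"
        events.append(LoginEvent(i * 1200, ip, "bob", False))
        events.append(LoginEvent(i * 1200 + 15, ip, "bob", False))
    # Pattern 3: ordinary successful logins, plus one typo by a real user.
    events.append(LoginEvent(50_000, "192.0.2.10", "carol", True))
    events.append(LoginEvent(50_500, "192.0.2.11", "dave", False))
    events.append(LoginEvent(50_530, "192.0.2.11", "dave", True))
    return events


def run_detectors(events):
    """Convenience wrapper returning both detectors' findings together."""
    return {
        "noisy_ips": per_ip_burst(events),
        "sprayed_accounts": distributed_spray(events),
    }


if __name__ == "__main__":
    print(run_detectors(sample_events()))
```

Only the per-IP rule flags 198.51.100.7, and only the per-account rule flags `bob`: the sixty sources behind that spray each fail twice, far below any sane per-IP threshold, so source-based blocking never sees them. In practice the per-account signal is usually paired with others (distinct-IP counts per tenant, failure ratios against the account's normal geography, or breached-password checks at login) rather than used alone, since a single account with many quiet failing sources can also be a misconfigured client fleet.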

He noted that ransomware is also becoming more targeted within the cyber criminal community: attackers are taking more time and effort to work out what the stolen data is worth and how much the organisation would be willing to pay to get it back, instead of demanding the same amount from every victim.

“Put yourself in the criminals’ shoes - they’re on cybercrime forums trying to make a living selling all of this stolen data and, well, it’s kind of a pain dealing with other criminals because, guess what, they try to rip you off all the time and at the end of the day - they’re cheap. So attackers are now starting to bypass the underground forums (effectively the middle man) and go back to the victim company that they stole the data from. Because those folks are probably more willing to pay more than your average cyber criminal.”

Krebs also sees underground forum members hiring each other’s services to launch more targeted phishing attacks against corporations they want to gain access to.

“Some of these members even solicit bids regarding the names of people within organisations that could serve as insiders as well as a list of people who might be susceptible to being recruited and extorted. If this doesn’t put the fear of God in you, then I don’t know what will.

“A lot of companies are getting very nervous about how easy it is now for disgruntled employees to go over to the dark web and sell access to their company’s network or sell their company’s trade secrets. It’s a very real threat so treat your employees well, keep them very close and pay attention to what they’re doing.”

Krebs urges organisations to think more like the attackers and to perform gap analyses on a regular basis to determine where the weaknesses in their systems may lie. He added that the most important question every organisation needs to ask itself is how much it is spending on keeping attackers out versus how much it spends on responding as quickly as possible after a breach, before it metastasises into a bigger problem.

“If an organisation is advanced in its security maturity level, the leadership will be in the habit of asking some very hard questions on a regular basis. These may be questions they don’t even want to know the answers to, but they’re mature enough to know they need to be asking them.”